Opinion, Jun 12 2023

'Staff training is crucial to reducing cyber attack risk'

Research suggests up to 90 per cent of data breaches are a result of successful phishing campaigns. (tonybangkok/Envato Elements)
As the threat from cyber attacks increases, and nation-state actors and organised criminals bring ever more sophisticated attack vectors, how can the finance industry protect itself and its customers?

The current geopolitical climate has shifted the cyber playing field quite significantly in the past few years, and finance companies continue to be a key strategic target.

Nation-state threat actors pose an increasing risk, in particular to those institutions classed as critical national infrastructure.

The war in Ukraine and heightened political scrutiny of China have fuelled an increase in more sophisticated attacks, often funded, or at least encouraged, by certain nation-states.

By their nature such attacks are significantly harder to defend against, often exploiting zero-day vulnerabilities that are unknown to the vendor.

Wake-up call

The SolarWinds supply chain attack in 2020 demonstrated the impact nation-state threat actors could have upon both governmental and private entities.

The exploit originated through a compromise of the SolarWinds Office 365 environment, which enabled the attackers to leverage that access to reach the software development system.

This facilitated the deployment of malicious code into an update package that was then distributed to thousands of businesses.

It is believed the infected software was operating for several months before being detected, providing backdoors into many commercial and government networks.

This attack was a wake-up call for many security operations teams, as it demonstrated that even updates from trusted suppliers could contain malicious content.

The SolarWinds event has highlighted the need for all organisations to pursue a 'zero trust' strategy, with many financial institutions clearly identifying this as a priority.

It is, however, not a simple process to fully achieve in a short space of time. There is no one tool that the chief information security officer can advise the business to procure.

Instead, zero trust needs to be approached through the lens of a methodology, woven into programme delivery and solution design.

There are cyber tools and strategies that can be deployed to achieve some quick wins, particularly in the identity access management and extended detection and response space.

The reality, though, is that it will take several years to deliver fully comprehensive zero trust architectures that can help protect against threats from supply chain, ransomware, and industrial espionage attacks.

Within the financial industry this will be further exacerbated when considering legacy mainframe and core banking platforms that do not adapt as easily to modern security strategies.

On the cloud

Core banking migration to the cloud is likely to be a hot topic in many boardrooms over the coming years.

Financial institutions will be ever more tempted to consider both the commercial and potential risk transference benefits of migrating their core banking to the cloud.

It’s fair to say there is still some regulatory concern around this, but the likelihood is that as financial services become more experienced in cloud computing, the next step will be to migrate core banking.

This will present both opportunities and challenges, but keeping customers' data safe and maintaining a secure reputation will be paramount.

While large commercial cloud providers can offer state-of-the-art security features for a monthly cost, they also present an increased risk of being a central target for nation-state threat actors looking to impact critical national infrastructure.

The ability to 'take out' several key financial providers by targeting a single supplier will elevate risk for each of the institutions utilising these services.

Resilience therefore will again be a burning issue, and identifying strategies to maintain operation in the event of key service provider outage will be a priority.

Along with securing complex infrastructures, the industry should seek to help protect its customers in the digital environment.

As security methodologies improve through the likes of multi-factor authentication and biometrics, advances in social engineering tactics, such as tricking users into handing over one-time passcodes, are likely to increase.

The best defence to protect against these types of attack is educating end users. This will therefore become a primary focus for financial organisations and could prove to be a differentiator in customer service if delivered correctly.

Education of internal staff should be encouraged, with research suggesting up to 90 per cent of data breaches are a result of successful phishing campaigns.

Companies who promote a speak-up culture and regular employee training and testing are likely to be better positioned to defend themselves from ever-evolving social engineering techniques.

As the ongoing cyber battle advances, with financial institutions defending themselves from both cyber criminals and terrorists, there will be much focus on security methodologies and tooling to mitigate risks.

Companies that invest in educating their staff and their customers, however, may well prove to have the upper hand.

Ben Ford is a technical security consultant at Altus