
Robust cyber security lies in the cloud

Is the entire financial services sector under attack? Given the proliferation of news stories around cyber attacks on financial institutions, it's sometimes easy to believe so. For the criminal fraternity it's an obvious target. This is where the money is. For ill-intentioned nation states it's also a prime target. This is where the basis of the economy is.

For banks, the threat of data breach is pervasive; as the digital empowerment of staff leads to broader deployment of mobility, every device offers an entry point to those who know how to get in.

With BYOD now an irresistible factor of modern life, every member of staff could potentially be carrying the seeds of data destruction in their device. Simple slippages in best practice, like opening a phishing email, can throw the doors open. Protecting data is an enormous challenge for any company that handles it. For banks, it's triple XL enormous.

Some of the world’s most established and respected finance brands have suffered the consequences of insufficient data protection. In 2017, Lloyds suffered a 48-hour DDoS attack that put 20 million accounts at risk and Tesco Bank lost £2.5m from 9,000 accounts. In 2016, HSBC's online services were disabled by a DoS attack. Examples go on and on. We all get the point. How many banks, however, get the right protection?

The entire financial services sector runs on trust

Let's face it, we give all our money to somebody else to look after on our behalf. We don't even see it. We don't even see how they look after it. Most of the time we don't even think of questioning what they do to protect it. It's not large men standing at the door with guns. It's not even the monolithic building any more. It's rarely a vault. It's just a virtual environment somewhere.

If that's not an illustration of trust, I can't think of a more accurate one. Customers trust banks to look after their assets and protect their privacy and personal data. When this doesn't happen, the relationship between a bank and its customers takes a severe hammering.

IT considerations in data protection

The protection of privacy and personal data has assumed prominence in recent years, as digital transformation has made data more fluid and mobile, and therefore harder to protect. The growing threat of both intentional and unintentional data breach is further compounded by inherent factors in the financial services IT environment such as:

Complexity and lack of visibility: A multi-dimensional environment, in which systems and databases that often date from different epochs are not integrated, is typical of legacy IT. It tends to spawn “security siloes” that lead to increased risk of malicious or unintended activity.

BYOD: The continued growth of BYOD makes it difficult to enforce security rules around antivirus, personal firewalls, data encryption, and secure passwords, exposing organisations to greater risk. 

Open Banking regulations: Open banking and the need to integrate back-office systems and databases with third party service providers through APIs presents a new and growing risk point for financial services organisations.

Trust in the cloud

As security threats begin to resemble an epidemic, businesses in all sectors are being forced to take a more joined-up approach to cyber security. This approach is enabled and required by the adoption of a cloud strategy, for three key reasons:

  • Time efficiency

Updating software is time-consuming, disruptive and error-prone. In a cloud environment, much of the risk and workload comes within the remit of the cloud service provider, who pushes out updates to users seamlessly and securely.

  • Faster identification and resolution of risk

Faster alerts of failures or breaches within systems drive faster resolution. Through real-time status dashboards and automated alerts, cloud service providers enable administrators to investigate, detect and resolve in real time from any secure web server.

  • Shared costs 

The cloud model is based on sharing resources, costs and risk. Cloud service providers focus investment and leverage economies of scale to provide higher levels of security for their shared infrastructure than would be possible for most individual IT organisations. As a client, you get access to the most robust and up-to-date security solution at a fraction of the cost of building it yourself.

The essential security strategy

How is it that cloud platforms are emerging as secure havens? For a start, they offer a level of programmatic infrastructure not easily achievable in the enterprise data centre. This enables a high level of automation within the security operation. As well as saving time and money, increased automation reduces the potential for human error and alleviates the burden of regulatory compliance.

To leverage such security benefits, the organisation needs to address some specific challenges involved in cloud security. It needs to be prepared to rethink its approach to securing applications, data and workloads across multiple platforms. For example, perimeter-based security is no longer sufficient in the cloud era. It needs to be replaced by a workload-centric approach, where users share responsibility for security in conjunction with cloud providers and third-party solution partners.

A comprehensive cloud security solution integrates with your own systems and the security tools native to the cloud platform. It automates repetitive, resource-intensive security tasks, such as provisioning and de-provisioning. In so doing, it provides greater visibility, agility, and compliance, while simplifying procurement. As the threat expands, so too do the options available within the cloud to deal with it.


Public cloud platforms have invested heavily in security features and support, strengthening their systems to the extent that their security posture is now as good as, and frequently better than, most enterprise data centres. Gartner suggests that… "through 2020, public cloud infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centres". These seem like immensely favourable odds to me.




Jason Bell

Regional Sales Director, FS&I




This post is from a series of posts in the group:

Online Banking
