Zero-Trust: Is it time to reimagine the cybersecurity models for financial service firms?

“Money, money, money,” the title of ABBA’s pop song from 1976 perhaps best captures why the Financial Services Industry (FSI) is perceived as a lucrative target when it comes to cyber-attacks. After all, criminals can profit from their crimes by following the money.

Cyberattacks on the industry are however about more than monetary gain; financial service providers also have vast amounts of sensitive customer information such as names, addresses, credit history; intellectual property such as financial models, M&A or IPO plans; access to infrastructure such as interbank payment systems; and more. Additionally, state-sponsored actors also target the financial sector as a critical infrastructure to complement conventional military operations.

Since 2018, there have been over 10,000 data breaches in the U.S., resulting in over 10.7 billion records exposed. Research by cyber intelligence firm, Insights, highlights that over 25% of malware attacks target banking and financial services.

Financial institutions unsurprisingly invest heavily in ways to protect their customer information – ranging from 6% to 14% of the total IT budget, with a mean of 10%. However, breaches continue despite high levels of investment.

Figure 1: Financial breaches last 1 year

Some of the key reasons the financial services business models create security vulnerabilities include:

  • Only strong as the weakest link: While large financial institutions have invested vast amounts of time and money on cybersecurity, the industry is highly networked – from technology service providers, communications firms, clearing houses, payment handlers, data processors, and more. The security of the network highly correlates with the strength of the weakest link in the chain. Attackers utilize the path of least resistance in the interlinked supply chain to penetrate the victim’s work. The well-publicized Target breach in 2014 and the NotPetya outbreak in 2017 both started with a supply chain compromise.
  • Two sides of technology: Financial services are also transforming every day to capture more customers, provide more value to their customers, and retain them. Fintech today enables and empowers new business models and improves customer access, asset ownership has been decentralized through sharing economy, big data and analytics allow richer customer intelligence, AI & automation improve costs and service efficiency. However, increased technological dependences also put financial institutions at an increased risk of cyberattacks with over 67% of executives seeing cybersecurity as a key risk to business growth.
  • Lack of skilled staff: This is another well-advertised gap across all industries. According to an annual survey by ESG, over 50% of organizations report a severe shortage of skilled security professionals. Moreover, the growing complexity of IT, the reactive nature of security technologies coupled with the continuous evolution of threats and threat actors are only going to exacerbate this further. It’s no wonder that financial service organizations spend two-thirds of their annual budget on the operationalization of technology[1].  As the cost of breaches continues to grow – the average data breach cost companies $3.86 million, the study found, and large-scale breaches can hit $350 million – this could be a critical factor in determining technology adoption risk for financial service firms.

Historically this has resulted in a question of “how can we detect threats faster?” or “how can we respond faster?”, which is a very tactical approach to the problem. If our goal is securing the organization, shouldn’t the question be, “how do we get ahead of the cybersecurity crisis?”

There is an interesting approach that can help move us forward. Of course, no security is a panacea (if a vendor tells you that, fire them right away!). However, if we were to view the problem differently, we can see a way forward. Our traditional models rely on an open-trust framework where everything inside a company is trusted and some from the outside too. And this trust is what the attackers exploit. If we could move to a Zero-Trust model, we can dramatically reduce the attack surface, thereby eliminating a whole class of threats. The framework was introduced in 2010 by Forrester.  The Zero-Trust model treats all interactions with a principle of least privilege. In other words, if you were browsing the Internet, the Zero-Trust approach would treat both a “reputable” site or an unknown site as inherently unsafe and limit the exposed surface (to near-zero). This approach not only limits the attacker’s ability to drive a compromise (Gartner predicts a 70% reduction in endpoint compromises with remote browser isolation) but also reduces the operational overheads on security professionals in chasing false alerts.

To learn more about the unique challenges facing the Financial Services Industry and how a Zero-Trust approach can enable security and scale, check out our latest white paper “Zero-Trust: Reimagining Security for Financial Services Industry”


Download Whitepaper

Rajiv Raghunarayan

Vice President - Products