Organizations in most verticals experienced a surge in cyber-threats over the course of the pandemic. But the criticality of financial services and the highly lucrative customer information held by firms in the sector make it a particular favorite of cyber-criminals. One global industry body, the Financial Services Information Sharing and Analysis Center (FS-ISAC), was forced to raise its Regional Cyber Threat Levels an unprecedented three times in 2021. The question is: what can financial institutions do to mitigate risk as their digital attack surfaces continue to expand? An increasingly popular place to start security efforts is with the data itself.
Where’s the risk?
According to a new FS-ISAC report, there are three anticipated threats to industry organizations this year:
Ransomware: A persistent threat for several years, ransomware has become an existential challenge for many organizations. The advent of “as-a-service” offerings on the cybercrime underground has opened the model up to a growing number of affiliate groups, who look to steal data before deploying their payload in order to force ransom payments. Safe havens in Russia and elsewhere make this threat virtually impossible to stamp out.
Supply chain risk: Given the large supplier ecosystems that financial services firms sit within, the risk from compromised third parties remains high. When products and services used by banks are breached in this way, there’s a significant operational impact. Banks need to reassess risk exposure, and work through new mitigations and compliance mandates.
Zero-day vulnerability exploits: What FS-ISAC describes as “diversification of the kill chain” has made zero-day attacks more common. Specialists on the cybercrime underground now sell access to zero-day vulnerabilities, making such attacks easier to launch. This swings the pendulum even further in favor of the threat actors.
Banks are high-profile targets and they know it. In the sector, the average spend on cybersecurity is around 10% of total IT spend. But is it being spent in the right areas? The bottom-line implications are stark. Data breaches cost financial services firms on average $5.7m last year, the second highest of any sector after healthcare and much higher than the global average of $4.2m.
Protect the data first
As banks continue to build out their cloud and digital infrastructures to trim costs, support hybrid working, and create more compelling customer experiences, they will come under greater scrutiny from hackers. Perimeter-based defenses don’t provide adequate protection in an age when breached corporate credentials are easy to buy on the dark web or can be “brute-forced” by automated tools.
With threat actors holding so many of the cards, IT leaders must find a way to mitigate the risk of highly regulated customer data and PII falling into the wrong hands. From Capital One to Experian, countless big-name financial sector players have had this kind of data exposed in the past. This is where data-centric security comes into its own.
The idea is simple: protect sensitive data at all times, wherever it is located. However, the trick is to find a provider that can discover, classify, and continuously monitor as well as protect that data—across any environment and at scale, without impacting user productivity. When done right, this approach can help financial sector firms mitigate business and compliance risk and deliver important digital initiatives with peace of mind. The threat landscape continues to evolve. But with data-centric security, organizations have an effective hedge against cyber-related risk.