The global financial services market was worth over $25 trillion in 2022. That kind of wealth inevitably attracts malicious activity. Cyber-criminals are broadly speaking after the wealth of highly monetizable personal and financial data that financial institutions hold on their customers, or access to their accounts. But at the same time, banks themselves want to use that data to deliver better services more efficiently. This is a challenge when it must be locked down to avoid a potential breach.
Fortunately, financial institutions operating today don’t have to choose between security or growth. They can have both, by deploying a data-centric security strategy.
The evolving threat landscape
With so much up for grabs, it’s perhaps not surprising that threat actors have made the financial services sector a priority target. While opportunistic attackers will always be probing for weaknesses to exploit across the attack surface, it is more sophisticated groups that arguably pose the biggest threat. They may use techniques including:
- Highly targeted spear-phishing emails designed to trick a recipient into handing over their credentials or unwittingly installing malware on their machine
- Vishing phone calls where the scammer pretends to be calling from the bank’s IT department and tricks the victim into divulging their log-ins. Targets are selected ahead of time via social media research
- Vulnerability exploits targeting externally facing systems
- Bribery of employees to provide covert IT access
- Supply chain attacks, potentially targeting partners or software used by banks, in order to gain a foothold into corporate networks
- Use of legitimate tools and processes to stay hidden once inside the corporate network
With so many tactics, techniques and procedures (TTPs) at their disposal, the advantage is certainly with the attacking team. Governments know what’s at stake, which is why financial services is one of the most highly regulated sectors out there. But compliance does not always equal security.
The scale of banking security breaches
Research reveals that US financial sector businesses suffered 2,260 data breaches between January 2018 and September 2023, affecting over 232 million records. Many of these records were compromised in a single incident – the Capital One data breach. However, banks have also been caught out by supply chain breaches such as the recent MOVEit extortion campaign, which accounted for dozens of incidents in 2022..
The potential cost to the bottom line and reputation is significant. IBM calculates financial services breaches as the second most expensive of any sector after healthcare, costing $5.9m per breach in 2023.
Building a secure banking culture
A secure-by-design-and-default culture should therefore be the goal of any financial services company. That means cybersecurity is built into all processes, new products and services, and the thinking and behavior of all employees from the board down. This isn’t just about keeping the risk of breaches at bay. It’s about empowering businesses to fulfil their growth potential by providing a secure framework for digital transformation, appealing to new customers and partners, and possibly even unlocking access to new markets.
Data-centric security should be the starting point. Why? Because the sheer size of the banking attack surface and the variety of TTPs at the disposal of threat actors means a determined adversary will always find a way through perimeter defenses eventually. But if the data they’re looking for is protected with strong encryption or tokenization, their efforts will be in vain.
comforte’s Data Security Platform automatically and continuously discovers, classifies and protects banking data, wherever it is stored in the organization—according to policy. Its tokenization capabilities also enable strong data protection whilst at the same time allowing businesses to continue using that data for analytics and other use cases.
This is the kind of secure banking framework that opens the door to tremendous business opportunities including:
Enhanced customer experience through optimized data use and service delivery.
Improved fraud prevention based on analytics applied to large data sets, to uncover patterns of suspicious behavior.
Operational efficiencies that result from data being unlocked from enterprise silos and used to power real-time systems.
Better strategic decision making built on predictive analytics and “what-if” scenario planning.
These are just some of the reasons why banking software provider Tenemos recently signed a partnership deal that will see the Data Security Platform made available on Temenos Exchange, the vendor’s integrated partner ecosystem. It will enable Tenemos customers to apply advanced, end-to-end data protection for enhanced compliance and business value.
Building a cybersecure culture isn’t easy. But it can be done, with data-centric security at its core.
