Four Best Practices for Advancing Bank Cybersecurity Programs for the Cloud Age

By Kory Daniels

Cyber defense programs have a difficult mission of evolving against threats that are constantly trying to find a way into organizations. It’s no secret that financial services has long been one of the most targeted industries for cyberattacks. Research shows that financial firms face as many as 300 times more attacks than businesses in other sectors.

It’s easy to understand why—as the old saying goes, criminals rob banks because “that’s where the money is.” However, as banking has shifted to digital—both from the standpoint of customers accessing their accounts through digital channels, as well as financial institutions moving more of their IT infrastructure and business processes to the cloud—the risks have increased exponentially.

In May, the CEOs of Wall Street’s six largest banks testified before Congress about the state of the nation’s financial system. When asked to name the greatest current risk facing the sector, the majority called out cybersecurity threats. The COVID-19 pandemic accelerated banks’ cloud infrastructure and services adoption to empower a remote workforce while finding pathways to maintain revenues and grow the business. This rapid expansion of banks’ attack surface means that organizations must advance their cybersecurity practices to address the risks and realities in the age of the cloud.

A traditional cybersecurity culture focused on perimeter defense, protecting on-premises systems and compliance requirements is no longer sufficient to empower cyber defense in the digital age. Successful empowerment of cyber defense requires a culture shift as much as it requires strong people, process and technology.

Benefits and risks of the cloud

Moving infrastructure and services to the cloud was inevitable. The operational and cost-saving benefits of the cloud have enticed many organizations to migrate their data. Still, the rapid spike in adoption due to the impact of a global pandemic was not part of the budget or plans.

For many businesses, the adoption of cloud and digital workforce is here to stay. Banks are migrating their data and processes to the cloud in order to improve customer experience, achieve back-office efficiencies, spur innovation and gain a competitive advantage. Through the widespread use of mobile apps, banks have gained access to huge troves of consumer data that can provide deep insights into customer behaviors, enabling banks to improve personalization and increase loyalty.

However, with more data comes more problems. The volume and diversity of data being generated in financial firms is placing a great strain on their cybersecurity teams, with new data points and logs needing to be measured and reviewed continually as part of both routine hygiene checks and vulnerability scans. Not every bank is a Fortune 500 global business, and we see many financial organizations competing for staffing and skills to defend their hybrid and multi-cloud environments at an acceptable risk tolerance. As an example, large banks spend approximately $600 million each year on cybersecurity programs and have more than 3,000 employees working to strengthen their cybersecurity posture. But banks with fewer resources and staff to dedicate to cyber resiliency face an imposing challenge.

The cloud has also opened up benefits and risks for the business while opening up less charted territory. The IT supply chain has become a major vector of attack. Once-trusted software providers and cloud services can no longer be assumed safe. Recent examples like the SolarWinds or the Kaseya attacks illustrate how an attack on a third-party provider can negatively impact your organization and customers.

To reduce risk and increase resiliency in this new landscape, banks must plan, build, test and run evolved cyber defense strategies to ensure that their people, processes and technologies are designed to be secure in the cloud. The same levels of investment and innovative thinking that banks are applying when adopting cloud platforms must also be applied to the security that protects them. Here are four best practices for how banks can advance their security programs for the cloud age:

1. Develop a cloud-specific security strategy

Applying the same security strategy you used for on-premises systems to the cloud environment is a recipe for disaster. Instead, banks should establish new policies around what “good” cybersecurity looks like in the cloud. Ideally, this should be done before you’ve made a major cloud migration. But even if some elements of the business have already been moved to the cloud, it’s not too late to evaluate the existing processes and policies. Whether migrating to a public cloud or building a private cloud, it’s important to focus on creating a solid, cloud-specific security strategy first.

2. Test, test and test again

Just as you would test an application before making it publicly available to your customers, banks should test their security processes before going live. When it comes to threat and vulnerability detection, testing cannot be a one-and-done activity. Environments are constantly changing, so testing must be continuous. Banks should use either an in-house red team to conduct thorough vulnerability testing or, if they lack resources, consider leveraging a third-party partner with experience in this area. Don’t be alarmed if you find issues in the beginning. This is normal. Your cloud migration will be more cost-effective and secure if you identify and address these issues early.

3. Leverage AI, but take a human-led approach

Artificial intelligence and machine learning deliver many benefits, including the ability to quickly analyze and pull intelligent insights from large volumes of data. But they do not replace cognitive thinking or the human role in cybersecurity. Too often, these solutions are pitched as an over-promised “easy button” that ends up underdelivering. Simply taking an AI or ML solution and applying it to bad rules and poorly developed security strategies won’t produce the outcomes banks need. Human ingenuity is invaluable in cybersecurity, with skilled security analysts able to place themselves in the mind of a hacker to predict what their moves will be. They can also use their skills to supervise AI- and ML-based cybersecurity solutions to ensure banks are getting the best of both worlds.

4. Take a holistic approach

A proactive and predictive cybersecurity approach must take into consideration more than just network infrastructure hygiene. To build strong cyber resiliency, banks must ensure their strategy combines cybersecurity with physical security, including identity management. Ensuring proper access permissions are enabled and testing for vulnerabilities in physical security systems both affect a bank’s overall security posture. When traditional forensics and personnel insights are combined with alerts from within a cybersecurity operations center, threat intelligence is strongest. And with insider threats on the rise, it’s more important than ever for cybersecurity teams to take a holistic approach, working closely with physical security teams so they can see the big picture.

As financial institutions have become more digital and more dependent on the cloud, they have been able to reap many benefits, including improved customer experience, greater efficiencies and data-driven insights to guide the business. However, the cloud age also brings greater risk. With banks rushing to adopt new technologies fast enough to keep pace with customer demands, it’s up to security professionals to find the right balance between ensuring proper risk analysis is conducted and not becoming a roadblock to innovation.

With a cloud-powered cyber defense strategy, continuous vulnerability and risk testing, human supervision over AI-based security solutions, and a more holistic approach that combines cybersecurity with physical security, banks can build strong cyber resiliency against fast-evolving threats. This will help enable more financial institutions to safely embrace the cloud while ensuring the cyber program empowers the business to take risks responsibly in a defendable posture.

Kory Daniels is the global director, cyber defense consulting at Trustwave and serves as the organization’s global financial services leader.