2022 was another bad year for the global financial services sector when it came to data breaches. According to reports, financial institutions disclosed over 560 breaches, accounting for more than 250,000,000 compromised records. Western Europe, South America, Australia, and Southeast Asia suffered multiple breaches, but the US finance sector continues to be hit hardest, with several incidents in 2022 impacting over 1 million customers.
For financially motivated threat actors, the banking and finance sector is obviously a prime target. The sensitive nature of the data involved means account access and identity theft remain powerful incentives. Phishing, hacking, malware, and ransomware attacks continue to evolve, with cybersecurity professionals playing a constant game of catch-up.
Across many regions, the way customers engage with their financial institutions has changed. The digitization of services has seen the point of engagement change from the physical to the virtual. Online banking, fintech apps and mobile services dominate the marketplace, but convenience doesn’t come without risk.
The banking sector forms part of our critical infrastructure and demands a zero-trust approach to network and data security. Unfortunately, reality doesn’t fit this ideal. Several reports published in 2022 point to a significant uplift in zero trust implementations, but dig a little deeper and you’ll discover many of these industries struggle with some of the fundamentals, such as user and data authentication. In its 2022 cost of a data breach report, IBM claims almost 80% of critical infrastructure organisations do not adopt a zero trust strategy.
Prevent and protect
Any robust cybersecurity strategy needs to employ both prevention and protection technologies. Access control, 2FA, firewalls and stringent security policies are essential, but continue to prove ineffective against the most persistent and sophisticated of threat actors.
Encryption, both at rest and in transit, has long been seen as an answer to the “what if” question in the event of a successful systems breach. Depending on whom you ask, statistics for the proportion of data being encrypted vary wildly, with some sources claiming as much as 95%. This seems unlikely, given the fact that millions of unencrypted records are compromised every day.
Adopting zero-trust principles for new technology deployments should be a no-brainer, but businesses find it more challenging when it comes to securing existing infrastructure. There is an economic reality associated with IT investment. Big ticket CAPEX items take time to realize a return, and despite widescale adoption of cloud infrastructure there are still a lot of legacy systems out there.
As the world adapts to the new hybrid working model, much of its legacy infrastructure is no longer fit for purpose exposing data to cyberthreat vulnerabilities. However, as organisations continue their digital transformation journeys, there is an opportunity to introduce security first principles and put data and systems security at the forefront of the user experience.