The relentless pace of change is one of the key reasons cyber-security is such a dynamic field to work in. When criminals can succeed by striking just once, you cannot take your eye off the ball for a second.

Over the past couple of decades, the nature of the threats facing security professionals has changed. The stakes are higher and there is greater potential for criminal gain or malicious disruption. Like any enterprise, the more money you make, the more you can invest in making money, which is why today's cyber criminals have become so well resourced, sophisticated, and organised.

But there is one type of target that is uniquely attractive to attackers, because of the huge potential financial gains from successfully compromising its defences. Financial institutions such as banks hold a massive amount of consumer data that can be sold on the black market for a healthy return.

Alongside the value of the consumer data that can be compromised, banks are also exposed to risk through weak points in their IT infrastructure. To get an idea of the impact of exposed weak spots, the Lazarus FASTCash operation saw cash withdrawn simultaneously from ATMs in over 30 different countries in 2017 and from ATMs in 23 separate countries in 2018. To date, this activity alone is estimated to be responsible for the theft of tens of millions of dollars, and that is the work of just one attack group.

There’s a big difference, of course, between being a target and being vulnerable; and banks remain vulnerable to cyber threats despite the advances in security technologies and compliance. So why is this?

Paul Knott
Director and Security Strategist
Symantec

Legacy challenges

Banks were early adopters of IT systems from the late 60s, as technology modernised book-keeping practices and automated other manual processes.

As computer technology became more ubiquitous and indispensable, new systems were repeatedly layered upon incumbent and legacy systems. This created complex interdependencies and a need to keep legacy systems maintained. Over time, maintaining these interdependencies can slip down the bank’s list of priorities.

Older systems eventually reach end-of-life without being suitably replaced, leaving the organisation vulnerable to new zero-day threats and emerging malware. As a result, these decaying and unprotected systems are attractive targets for criminal organisations.

Complex relationships

All mergers and acquisitions introduce a degree of uncertainty to the enterprise. For context, there were 697 merger and acquisition deals in global banking in 2017.

The acquiring organisation must understand the risk presented by the acquired business. This covers everything from how endpoint and network access is controlled to how cloud services extend that network infrastructure. This is complex enough on its own, before accounting for recently introduced regulation such as the GDPR and the NIS Directive, and before reconciling the two organisations’ differing security postures and risk appetites.

IT teams face the additional strain of integrating and standardising security controls across both organisations. In this way, each M&A becomes a kind of digital transformation project, except with potentially twice as much complexity and disruption. At this scale, some vulnerabilities can be missed or deprioritised in favour of more business-critical matters, leaving banks blind to entirely new threat vectors after the M&A.

The data mystery

Accounting for an organisation’s data estate can be tough: where the data lies, what type it is, and which parts of the organisation it touches. These undefined data flows are even more complex and problematic for large banks that have overlapping legacy systems and a sprawling organisation extended through M&A deals.

For example, one project to upgrade user web browsing for a large multinational bank involved a brief planned outage. It emerged that this outage affected one of the business processes for approving loans, which depended on the browser system to function.

It’s because of unexpected connections like this that clear visibility and an accurate understanding of organisational processes and the IT estate are fundamental principles for building a robust security strategy. When system integrations and data flows are not fully understood, it is much harder to protect all your data, which leads to an increased risk of the bank being compromised.

Time for a platform-led approach

When you consider the breadth of these issues, and the legacy headaches that lead banks to juggle more and more point solutions from different vendors as they seek to bolt on new protections for new kinds of threats, the scale and complexity of the challenge is laid bare.

Banks must manage their cyber-defences holistically, with fewer vendors and centralised tools that match the bank’s security ecosystem. In short, banks need an integrated, platform-led approach.

The ideal platform should offer tools with reporting and shared telemetry across each layer of defence. Because of the fast-moving threat landscape and the practicalities of managing complex systems across large financial services organisations, the platform should also be extremely adaptable: it must be able to rapidly deploy new modules, plug in legacy systems, and integrate continuously evolving intelligence and threat detection.

Cybersecurity professionals in this sector face a challenge distinct from any other. Throughout history, banks have served as institutions of trust and responsibility – and in today’s digital economy, that responsibility takes on entirely new forms.