The relentless pace of change is one of the key reasons cyber-security is such a dynamic field to work in. When criminals can succeed by striking just once, you cannot take your eye off the ball for a second.
Over the past couple of decades, the nature of the threats facing security professionals has changed. The stakes are higher and there is greater potential for criminal gain or malicious disruption. Like any enterprise, the more money a criminal group makes, the more it can invest in making money, which is why cyber criminals today are so well resourced, sophisticated, and organised.
One type of target is uniquely attractive to attackers because of the financial gains on offer from a successful compromise. Financial institutions such as banks hold a massive amount of consumer data that can be sold on the black market for a healthy return, and they sit directly on the money itself.
Alongside the consumer data that can be stolen, banks are exposed through weak points in their IT infrastructure, and these weak points are often the oldest parts of the estate. The Lazarus Group's FASTCash operation is a case in point: in 2017 it enabled cash to be withdrawn simultaneously from ATMs in over 30 countries, and in 2018 from ATMs in 23 countries, by compromising the banks' payment switch application servers, which were running unsupported operating system versions. To date, this one campaign is estimated to be responsible for the theft of tens of millions of dollars, and that is the work of a single attack group.
There is a big difference, of course, between being a target and being vulnerable. Yet banks remain vulnerable to cyber threats despite the advances in security technology and compliance. Why is this?
Banks were early adopters of IT systems from the late 60s as technology modernised book-keeping practices and automated other manual processes.
As computer technology became more ubiquitous and indispensable, new systems were repeatedly layered on top of incumbent and legacy ones. The result is a web of complex interdependencies, and a requirement to keep the legacy systems running because newer systems depend on them. Over time, maintaining those interdependencies slips down the bank's list of priorities.
Older systems eventually reach end-of-life without being replaced. Once a system is out of support, no patches arrive, so every newly disclosed vulnerability in it remains exploitable indefinitely, and it has no defence against emerging malware written with such systems in mind. These decaying, unprotected systems are therefore attractive targets for criminal organisations.
All mergers and acquisitions introduce a degree of uncertainty to the enterprise. For context, there were 697 merger and acquisition deals in global banking in 2017.
The acquiring organisation must understand the risk presented by the acquired business. This covers everything from how endpoint and network access is controlled to how cloud services extend that network infrastructure. That is complex enough on its own, before adding recently introduced regulatory obligations such as GDPR and the NIS Directive, and before reconciling two organisations with different security postures and risk appetites.
IT teams face the additional strain of integrating and standardising security controls across both organisations. Each M&A is, in effect, a digital transformation project with potentially twice the complexity and disruption. At that scale, some vulnerabilities are missed or deprioritised in favour of matters judged more business-critical, leaving the merged bank blind to entirely new threat vectors after the deal closes.
The data mystery
Accounting for an organisation's data estate can be tough: where the data resides, what kind it is, and which parts of the organisation handle it. These undefined data flows are even more complex and problematic for large banks that have overlapping legacy systems and a sprawling organisation extended through M&A deals.
For example, a project to upgrade user web browsing at a large multinational bank involved a brief planned outage. It emerged that the outage broke one of the business processes for approving loans, which depended on the browser system to function.
Unexpected dependencies like this are why clear visibility and an accurate understanding of business processes and the IT estate are fundamental to a robust security strategy. When system integrations and data flows are not fully understood, it is much harder to protect all of the data, which leads to an increased risk of the bank being compromised.
Time for a platform led approach
When you consider the breadth of these issues, and the legacy headaches that lead banks to juggle more and more point solutions from different vendors as they bolt on new protections for new kinds of threats, the scale and complexity of the challenge is laid bare.
Banks must manage their cyber-defences holistically, with fewer vendors and centralised tools that match the bank's security ecosystem. In short, banks need an integrated, platform-led approach.
The ideal platform should offer tools with reporting and shared telemetry across each layer of defence, so that an event seen at one layer is visible to the others. Given the fast-moving threat landscape and the practicalities of managing complex systems across large financial services organisations, the platform must also be highly adaptable: able to deploy new modules rapidly, connect to legacy systems, and integrate continuously evolving threat intelligence and detection.
Cybersecurity professionals in this sector face a challenge distinct from any other. Throughout history, banks have served as institutions of trust and responsibility, and in today's digital economy that responsibility takes on entirely new forms.