What does finance cybersecurity look like in 2021?
Now seems like just as good a time as any to consider the topic of cybersecurity in financial services. Digital transformation has been on all our minds for a long time, no more so than when COVID-19 made it virtually essential to operating in a ‘new normal’ that’s been sustained for over a year now; but what use is exciting and agile new infrastructure if it isn’t properly protected? In a roundtable with a panel of security, tech and financial services experts, we examine the current status, potential developments, and challenges of modern cybersecurity.
Our contributing experts are: David Emm, Principal Security Researcher at Kaspersky; Ian Benson, Partner at PwC and UK Financial Services Cyber Security team lead; Corey Hamilton, Financial Services Sector Partner at IBM Global Security Services; Limor Kessem, Global Executive Security Advisor at IBM Security; Kara Hill, Corporate CIO at FIS and Chair of the American Transaction Processors Coalition (ATPC) Cyber Council; and Norma Krayem, VP and Chair of Cybersecurity, Privacy & Digital Innovation at Van Scoyoc Associates, as well as Director of ATPC’s Cyber Council.
Aside from the obvious pressures already placed on organisations during the pandemic, our panel highlighted the flourishing trend of remote working as one of the most obvious factors increasing security vulnerability. New technology introduced to accommodate this and other tech-based changes was also cited. That cyber attacks are only going to increase seemed to be beyond doubt, with banks and crypto exchanges in particular danger if only because they present valuable targets. Side effects of the pandemic such as an acceleration towards ‘cashless societies’ have made it all the more important that both consumers and companies are well-versed in cybersecurity best practice, even if the solutions are simple reapplications of pre-existing measures.
The finance sector should steer clear of treating the issue as a purely technological one, however, because an executive-led security culture that trickles down through an organisation until it reaches the end user is fundamental. In addition to his answers, Hamilton closed by submitting a plea for everyone to consider security teams on a personal level, particularly in the current environment:
“One topic I believe is very important and doesn't receive enough attention is the well-being of security teams. As a leader of a global team, it's now more important than ever to take the time to check on colleagues, figure out what is working from a workplace and team dynamic, and also to inquire about their family and non-work life. Building relationships, rapport and trust will be more critical than ever when it comes to collaborating in a crisis situation.”
Q. How will the events of 2020 shape financial services’ cybersecurity plans in 2021 and beyond?
Corey Hamilton: There’s no doubt that some CISOs (Chief Information Security Officers) and their security programmes received a shock when their budgets became significantly restricted or cut as a result of the pandemic, particularly as companies refocused on digital transformation. In 2021 and beyond, I expect financial services sector (FSS) security programmes to be hyper-focused on their ROI.
Limor Kessem: The financial sector suffered a crisis during a very shaky 2020. Alongside change on the political front, financial entities were one of the pillars nations depended on the most for assistance and relief funds. As demands increased during the pandemic, the financial sector had to move its workforce out of offices and branches, relying more heavily and more rapidly on cloud infrastructure in the past 12 months. The rise in digitisation and demand for contactless services are changing the ways we work and how customers will consume services in 2021 and onward.
Ian Benson: A shift to home working and accelerated digital transformations are two clear outcomes of the pandemic. Cloud adoption has been key to enabling home working and while this can bring many security and resilience benefits, many of them depend on organisations configuring cloud environments correctly with security built-in. Ransomware attacks continued to grow in prevalence through 2020 and it’s a trend that shows no sign of slowing down. All indications are that organisations will continue to support more flexible working beyond the pandemic, so security teams need to ensure they are replacing any temporary solutions put in place to deal with this ‘new normal’ with more permanent ones.
Kara Hill: Over the past 12 months, I have experienced first-hand how important threat intelligence, threat modelling and information sharing across fintech firms was in 2020. It is critical that cybersecurity plans include significant focus on threat modelling and information sharing in 2021 and beyond so that we can work together to anticipate and plan for new techniques that may be used against us in the future.
Q. That’s proving very difficult: banks and cryptocurrency exchanges, for example, seem to be particularly susceptible to cyber hacks. What can they and others do to minimise their attack surface area?
Ian Benson: I’m not sure either is inherently more susceptible. Banks and crypto exchanges are both highly attractive targets for attackers due to the large volumes of cash and assets that they process and hold, and criminals always follow the money.
For banks to minimise their attack surface area, especially with their large IT estates, they should have a good understanding of their underlying infrastructure; clear visibility of assets and an ability to manage them effectively and consistently are key foundations for good cybersecurity.
Cryptocurrency exchanges should aim to perform detailed threat modelling against their main business processes, especially around transfer and withdrawal processing. A good strategy is to make sure they do not store more funds than necessary in hot wallets, as well as make it difficult for attackers to infiltrate and approve transactions, even if they are able to acquire a high level of privileged access.
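The two controls Benson describes for withdrawal processing (keep the hot wallet balance capped, and require approval from more than one identity so a single privileged account cannot move funds alone) can be sketched as a small policy engine. This is an added illustration, not code from PwC or from any exchange; the cap, threshold and approval count are constructed values.

```python
from dataclasses import dataclass, field

# Constructed policy values for the example (not from the article)
HOT_WALLET_CAP = 50_000       # never hold more than this in the hot wallet
LARGE_WITHDRAWAL = 10_000     # withdrawals at or above this need approvals
REQUIRED_APPROVALS = 2        # distinct approvers, none of them the requester


@dataclass
class Withdrawal:
    req_id: str
    requester: str
    amount: int
    approvals: set = field(default_factory=set)


class WithdrawalPolicy:
    def __init__(self, hot_balance: int):
        self.hot_balance = hot_balance

    def sweep_excess(self) -> int:
        """Move anything above the cap to cold storage; return the swept amount."""
        excess = max(0, self.hot_balance - HOT_WALLET_CAP)
        self.hot_balance -= excess
        return excess

    def approve(self, w: Withdrawal, approver: str) -> bool:
        """Record an approval. Self-approval is refused whatever the
        approver's privilege level, so one compromised account is not enough."""
        if approver == w.requester:
            return False
        w.approvals.add(approver)
        return True

    def can_execute(self, w: Withdrawal) -> bool:
        # A capped hot wallet bounds the loss even if every control below fails.
        if w.amount > self.hot_balance:
            return False
        if w.amount < LARGE_WITHDRAWAL:
            return True
        # Count only approvers other than the requester (defence in depth).
        return len(w.approvals - {w.requester}) >= REQUIRED_APPROVALS

    def execute(self, w: Withdrawal) -> bool:
        if not self.can_execute(w):
            return False
        self.hot_balance -= w.amount
        return True
```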
Limor Kessem: For-profit cyber criminals are not about to slow down these attacks; take, for example, a launched in 2020 against more than 100 financial-services companies across the world. The goal for companies should be to continually simplify users' access while more securely adopting web, mobile, IoT and cloud technologies. Metrics should reflect striking a balance between usability and security through the use of risk-based access, single sign-on, integrated access management control, identity federation and mobile multi-factor authentication.
Norma Krayem: We need to differentiate between banks and cryptocurrency exchanges. Banks will always be targeted by attackers but have robust cyber protections in place to manage and address cyber risk and are heavily regulated to do so. Cryptocurrency exchanges are complicated and vary greatly in who runs them, how they are set up and what types of protections they have in place.
Cryptocurrency exchanges are top targets and we have seen hackers and nation-states successfully steal cryptocurrencies around the world, but they are doing that using the same tools, tactics and procedures we see in aspects of the financial services sector.
Corey Hamilton: I think it really goes back to the fundamentals of strong cybersecurity hygiene. Many organisations have got new devices coming into their environment, but when was the last time a vulnerability assessment was conducted? Has the organisation reevaluated its patch management policies? Is there an accurate inventory of assets? Have escalated permissions been reviewed across the organisation? These are all important but often overlooked.
Q. As we progress towards a cashless society, how can digital wallets be adequately secured? Could we be approaching an era of frequent ‘cyber muggings’?
David Emm: COVID-19 has certainly accelerated the shift towards a cashless society. However, it’s important that consumers take the following steps in order to guard themselves:
- Protect all devices used for conducting transactions with a comprehensive Internet security product
- Only use a secure Internet connection for financial transactions
- Use a password manager to secure the password to your online wallet; or, better still, use a cold (offline/hardware) wallet that encrypts your private keys
- Consider using multiple accounts – specifically, keeping a separate account for normal transactions – just as you might have current and savings accounts in the real world
Limor Kessem: Unfortunately, we are already deep in a ‘cyber muggings’ era. Account takeover fraud rates skyrocketed 282% between Q2 2019 and Q2 2020. Establishing digital identity trust quickly and transparently after a person logs in to the account can limit the scope of an attack.
Ian Benson: Around US$3bn was stolen from blockchain wallets in 2020 (at current values). Many of the same principles for traditional online banking, around maintaining security of personal devices by not clicking on suspicious links or installing untrusted applications, apply here too.
Kara Hill: We do not need to think we will approach an era of frequent ‘cyber muggings,’ but we do need to be clear that everyone who is part of this complicated ecosystem must manage and address cyber risk. That includes the hardware and software providers in the system, the smartphones the digital wallets sit on, the cloud where data is stored, and the users themselves.
With all new digital innovations there are risks that must be managed together; we no longer live in a world that can or should separate innovation from managing risk; they are mirror images of each other. Cybersecurity is a systemic risk that will have to be addressed head-on so that the benefits of a cashless society (i.e. greater financial inclusion) can be enjoyed.
Corey Hamilton: I believe the strongest control has yet to really make inroads and that is around security education for customers. The most vulnerable are those that leap-frogged the desktop-based ‘online banking’ platforms and jumped right into mobile. Cyber criminals are well aware of the lack of focus we as a society have while being mobile, and unfortunately, I don’t expect this to change without some significant focus.
Q. What role does automation have in mitigating risk? Which other technologies could form a stronger, more coherent threat response?
Norma Krayem: Automation helps standardise protections and focus on machine-speed solutions across a wider swath of the network. At the same time, the industry must also focus on not just the tools that exist now, but the new ones that need to be created, too. Attackers can learn quickly how to get around the existing tools and use technology to create new backdoors.
SolarWinds is an example of an attacker that methodically learned which tools and systems were used to protect networks and then used those same structures against the US government and the private sector. Cybersecurity is an enterprise risk management issue; it must constantly change and adapt to the threat environment.
Corey Hamilton: Poorly tuned security platforms, instead of focusing on the highest risk and greatest ROI, are often geared towards ‘low hanging fruit’ or quick wins that are of lower concern.
At IBM, we have introduced a (CP4S) as many customers have a vast array of tools and technologies already deployed. However, they lacked a single pane of glass that covers threat intelligence, event monitoring, and automation across today's on-premise, hybrid cloud, and multi-cloud environments.
Ian Benson: Rather than focus on a single technology, what we need to consider is how we can design systems to be resilient and secure within the environment that we expect them to operate. In the same way that we consider financial risks and rewards when launching a new product or working with a new business partner, we should also consider how tech changes can alter an organisation’s risk profile.
Automation and orchestration undoubtedly help increase the speed and repeatability of response, but it’s important that we don’t forget the ‘hard basics’ like access control, Active Directory hygiene, security patching and configuration, and asset management.
Q. Finally, is there a cultural barrier to solid cybersecurity? Do stakeholders have an in-depth understanding of the risks inherent to modern finance?
Limor Kessem: Cybersecurity needs to become a ‘universal culture’ in every business. Every single person plays a role in securing the enterprise, regardless of whether they employ a security role or not. No other sector is more data-rich, digitised, or more targeted by cybercriminals than the financial sector. If there is one thing I think we still stand to get better at, it’s not technology and it’s not the number of tools we have going at one time – it’s collaboration and coming together more than ever.
David Emm: I think there’s a very mixed picture here. On the one hand, some of the well-established financial institutions are well-versed in the threats facing this sector. Yet, on the other hand, there are many new financial organisations that have neither the experience nor the expertise in securing their systems. In addition, for obvious reasons, business continuity may be prioritised over security, especially if the organisation has so far not faced major incidents.
Ian Benson: A sign of a mature organisation from a security perspective is not when the CISO is invited to IT strategy meetings, but when they are included as a standing attendee at business strategy meetings and committees at the request of executive committee members. Currently, in many organisations, we are not even at the stage where the former happens consistently.
Kara Hill: I don’t see a cultural barrier to solid cybersecurity. I think everyone wants to do what they can to protect themselves. That said, I think there is an important opportunity to increase cybersecurity education for the general public. As consumers, we have become accustomed to fast, low friction, online experiences. We can do more to bring cybersecurity awareness and education to children and adults of all ages. I think classes on cybersecurity and online safety should be offered as part of elementary and high school curriculums, because the more education and awareness we can raise the better protected we will be.