Widening Threat Surface and Security Gaps
Digital transformation, the rise of mobile banking, ongoing migration of core banking services to the cloud and a shift towards an omni-banking model have all contributed to an overall wider threat landscape for financial institutions to monitor and manage. This is further exacerbated by the fact that financial institutions operate in a highly complex and interconnected financial ecosystem connecting thousands of entities, networks and users across the globe.
Petabytes of data and billions of messages and transactions flow across this interconnected system daily, which makes it a daunting task to monitor, detect and block anomalous activities, elusive threats and under-the-radar attacks in real time. Cybercriminals have the potential to launch a large-scale attack by infiltrating and exploiting one ‘weak link’ in this interconnected system, targeting multiple financial institutions in various geographies simultaneously. This has vastly elevated the risk of “systemic” consequences for the industry at large.
On top of that, financial institutions have the added burden of operating in an environment where system, process and security silos prevail. With hundreds of disparate security tools deployed, they are constantly struggling to patch holes and close gaps in their threat defense lifecycle. Security teams are often overwhelmed with sifting through and prioritizing the vast number of alerts that each security tool generates, often with little cohesive, adaptive sharing of threat intelligence between the various tools.
In a recent study issued by Morgan Stanley (1), it was reported that better security tools with tighter integration and automation are needed. Suffice it to say, as the financial services industry and the world at large rapidly march towards further digital transformation, the challenge of bridging the security gaps will get increasingly difficult in an industry whose very “foundation” is built on an interconnected system linking financial institutions, payment and settlement processors and various other entities, including the third-party providers that financial institutions work with globally.
So now, the pressure is on everyone (and not just the top G20 financial institutions) to prevent cyberattacks at the scale we saw in 2016 with the Bangladesh Bank, SWIFT, and the Federal Reserve Bank of NY, or the Carbanak attack on multiple financial institutions that resulted in nearly $1 billion in losses the year prior.
The path forward will require implementing multiple steps:
- Implement ‘a unified threat defense security infrastructure’: one where financial institutions pivot away from disparate security solutions that have created yet ‘another layer of silos’ in an already complex and fragmented technology landscape. This means security solutions need to work in an integrated, automated and adaptive manner.
- Adopt a communication fabric that is built on open standards, enabling your business to easily integrate your disparate security solutions to create a cohesive and adaptive threat defense lifecycle. To do that, consider a solution, such as McAfee Open DXL, that can help your institution share information easily across your security infrastructure.
- Adopt greater collaboration practices across the industry (bringing in both the security vendor community as well as more banks, not just the top 100 or G20 banks). This is a burden that needs to be carried by all and not just a few.
- Hunter teams need to become more pervasive in the industry and a best practice (switching from reactive to proactive mode). For more about this, read our paper on the big attacks from 2016.
- While the industry does not need, nor would it welcome, yet another regulation, this is one area where a global cybersecurity regulation is required. This is not to penalize a handful of banks, but rather to protect an interconnected ecosystem where hundreds and thousands of entities are connected to the financial system. Everyone needs to pursue the same set of guidelines and regulatory stipulations.