Cybersecurity has historically been a difficult sell to the board. Banking leaders, like their counterparts across other sectors, tended to regard IT security as the domain of the techies—something adjacent to rather than at the core of their business. But things have changed considerably since the start of the pandemic. Today the challenge is not convincing executives of the business criticality of managing cyber risk, it’s convincing them that there’s always more to do.
A Bank of England study earlier this year found that three-quarters of financial sector executives believe cyber-attacks are their biggest short- and long-term risk, trumping even inflation. Yet just a third (37%) believe the risk will materialise.
For those who think cybersecurity is “mission accomplished”, there may some discomfiting news ahead. As digital transformation investments grow, so too will the corporate “cyber-attack surface”. Unless it can be clearly defined, and continuously monitored, protected and minimised, the likelihood of a serious breach will only grow.
What is the attack surface?
Today’s financial services organisations are a complex blend of old and new, of legacy IT systems including mainframe technology sitting alongside innovative digital systems powered by the cloud. Add into the mix a large number of home-working PCs, laptops and networks, and the IT systems of third-party suppliers and partners, and you have a diverse and sometimes opaque set of assets to manage and secure. Any one of these websites, servers, PCs, laptops, mobile devices, cloud accounts and email inboxes – to name but a few – could be used by hackers to access the organisation’s most critical resources. Collectively they have become known as the cyber-attack surface.
The bad news is that the threat actors have the advantage. They only need to get lucky once, and with such a range of assets to target, the chances are that one of them will be left misconfigured, unpatched or otherwise unsecured. From phishing attacks to exploits of software vulnerabilities, there are many tools and techniques available to the attacking team. If they don’t have the knowledge in-house to operationalise campaigns, capabilities can usually be bought “as a service” on the cybercrime underground, at pretty low cost.
What’s more, as financial sector firms continue to invest in new digital technologies to enhance customer experience, drive cost reductions, and improve agility and resilience, the attack surface continues to grow. But there’s a dwindling pool of talent to defend it. The latest estimate is of a shortfall of 3.4 million professionals in the cybersecurity industry, including 57,000 in the UK.
Blind spots and siloes
Perhaps it’s therefore unsurprising that three-quarters of global financial sector IT and business leaders we polled recently say they’re concerned with the size of their digital attack surface. Half (49%) even claim it is “spiralling out of control”. It should be of great concern that two-thirds of these firms admit to having blind spots in their IT environment, with dynamic cloud assets particularly problematic. Change is the only constant in the cloud, which can make any attempt to catalogue and manage these assets a Sisyphean task without the right tools.
The mapping of the corporate attack surface is made more challenging by the global nature of many financial sector organisations, which adds to the data siloes and blind spots already created by shadow IT, mass home working and supply chain partners. A surfeit of IT management and monitoring tools adds to the complexity and impedes clear-headed decision making.
What happens next?
Throwing money blindly at the problem will not do. In fact, the tools exist today to help organisations better monitor, manage and secure their attack surface, but they’re often not being used. In the meantime, contrary to the belief of many financial sector executives, cyber-attacks are indeed materialising. Two-thirds of the 115 “material” incidents reported to the FCA last year were attributed to attacks, with a third related to personal data breaches and a fifth to ransomware attacks.
If financial sector organisations want to minimise cyber risk then they must first get a handle on attack surface management. That will require visibility into all assets and attack vectors. The data that is generated from this exercise must then be used to continuously calculate risk exposure. Finally, the right controls should be applied to mitigate that risk. Of course, these capabilities can be found in multiple toolsets. But consolidating onto a single platform for everything should be the goal. It will reduce expenditure, minimise the burden on stretched security teams, and eliminate silos for improved decision making.
To find out more: https://www.trendmicro.com/en_gb/about/financial-services.html