Why banks must get better at managing the risky business of cloud computing
Cloud computing represents the future of financial sector IT. Its services helped many organisations through the pandemic, supporting mass working and empowering them to reach locked-down customers digitally. But migrating data and systems to third-party datacentres also increases risk, as the Bank of England noted last year. The challenge for IT bosses in the sector is balancing these risks with the undoubted benefits of cloud computing.
The good news is that the market is full of tools to help mitigate cloud cyber-risks and accelerate digital transformation. Less encouraging is the level of awareness of what’s on offer, and of how urgent the task at hand is.
Cloud computing means business
According to one estimate, COVID-19 accelerated digital transformation by five years for the majority (89%) of UK banks. The figure rose even higher (93%) for traditional financial institutions who arguably have further to go in their digital journey than newer challengers. Cloud computing sits front-and-centre of these efforts, providing the infrastructure on which to host innovative customer-facing mobile applications and services. These apps are increasingly developed by DevOps teams using cloud-based systems and open source resources, which enhance their ability to rapidly respond to changing customer demands.
Cloud innovation doesn’t just empower financial services organisations to deliver more personalised experiences to customers. It can also drive internal process efficiencies and behind-the-scenes improvements using AI and other capabilities, such as in automating repetitive tasks or scouring data for evidence of fraud. Perhaps unsurprisingly given these benefits, respondents to a global financial sector survey we ran say the pandemic has considerably (46%) or somewhat (42%) accelerated their cloud migration plans.
The cloud can be risky
Yet the BoE was also right to flag public cloud initiatives as a possible risk for the financial sector. Unlike private cloud deployments, these require financial sector firms to store data in a third-party datacentre, usually provided by one of the big three: Microsoft Azure, AWS or Google Cloud. Many IT leaders mistakenly believe this means that the provider will take care of security for them, when in fact the level of protection it offers is strictly limited.
The financial sector is a huge draw both for financially motivated cyber-criminals hoping to steal customer data and hold networks to ransom, and for state-backed threat actors looking to probe and potentially disrupt critical infrastructure. Cloud computing broadens the corporate IT environment and expands the number of assets banks’ IT teams must defend. At the same time, it provides new opportunities for hackers to hijack or steal them.
Sometimes IT teams are their own worst enemy. Misconfiguration of cloud systems is one of the biggest threats facing organisations today, potentially exposing sensitive data to hackers who regularly scan for accidentally unsecured accounts. A configuration error helped the Capital One hacker steal 100 million credit card applications and accounts in 2019. In-house developers using cloud systems can also represent a security risk if they source vulnerable components from third-party open source “libraries”. The average application development project now has 49 vulnerabilities as a result, according to one recent estimate.
The stats bear out these risks. A recent report reveals that 80% of global organisations have suffered a “severe” cloud security incident over the past year, while a quarter worry they’ve suffered a cloud data breach and aren’t aware of it. Separate data suggests that breached organisations migrating to the cloud are likely to suffer $284,000 more in losses. That’s on top of the $5.97m global average per breach for financial sector firms.
A false sense of security
On the one hand, banking IT leaders seem to understand these risks. Nearly half of those responding to our survey admit privacy and security challenges represent a “very significant” or “significant” barrier to cloud adoption. Yet those same individuals may be over-confident in the performance of the controls they’ve already put in place. Over half believe cloud migration has focused their minds more keenly on security, and over 80% feel either fully or mostly in control of securing their remote working and hybrid workforce.
There are obvious red flags. Some 99% of those we polled claim their cloud provider offers “more than enough” or “sufficient” data protection. Unfortunately, the reality is that data security is 100% the customer’s responsibility in most cloud environments. It’s also concerning to see many respondents believe that cloud security adoption can make environments more complex, siloed and expensive to run. In fact, the right platform-based tools will streamline protection in the cloud, improve communication between IT security and developer teams and ultimately reduce the risk of costly breaches. Let’s hope the message gets through soon.
To find out more: https://www.trendmicro.com/en_gb/about/financial-services.html