Thought leadership
    10 June 2021

    Kevin Odudoh

    Cybersecurity in Financial Institutions

    The adoption of cloud-based applications and platforms over the last few years has been on the rise, meaning the enterprise data and applications are no longer just confined in a single on-premise data centre, but a mix of hybrid and multi-cloud locations.

    Cybersecurity for most financial institutions has for many years focused on securing physical environments - the enterprise data centre, corporate offices, branch locations and ATMs - keeping internal information safe from external bad actors. As long as someone was still on the payroll, and checked all the IT boxes for legitimate employment, they would be granted almost indiscriminate, always-on access to business systems and data. A few years ago, this was sufficient to achieve the main objectives listed below of any cybersecurity program when it comes to protecting digital business systems and resources, commonly referred to as the CIA Triad:

    1. Confidentiality - ensuring authorized access and application of relevant privacy rules.
    2. Integrity - ensuring data accuracy, non-repudiation and trust
    3. Availability - ensuring high service levels using scalability/capacity planning, redundancy, disaster recovery and business continuity techniques

    Hefty fines, sudden drop in share price, loss of customer trust and even imprisonment are some of the consequences of cyber-attacks. Before exploring some cyber-risk mitigation strategies, let's review some trends influencing cybersecurity and the current threat landscape in the financial services industry.

    Business Trends Influencing Cybersecurity

    The adoption of cloud-based applications and platforms over the last few years has been on the rise, meaning the enterprise data and applications are no longer just confined in a single on-premise data centre, but a mix of hybrid and multi-cloud locations.

     Also, employees, partners (credit bureaus, merchants, billers, payment gateways, payment switches, high-frequency trading platforms, other financial service providers including FinTechs, etc), regulators, clients and other connected devices like remote ATMs and POS terminals usually need secure access to different enterprise data, systems and resources outside of the traditional threat perimeter.

    Before the COVID-19 pandemic hit us and government lockdowns were initiated across the globe, few organizations, if any, had considered the possibility of remote working for all employees across all functions.  If this consideration was ever made, almost none of these organizations trialled remote working at the scale witnessed in the first few months of 2020. Prior to this period, the need to transition thousands of employees across multiple countries, to work from home, productively and securely, almost simultaneously or within just a few weeks, was inconceivable.

    These trends fundamentally changed the security landscape and called for a new approach to cybersecurity.

    The Threat Landscape

    In a typical financial institution, threat entry points are numerous. They include endpoint devices like mobile phones and laptops of remote workers, applications like email and digital banking apps, websites, cloud environments and network infrastructure.

     The number of attacks is also mindboggling. At the time of writing this piece, FireEye threat map showed that the financial services industry reported the most cyber-attacks. Below are other useful threat maps from major cybersecurity solutions vendors that will promise to blow your mind.

    The types of threats are also now numerous and more advanced; from whaling and DDoS (Distributed Denial of Service) attacks to malware (malicious software) like viruses and ransomware, similar to the Colonial Pipeline attack that has been making headlines over the past few days. In fact, the Colonial Pipeline attack was so severe that the US president issued an Executive Order on Improving the Nation’s Cybersecurity.

    Cyber Threat Mitigation Strategies

    Even though there’s no one size fits all approach to managing these risks in the financial services space, there are key themes that cut across the industry regardless of company size, risk profile, stage in the digital transformation journey or compliance and regulatory requirements. For example, today, Encryption and Multi-Factor Authentication are basic security requirements for financial institutions. Below are some other common cyber threat mitigation strategies: 

    1. People Strategy: This is usually the weakest link. All employees (especially senior-level executives), suppliers and partners should be regularly trained and made aware of the latest cyber threats and associated risks to the individual and business. Using weak passwords or not securing work devices; accessing work resources from insecure Wi-Fi hotspots; falling prey to social engineering and phishing/spear-phishing attacks - these are all avoidable risks with regular training. Obtaining board and executive-level buy-in to ensure cybersecurity is front and centre of all company programs as an enabler and risk mitigator is key.
    2. Policies, Processes and Procedures: These should be documented, enforced, reviewed and updated regularly for relevance. Here, adopting a credible cybersecurity framework such as NIST can be a great start to understanding your security posture. NIST, for example, gives recommendations on how to Identify, Protect, Detect, Respond and Recover from cybersecurity incidents. It also aligns with another common standard, ISISO/IEC27001, and covers areas such as regulatory compliance and supply chain/dependency management.
    3. Technology Strategy: This enables the implementation of the first two strategies. There are just as many cyber tech tools, solutions and vendors out there as are cyber threats. Also, Skills required to design, build/buy, deploy, maintain and refresh cybersecurity architecture and infrastructure are usually in high demand and short supply. For this reason, many financial institutions have a build-buy-outsource strategy when it comes to cybersecurity technology. At Vodacom Business, for example, we offer a wide variety of cybersecurity solutions, ranging from Security Assessment (covering governance, compliance, end-point, cloud, data, applications, identity & access management) to Security Information and Events Management and Managed SOC. 

    The Future of Cybersecurity

    The demand for cloud-enabled mobile-first employee and customer experience will continue unabated in the financial services industry for the foreseeable future. In a number of markets, financial service institutions are having to rethink their GTM strategies to stay abreast of the fast-evolving consumer expectations for innovative, integrated and digital lifestyle financial services. This has in part driven more disruptive business models in the sector and resulted in various FinTech and Ecosystem plays that have blurred the industry lines, especially in the payments space and digital lifestyle platform plays. Being able to securely expose certain data sets, but still maintaining the privacy of PII data through open API’s has become an imperative for FinTech innovation but introduces added complexities in securing these potential threat vectors.

    General availability of high-speed data connectivity through 5G, powerful computational devices and smartphones, and emerging technologies like Internet of Things (IoT) and Multi-Access Edge Computing (MEC) mean that early warning security systems that leverage Advanced Analytics, Machine Learning and Artificial Intelligence capabilities are paramount.

    It is no wonder that identity-based solutions, which continuously monitor internal vulnerabilities and external cyber threats before providing contextualized access to cloud-based enterprise resources using Zero Trust principles, are gaining traction in the financial services arena. At Vodacom Business, for example, we are well-positioned, even with the added complexity, with our SASE (Secure Access Service Edge) solutions, to extend this threat mitigation capability all the way to the edge including securing IoT devices with cloud moving to the edge given the advent of 5G.

    The financial institutions of tomorrow are clearly very different from the ones of yesterday. Driven by rapid technological change, digital omnichannel customer needs, flexible and BYOD working models, growing co-opetition with the tech industry and complex regulatory environments, the attack surface will only continue to widen exponentially. ICT-led cybersecurity solutions are therefore going to remain an important pillar for the financial services industry going forward.

    Kevin Odudoh

    EHOD: Financial Sector: Vodacom Business

    Kevin Odudoh