The nature and scope of hostile attacks continue to evolve. This year’s Microsoft Exchange cyber attack[1] resulted in the European Banking Authority’s email servers becoming severely compromised, while a dramatic escalation in cyber attacks on financial institutions prompted Australian banking officials to describe such activity as ‘the biggest risk in banking’[2]. Such attacks draw attention to the vulnerabilities of major financial targets now in the sights of criminal gangs, terrorist units and nation-state threat actors.
In an earlier blog, in partnership with Saviynt – a specialist in intelligent, cloud-first identity governance and access management (IGA) and a strategic partner to Identity Methods – we discussed how implementing such solutions can build consumer confidence in the banking and finance industry. In it we referenced ‘Zero Trust’, a concept soon to become the standard in security and representing cybersecurity’s biggest change in years. Adopting such an approach will be key to the banking and finance industry, and indeed any modern digital enterprise.
The downside of long-term access
Cyber-criminals focus on weak points in the security infrastructure of financial institutions to gain access to lucrative data. To remedy this, the first step is recognising that the basic plumbing of cybersecurity depends on the way computers trust each other and their human users. Once they have passed the required checks, people, programs and systems are granted ‘trust’: a licence to roam in permitted parts of an organisation’s digital space. With increasingly sophisticated ransomware technology, this implicit digital trust only helps today’s hackers to dwell undetected, learning about the systems they’ve unlawfully accessed.
Reducing digital trust to a minimum is the most important way to lower the risk of an attack. This can be achieved by adopting a Zero Trust approach to cybersecurity, which ensures that cyber defences never allow long-term access to information and continuously check that any access is in keeping with a strict set of policies. Advice on what these policies should look like has been set out by the US Government’s National Institute of Standards and Technology (NIST) in guidelines[3] that have been adopted by the UK Government[4], among others.
Never trust, always verify
The end goal of a Zero Trust approach is a state of never trusting and always verifying digital activity. This way, we ensure constant vigilance and reduce access to information for employees and computer processes down to a need-to-know structure. By setting Zero Trust policies, we grant access to resources and networks only when it’s really needed and remove access as soon as it’s not. This way, permissions don’t linger, denying attackers the chance to spread widely around a network.
Getting these Zero Trust policies right is a bespoke process. Every banking and financial organisation works differently, but there are rules of thumb. If your organisation assumes high levels of trust in its approach to cybersecurity, stolen usernames and passwords can give away excessive levels of access to intruders. This quickly becomes difficult to trace, amplifying the damage they can do. With Zero Trust, an organisation needs to be clear on what kind of access its users need, mapping out their identities against the permissions they require. While this process represents an investment of both time and business resources, the protection gained is immense.
Flexible working and the challenge to overcome
Traditional cybersecurity has always relied on implied trust. As an example, consider the offices of a modern investment bank. Users physically working inside the building are trusted, gaining access to resources, while anyone outside the office building is not trusted, thus gaining no access. With the mass shift to more flexible working patterns as a result of Covid-19, this approach is no longer practical. Security must now centre on what the individual user is doing, not on implied factors like their location.
Most breaches happen because of human error, so, done well and with policies that follow official guidelines, Zero Trust saves people from themselves. With a Zero Trust approach, supported by government-backed standards, banking and financial institutions of all varieties can reduce the possibility of cyber attack while, in the process, facilitating more secure hybrid working between home and the office. Zero Trust represents a unique chance for progress in our digitally connected world.
Learn more about Saviynt’s solutions for financial services:
https://saviynt.com/solutions/industry/financial-services/
Saviynt’s mission is to safeguard enterprises through intelligent, cloud-first identity governance and access management solutions. IGA and Cloud Privileged Access Management (CPAM) powered by Saviynt, a leader in Gartner’s Magic Quadrant, protect customer account details, improve data management and build trust.
[1] https://www.afr.com/companies/financial-services/cyber-is-the-biggest-risk-in-banking-today-20210330-p57f5n
[2] https://www.afr.com/companies/financial-services/cyber-is-the-biggest-risk-in-banking-today-20210330-p57f5n
[3] https://www.nist.gov/publications/zero-trust-architecture
[4] https://github.com/ukncsc/zero-trust-architecture
By Ian Collard