Cybersecurity means trust – Now more than ever
Cheryl Chiodi, Industry Strategy Manager for Financial Services, Akamai Technologies
With cyberattackers shifting their focus from individual institutions to the financial system as a whole, maintaining the trust of customers has never been more challenging.
Banking has been in existence for centuries since the first currencies were minted and there was a realization of the need to make loans and to protect depositors’ money. In those early days, financial institutions operated with ledgers, but, since the rise of the internet in the mid-1990s, we have witnessed significant transformation in the way financial services and products are delivered to customers.
The technological revolution brought advancements in telecommunications and networking, fundamentally disrupting the way people bank, save money and invest. Technological innovations driven by AI, data analytics, Application Programming Interfaces (APIs), crypto-currencies, IoT, voice banking, banking as a service (BaaS) and fintech innovation have removed barriers to entry for the unbanked and underbanked, and improved financial inclusion. However, these technological innovations must be centred on the primary purpose of the financial services industry: to provide a trusted, safe, and secure place for the world’s finances. Upholding this trust is a constant challenge for today’s financial institutions, as the new technologies that enable innovation also expand the attack surface and the ability of threat actors to capitalize on vulnerabilities.
Evolutions in the threat landscape
A big part of my job involves speaking with clients in financial services and understanding the obstacles they are facing. From these conversations, I consistently hear of the imperative to bring fast, reliable, and secure services to their customers. Fulfilling this need requires having the best defenses in place against some of the growing cybersecurity threats, such as web application and API attacks, ransomware, phishing, malware, and Distributed Denial of Service attacks.
The ever-increasing threat landscape is evident from the constant stream of headlines. Cybercriminals are multiplying and advancing in their tactics, targeting with precision for maximum impact and financial gain. Financial institutions might feel like they are playing a game of whack-a-mole with the bad guys, where they focus on one particular threat and then a new one emerges, and they have to quickly change tactics.
Recently, API attacks have become very lucrative for cybercriminals. APIs have become widespread in financial services, as they are used to grant third-party platforms secured access to services, helping companies build products around banking solutions. However, they can serve as vulnerable points of entry for malicious actors. A recent Akamai research report found that web application and API attacks surged by a factor of 3.5 against financial services firms year over year, the highest growth of any major industry.
Another big trend in security threats for financial services is artificial intelligence (AI). There is no denying that AI is bringing lots of positive changes to the way we solve problems. However, threat actors are finding ways to use AI for sophisticated phishing scams, social engineering, fraud detection evasion, data exfiltration, credential stuffing or brute force attacks. Security teams must therefore constantly evolve their mitigation tactics to respond to these new threats. For instance, belonging to a threat intelligence sharing organization like the Financial Services Information Sharing and Analysis Center (FS-ISAC) can help broaden your ability to tap into what all security researchers are seeing.
Building a trust mindset
With customer trust wavering in light of the European Central Bank (ECB) aggressively hiking interest rates in an effort to curb inflation and the recent takeover of Credit Suisse by UBS, the public needs assurance that the banking system is well capitalized and funded and remains safe and sound. The industry went through seismic changes to adjust to a customer-first model. Back in the day, traditional brick-and-mortar banks had the power to dictate when and where customers could conduct their banking activities. Today, customers have the freedom to bank from anywhere, even while on holiday in distant locations, securely, conveniently, and remotely.
This reality emphasizes the importance of ensuring a security mindset throughout every aspect of a financial institution’s business model. Such a mindset means being proactive and thinking like a threat actor whose goal is to target your staff, customers, infrastructure, or data. To protect them, banks implemented two-factor authentication (2FA), or multi-factor authentication (MFA), and many are now adopting Fast Identity Online v2 (FIDO2) passwordless biometric identification, based on regular reviews of risk appetite.
Trust lies at the heart of our banking system, as evidenced by the architectural grandeur of banks resembling Greek temples, symbolizing confidence in enduring financial institutions. In today’s digital age, banks are primarily accessed through online platforms and mobile apps. While the popularity of banking apps was booming prior to the COVID-19 pandemic, the global health crisis further accelerated their adoption. Consequently, trust now relies heavily on robust cybersecurity measures since banking transactions are predominantly conducted remotely, reducing face-to-face interactions.
The new generation of banking customers has seen their trust in financial institutions eroded by the 2008 financial crash, followed by more recent economic turbulence and relentless disruption by cyber attackers. Trust takes a lot of time to build – and even more to rebuild. Once financial institutions fully adopt this trust mindset, they can consider practical steps to bolster their cyber mitigation strategies, such as developing an inventory list of their complete network architecture map, reviewing risk models to ensure appropriate fraud and customer threats are categorized, implementing always-on DDoS protection across the entire attack surface, caching as much as possible, keeping runbooks up to date and running tabletop exercises. It is hard work to stay one step ahead of cybercriminals, but in order to continue protecting the world’s finances for centuries to come, banking institutions must keep up the fight.