Risk Management
Managing risk, building resilience: How financial services CISOs can add value
The banking and financial services industry (FSI) is about as critical as critical infrastructure can get. Both the services it provides and the data it processes represent a major target for nation states and financially motivated threat actors alike. So it should come as no surprise that it’s also a magnet for attacks. Trend Micro research from 2022 revealed 72% of global FSI firms had been compromised by ransomware at least once in the previous three years.
Yet as panellists in a new on-demand workshop attest, there’s plenty that CISOs in the sector can do to manage risk – albeit across a large and expanding digital attack surface.
The expanding attack surface
Like their peers in many other sectors, FSI firms are spending big on digital transformation to drive process efficiencies and improve the end-customer experience. Yet in doing so, they may be unwittingly exposing themselves to attack. Investments in cloud infrastructure and home-grown applications can expand the attack surface even further. This presents both a visibility and a control challenge.
Trend research reveals that cloud assets are the area where financial services IT teams have the least insight (39%). A quarter say they are still mapping environments manually, which cannot keep pace with the rate at which dynamic assets like VMs and containers appear and disappear. The use of third-party software components sourced from open source libraries is also a growing concern: some 87% of global organisations were impacted by one or more software supply chain security issues over the past year, according to a Snyk study.
There are several other ways that the FSI attack surface is growing:
Legacy tools and technologies: This ranges from software and operating systems that are no longer supported, and therefore no longer receive patches, to the continued use of legacy protocols such as TLS 1.0 (deprecated, together with TLS 1.1, by RFC 8996), which leave serious security gaps.
Human error: In an ideal world, FSI employees would be a prime asset in the fight to build cyber-resilience. In reality, many introduce risk by falling for phishing emails or by misconfiguring critical systems.
Supply chains: Supply chains don't just provide software. They include everything from cleaning contractors to business process outsourcers. Suppliers with access to corporate data, systems or networks are an increasingly popular target in their own right. Over half (56%) of the FSI firms Trend spoke to say a supplier has been compromised by ransomware in the past.
Next-gen threats: FSI firms need to balance their management of traditional risks with the threats posed by emerging technologies. A cryptographically relevant quantum computer may still be several years away, but when it arrives it will break the asymmetric algorithms (RSA and elliptic-curve schemes) on which financial systems depend for security and trust, and encrypted traffic recorded today could be decrypted then. The industry must act now, starting with an inventory of where those algorithms are used, to prepare for this near inevitability.
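The "legacy protocols like TLS 1.0" item above is one a security team can turn into a concrete, repeatable check. The Go program below is an added example, not code from the workshop or from Trend Micro: it pins a TLS client to a single protocol version at a time and reports which RFC 8996-deprecated versions a server still negotiates. So that it runs offline, it stands up an in-process server over net.Pipe with a self-signed certificate for the placeholder host name legacy.example.test; both the pipe server and the host name are assumptions for the demo. Against a real endpoint you would pass a Dialer that wraps net.Dial.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Dialer hands back a raw connection to the target. For a real probe pass a
// closure around net.Dial; the demo below uses net.Pipe so it runs offline.
type Dialer func() (net.Conn, error)

// ProbeVersion reports whether the server behind dial completes a handshake
// with a client pinned to exactly one protocol version. A handshake failure
// is reported as "not supported" (false, nil); only a dial failure is an error.
func ProbeVersion(dial Dialer, version uint16) (bool, error) {
	raw, err := dial()
	if err != nil {
		return false, err
	}
	// Close the raw connection rather than the tls.Conn: the probe only needs
	// the handshake outcome and should not start a close_notify exchange.
	defer raw.Close()
	cfg := &tls.Config{
		MinVersion:         version,
		MaxVersion:         version,
		InsecureSkipVerify: true, // tests version support only, not chain validity
	}
	return tls.Client(raw, cfg).Handshake() == nil, nil
}

// legacyVersions are the protocol versions deprecated by RFC 8996.
var legacyVersions = map[uint16]string{
	tls.VersionTLS10: "TLS 1.0",
	tls.VersionTLS11: "TLS 1.1",
}

// LegacyVersionsAccepted returns the names of the deprecated versions the
// target still negotiates, in ascending version order.
func LegacyVersionsAccepted(dial Dialer) ([]string, error) {
	var accepted []string
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11} {
		ok, err := ProbeVersion(dial, v)
		if err != nil {
			return nil, err
		}
		if ok {
			accepted = append(accepted, legacyVersions[v])
		}
	}
	return accepted, nil
}

// SelfSignedCert mints a throwaway ECDSA P-256 certificate for the demo server.
// legacy.example.test is a placeholder name, not a real system.
func SelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "legacy.example.test"},
		DNSNames:     []string{"legacy.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// PipeDialer returns a Dialer that, on every call, starts an in-process TLS
// server with the given minimum version on the far end of a net.Pipe. It
// stands in for a real listener so the probe can be exercised offline.
func PipeDialer(cert tls.Certificate, serverMin uint16) Dialer {
	return func() (net.Conn, error) {
		clientEnd, serverEnd := net.Pipe()
		go func() {
			defer serverEnd.Close()
			srv := tls.Server(serverEnd, &tls.Config{
				Certificates: []tls.Certificate{cert},
				MinVersion:   serverMin, // the setting the probe is testing
			})
			_ = srv.Handshake() // only the handshake outcome matters here
		}()
		return clientEnd, nil
	}
}

func main() {
	cert, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	servers := map[string]uint16{
		"legacy (min TLS 1.0)":   tls.VersionTLS10,
		"hardened (min TLS 1.2)": tls.VersionTLS12,
	}
	for name, min := range servers {
		accepted, err := LegacyVersionsAccepted(PipeDialer(cert, min))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24s deprecated versions still accepted: %v\n", name, accepted)
	}
}
```

The server with MinVersion set to TLS 1.0 reports both deprecated versions as accepted; the one with MinVersion TLS 1.2 reports none while still completing a TLS 1.2 handshake. Pinning MinVersion and MaxVersion to the same value is what makes the probe unambiguous: an ordinary client would silently negotiate up to the best mutually supported version and never reveal that the older ones are still enabled.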
A checklist for building cyber resilience
However, all is not lost. During the Trend workshop, expert attendees claimed the following could help CISOs chart a successful course forward:
- Engage with your users: Don’t scold them, but rather give them access to the right information to help educate and change behaviours. And make it easy for your users to do the right thing
- Engage with the board: Speak the language of business risk and ensure cybersecurity strategy is linked to business goals. This will help keep senior leaders onside and ensure long-term investment and engagement
- Understand the attack surface: You can't defend what you can't see. Identify where all of the organisation's key assets are, and how data flows through the business and externally (e.g. to the public cloud), via a unified view
- Proactively mitigate risk: Take action pre-emptively when notified of misconfigurations, vulnerabilities and other security holes. Avoiding breaches in the first place is the cheapest and most effective way of minimising cyber and business risk
- Rapidly respond to threats: Have extended detection and response (XDR) tooling in place to react quickly when needed. AI tooling can help filter out noise and ensure analysts are able to prioritise the alerts that matter
Above all, it’s important to remember that cybersecurity is about far more than keeping the bad guys out. It can also be a business enabler and revenue generator – by enabling seamless and secure remote working, supporting digital transformation projects and attracting security-minded partners, suppliers and clients. It’s time to start the journey from risk to resilience.
Click here to watch the on-demand workshop, Unlocking Value in Financial Services: Cyber Resilience Unleashed.