By Dave Henderson, co-founder, BlueFort Security
Any organisation that holds financial data has a target painted on it. When it comes to cyber attacks, financial services firms have been hit hard over the past year, according to a recent study commissioned by Keeper Security. The study found that 70% of respondents experienced a successful cyber-attack in the 12 months up to October 2020, and most of these blamed COVID-related conditions for the incident. There’s no doubt the massive shift to remote work has created new vulnerabilities for criminals to exploit. IT security teams must counter these exploits with new tools and strategies. Zero Trust access has a vital role to play.
The thinking behind Zero Trust is not to grant privileges to users or devices without first verifying who they are. Instead of assuming anyone or anything that has successfully logged onto a network is trustworthy, no user or device gets broad access. By adopting a Zero Trust strategy, each time people and devices access the network, IT admins know who they are and control what they have access to.
Events over the past 12 months have significantly – and permanently – changed the way we work. As businesses moved rapidly to accelerate their digital transformation, and deploy remote work programs to “keep the lights on”, security considerations sometimes took a backseat.
Recent Trend Micro research revealed that remote workers often engage in more risky behaviour at home than when they’re at the office. When combined with the surge in COVID-19 phishing emails and devices that may be shared with other users in the same household and/or less well protected than corporate equivalents, it adds up to a potential perfect storm of risk. Insufficient budget and lack of know-how on combating cyber-attacks were flagged by respondents as the biggest IT security challenges with remote working. They were most concerned about the threat to customer records (50%) and financial information (48%). IT security managers are right to be worried, given the potential regulatory and reputational impact of a breach.
The net result today for many organisations is that their endpoint and IoT devices are now at serious risk from malware, insecure network access and our old and regularly-deployed friend, compromised credentials. The 2020 Zero Trust Endpoint and IoT Security report from Pulse Secure explored how enterprises are advancing Zero Trust endpoint and IoT security capabilities within their organisations. It found that 72% of organisations experienced an increase to significant increase in endpoint and IoT security due to workforce mobility and remote workplace flexibility.
Deploying a visibility and access control approach like Zero Trust must be a critical element of financial services firms’ cyber security strategies. The three key building blocks of a Zero Trust strategy are:
Validation – of users and their devices’ security posture
Control – of access through granular policy enforcement
A winning combination: endpoint & network security
In today’s highly mobile world, data moves with endpoints, making them attractive targets for cyberattacks. As a result, security policy must move with users and data and should not be tied to a particular location. Just as endpoint security products secure and collect data on the activity that occurs on endpoints, network security products do the same for networks. To effectively combat advanced threats, both need to work together. An integrated approach that combines endpoint and network security is the only way to achieve end-to-end protection across your entire security architecture.
Addressing IoT devices
The exponential growth of the Internet of Things has added another dimension to an organisation’s ability to protect against a cyber attack. The IoT in the financial services market is expected to grow to USD 2,030.1 million by 2023. Forces driving this growth include the convergence of operational and information technology and the increased use of IoT devices in products, applications, and connected banking.
The recent Pulse Secure study also showed that 56% of IT teams surveyed believed that there is a moderate to extreme likelihood that their firm would be compromised by a successful attack that originated from an endpoint or IoT device. The fact is that these connected devices are different from laptops, servers or traditional IP-based machines. They aren’t necessarily ‘owned’ by IT. They usually use different types of services and they communicate differently on the network. These attributes come together to create a perfect storm of potential cyber abuse. What’s needed with the growing number of connected things is the ability to lock down those systems against both intentional and unintentional threats.
User experience is equally important
Historically, the user experience has often played second fiddle to IT security. It doesn’t have to be this way. The Zero Trust approach means it is possible to enforce policy compliance by employees, guests and contractors regardless of location, device type, or device ownership. Users enjoy greater productivity and the freedom to work anywhere without sacrificing access to authorised network resources and applications. IT can mitigate malware, data loss and IoT risks. And IT is empowered to optimise its resources and enable digital transformation across the enterprise.
No organisation is immune from cyber attacks. In today’s perimeterless, remote world, the key to mitigating the risk of a cyber attack is to reduce the threat surface as far as possible, and ensure visibility and awareness of when, where, and how devices are connecting. The golden rule in security is that all users should be given only the minimum, or least-privileged, access required to do their job function. Zero Trust is the key.