CXO Bytes

How digital banks can combat cybersecurity challenges for themselves and their customers


The evolution of financial services is significant both for the business opportunities it offers and for the way it puts customer centricity at the core of the business. One study suggested that 75% of global consumers use at least one fintech service, and that share will continue to increase. The fintech market is going to grow, with some estimates putting it at ~$324 billion by 2026.

Financial transactions are a natural target for threat actors, and the other sensitive data held alongside them attracts these actors further. The financial sector was the economic sector most affected by data breaches in 2022, followed by healthcare and social assistance. As the financial sector grows, it will continue to see sustained pressure from these threat actors. It’s important, therefore, to have a holistic strategy to manage this risk on an ongoing basis.

The tech stack of a fintech typically comprises cloud computing, big data, and an API ecosystem. This offers an increased attack surface with a high probability of misconfiguration and privacy-related risks. Privacy and data security become more crucial because of the large data sets available to generate further insights into the customer. Protecting this data is as critical as protecting transactions and digital money.

Some key considerations when designing the security for this ecosystem are “Observability”, “Layered defences”, and “Embedding security in design”. Observability is key to gaining insight into how your environment is operating. This, coupled with layered defences, i.e. from protection through to detection, provides unique insights into anomalies ranging from identity, to network telemetry, to privileged access. Augment your protection strategies with threat detection stacks for cost-effective and timely detection of threats.

Misconfigurations can be addressed with guard rails implemented as part of infrastructure as code. With more visibility into the code base, and guard rails around the software delivery infrastructure, code quality from a security perspective can be managed well, with enough visibility into the weaknesses that lead to product vulnerabilities and supply chain compromise.
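
One way such a guard rail can look in practice, as an added example that is not code from the article or from any cloud provider's tooling: a small policy-as-code check that runs over a rendered infrastructure plan in CI and blocks the deployment on a high-severity misconfiguration. The plan format (a plain dictionary of resources), the rule set and the sample resources are all constructed for illustration; a real pipeline would feed it the rendered Terraform or CloudFormation output.

```python
"""Policy-as-code guard rail for an infrastructure plan.

Added example, not code from the article or from any provider's tooling.
It evaluates a constructed, provider-neutral resource plan (a plain dict,
which is an assumption about the input format) against deny rules for
common misconfigurations: world-readable object storage, admin ports open
to the internet, and unencrypted data stores.  A CI job would call gate()
on every plan and refuse to apply it on a HIGH finding.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Ports that should never be reachable from the whole internet: SSH, RDP, common DB ports.
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432}
WORLD = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    severity: str
    detail: str


def check_public_bucket(name: str, r: Dict) -> List[Finding]:
    """Object storage must not carry a public ACL."""
    if r["type"] == "object_storage" and r.get("acl") in ("public-read", "public-read-write"):
        return [Finding("storage.public_acl", name, "HIGH", f"acl={r['acl']}")]
    return []


def check_admin_ingress(name: str, r: Dict) -> List[Finding]:
    """Security groups must not expose admin or database ports to the world."""
    out: List[Finding] = []
    if r["type"] != "security_group":
        return out
    for ing in r.get("ingress", []):
        covered = set(range(ing["from_port"], ing["to_port"] + 1))
        if ing["cidr"] in WORLD and covered & ADMIN_PORTS:
            out.append(Finding("network.admin_port_open_to_world", name, "HIGH",
                               f"ports {ing['from_port']}-{ing['to_port']} from {ing['cidr']}"))
    return out


def check_unencrypted_store(name: str, r: Dict) -> List[Finding]:
    """Data stores must be encrypted at rest."""
    if r["type"] in ("database", "object_storage") and not r.get("encrypted", False):
        return [Finding("data.unencrypted_at_rest", name, "MEDIUM", "encrypted=false")]
    return []


RULES: List[Callable[[str, Dict], List[Finding]]] = [
    check_public_bucket, check_admin_ingress, check_unencrypted_store]


def evaluate(plan: Dict[str, Dict]) -> List[Finding]:
    """Run every rule over every resource and collect the findings."""
    findings: List[Finding] = []
    for name, resource in plan.items():
        for rule in RULES:
            findings.extend(rule(name, resource))
    return findings


def gate(plan: Dict[str, Dict], block_on=("HIGH",)) -> bool:
    """True when the plan may be applied, i.e. there is no finding at a blocking severity."""
    return not any(f.severity in block_on for f in evaluate(plan))


# Constructed sample plan: two resources violate HIGH rules, one violates a MEDIUM rule.
SAMPLE_PLAN = {
    "customer_docs": {"type": "object_storage", "acl": "public-read", "encrypted": True},
    "audit_logs":    {"type": "object_storage", "acl": "private", "encrypted": True},
    "bastion_sg":    {"type": "security_group",
                      "ingress": [{"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
    "app_sg":        {"type": "security_group",
                      "ingress": [{"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
    "ledger_db":     {"type": "database", "encrypted": False},
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_PLAN):
        print(f"{f.severity:6} {f.rule:34} {f.resource}: {f.detail}")
    print("apply allowed:", gate(SAMPLE_PLAN))
```

Rules are plain functions, so a new guard rail is one function appended to `RULES`, and the severity that blocks a deployment is a parameter of `gate()` rather than something buried in the rules, which keeps the policy reviewable alongside the code it protects.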

From a data security perspective, it’s important to identify the sensitive data, build data lineage for data lakes, and tag the sensitive data in your ecosystem. This then enables the organisation to define controls that meet compliance and auditability requirements and to enforce granular access policies. In an API ecosystem, it’s important to identify which APIs expose what kind of data.

While authentication and authorisation are central to an API strategy, observability around data exposure is key to defining security strategies, including what monitoring mechanism needs to be in place to identify any API abuse. Most API abuses these days revolve around the poor implementation of authentication and authorisation and, in some cases, excessive data exposure.
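
The two failure modes named above (weak authorisation and excessive data exposure) side by side, as an added example that is not the article's code: a handler that returns the full stored record to any authenticated caller, next to a hardened version that enforces object-level authorisation, allow-lists the response fields per role, and records every denial to an audit log so that a monitoring pipeline can spot enumeration. The customer records, roles, field scopes and log format are constructed for illustration.

```python
"""Object-level authorisation and response allow-listing for an API handler.

Added example, not the article's code.  The records, roles, field scopes
and audit format are constructed.  get_customer_insecure() shows the
vulnerable pattern; get_customer_secure() (1) checks that the caller is
entitled to this specific object, (2) projects the response through a
per-role field allow-list so internal and sensitive fields never leave
the service, and (3) logs denied requests for detection.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records; every value is synthetic.
CUSTOMERS: Dict[str, Dict] = {
    "c-1001": {"id": "c-1001", "name": "A. Example", "email": "a@example.test",
               "account_number": "GB00TEST12345678", "balance": 1520.75,
               "national_id": "QQ123456C", "risk_score": 0.12, "kyc_notes": "internal only"},
    "c-1002": {"id": "c-1002", "name": "B. Example", "email": "b@example.test",
               "account_number": "GB00TEST87654321", "balance": 88.10,
               "national_id": "QQ654321A", "risk_score": 0.71, "kyc_notes": "internal only"},
}

# Fields each role may receive.  Anything not listed is never serialised,
# so a new column added to the store cannot leak by default.
RESPONSE_SCHEMA = {
    "customer": ("id", "name", "email", "account_number", "balance"),
    "support":  ("id", "name", "email", "account_number", "risk_score"),
}

AUDIT_LOG: List[Dict] = []   # stands in for a structured log shipped to the SIEM


@dataclass(frozen=True)
class Caller:
    subject: str           # authenticated principal (from the verified token)
    role: str              # "customer" or "support"
    customer_id: str = ""  # the customer record this principal owns, if any


def get_customer_insecure(caller: Caller, customer_id: str) -> Dict:
    """Vulnerable pattern: authentication happened upstream, so the handler
    trusts the path parameter and returns the raw record.  Any customer can
    read any other customer's national_id and internal KYC notes."""
    return dict(CUSTOMERS[customer_id])


def _authorized(caller: Caller, customer_id: str) -> bool:
    """Object-level check: customers only reach their own record."""
    if caller.role == "support":
        return True
    return caller.role == "customer" and caller.customer_id == customer_id


def _mask_account(acct: str) -> str:
    return "*" * (len(acct) - 4) + acct[-4:]


def get_customer_secure(caller: Caller, customer_id: str) -> Dict:
    """Hardened handler: authorise the object first (so a customer cannot tell
    an unknown id from a forbidden one), then allow-list the response fields."""
    if not _authorized(caller, customer_id):
        AUDIT_LOG.append({"event": "authz_denied", "subject": caller.subject,
                          "role": caller.role, "object": customer_id})
        raise PermissionError("not authorised for this customer")
    record = CUSTOMERS[customer_id]          # KeyError is only reachable by support
    out = {k: record[k] for k in RESPONSE_SCHEMA[caller.role]}
    if caller.role == "support":             # staff see a masked account number
        out["account_number"] = _mask_account(out["account_number"])
    return out


def denied_requests_by_subject(log: List[Dict]) -> Dict[str, int]:
    """Simple abuse signal: how many denials each principal has generated.
    A burst of denials from one subject across many object ids is the
    signature of someone walking the id space."""
    counts: Dict[str, int] = {}
    for entry in log:
        if entry["event"] == "authz_denied":
            counts[entry["subject"]] = counts.get(entry["subject"], 0) + 1
    return counts
```

The allow-list is deliberately per role rather than a deny-list of known-sensitive fields: when the data team adds a new column to the customer store, the secure handler keeps returning exactly the same shape until someone consciously extends the schema.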

Ransomware is another serious threat that most enterprises face, and it has grown significantly over the last couple of years. As per the Data Breach Investigations Report findings, ransomware has continued its upward trend with an almost 13% increase; this rise is as big as the last five years combined. In the NCSC (National Cyber Security Centre) annual review published a little earlier, the NCSC CEO described ransomware as the “most acute threat that businesses and organisations in the UK face.” Ransomware keeps growing primarily because it continues to be a high-profit, low-risk attack. Therefore, a holistic strategy that addresses the four core areas around ransomware (credentials, phishing, exploitation of vulnerabilities, and recovery through immutable data backups) is a must-have.

Endpoints prone to ransomware need adaptable protection, with both preventive and detective controls rolled out to them. An endpoint-specific strategy alone is insufficient and needs to be layered with additional controls. Some organisations are looking at FIDO2 to augment their authentication strategies, which is a step in the right direction.

Phishing continues to be a core theme, so security awareness training and simulations are important. However, these need to be augmented with more robust controls: identifying homoglyph domains, leveraging machine learning to nudge users whenever they receive an email from a new domain, and using MFA (multi-factor authentication), URL rewriting, and time-of-click protection.
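
What the homoglyph-domain and new-domain checks above can look like on the mail-filtering side, as an added example that is not the article's code: each inbound sender domain has its punycode labels decoded, its registrable label reduced to a "skeleton" in which visually similar characters collapse to one Latin form, and that skeleton compared with the bank's own domains by exact match and by edit distance; domains that are neither trusted nor lookalikes are then checked against a first-seen history. The protected domains, the confusables table (a small hand-picked subset of the Unicode confusables data), the seen-domain set and the "last two labels" rule for the registrable domain are all assumptions; production code would use the Public Suffix List, and the new-domain nudge here is a plain first-seen check rather than the machine-learning model the article mentions.

```python
"""Lookalike (homoglyph) sender-domain detection with a first-seen nudge.

Added example, not the article's code.  The protected domains, the
confusables table, the seen-domain history and the registrable-domain
rule are constructed simplifications (see the lead-in).
"""
import unicodedata
from typing import Iterable, Set

# Visually identical or near-identical characters mapped to a Latin base form.
# The first rows are Cyrillic letters that render like their Latin counterparts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
}
SEQUENCES = (("rn", "m"), ("vv", "w"), ("cl", "d"))   # multi-character lookalikes


def skeleton(label: str) -> str:
    """Collapse a label to its confusable skeleton (lowercase, accents stripped)."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Mn")
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, repl in SEQUENCES:
        text = text.replace(seq, repl)
    return text


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; labels are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def to_unicode(domain: str) -> str:
    """Decode any punycode (xn--) labels so homoglyphs are compared as characters."""
    out = []
    for label in domain.rstrip(".").lower().split("."):
        out.append(label.encode("ascii").decode("idna") if label.startswith("xn--") else label)
    return ".".join(out)


def registrable_label(domain: str) -> str:
    # Simplification: second-to-last label.  Real code consults the Public Suffix List.
    return domain.split(".")[-2] if "." in domain else domain


def classify_sender(domain: str, protected: Iterable[str], seen: Set[str]) -> str:
    """Return 'trusted', 'lookalike', 'new_sender' or 'known' for a sender domain."""
    protected = [p.lower() for p in protected]
    dom = to_unicode(domain)
    if dom in protected:
        return "trusted"
    ours = skeleton(registrable_label(dom))
    for p in protected:
        theirs = skeleton(registrable_label(p))
        # Exact skeleton match catches script/digit swaps; distance 1 catches
        # a dropped, added or swapped character in a reasonably long label.
        if ours == theirs or (len(theirs) >= 5 and levenshtein(ours, theirs) <= 1):
            return "lookalike"
    return "known" if dom in seen else "new_sender"


if __name__ == "__main__":
    protected = ["acmebank.example"]                 # constructed bank domain
    seen = {"payroll.example"}                       # constructed first-seen history
    cyrillic = "\u0430cmebank.example".encode("idna").decode("ascii")   # Cyrillic first letter
    for d in ["acmebank.example", cyrillic, "acrnebank.example", "acme-bank.example",
              "payroll.example", "supplier.example"]:
        print(f"{d:40} -> {classify_sender(d, protected, seen)}")
```

A "lookalike" verdict is a quarantine or banner decision for the mail gateway, while "new_sender" is the softer nudge the article describes; keeping the two classes separate avoids training users to ignore the banner by showing it on every unfamiliar but legitimate supplier.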

Patching and vulnerability management are central to everything; they are basic hygiene. You need to have a prioritised vulnerability management and patching regime in place. You can augment existing patching approaches with the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue. This is a good reference point for prioritising patching, but not a substitute for patching. Even with all of this, there is a likelihood of exposure, so backups play a key role. You should have a clear recovery strategy focussed on immutable backups, with tried and tested recovery from these backups.
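
A KEV-aware prioritisation over a vulnerability inventory, as an added example that is not the article's code: known-exploited issues on internet-facing assets go first, other KEV entries and critical exposed issues next, and everything else falls back to CVSS, so the catalogue accelerates patching without replacing the regular regime. The findings, the KEV snapshot (with placeholder CVE identifiers) and the SLA policy are constructed; a real run would load the catalogue from CISA's published JSON feed and the findings from the scanner.

```python
"""KEV-aware patch prioritisation over a vulnerability inventory.

Added example, not the article's code.  Findings, the KEV snapshot and
the SLA policy are constructed; the CVE identifiers are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    internet_exposed: bool
    patch_available: bool


# Constructed placeholder IDs standing in for real KEV catalogue entries.
KEV_SNAPSHOT: Set[str] = {"CVE-0000-0001", "CVE-0000-0003"}

# Constructed remediation policy: tier -> days allowed to remediate.
SLA_DAYS: Dict[str, int] = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}


def tier(f: Finding, kev: Set[str]) -> str:
    """KEV membership and exposure outrank raw CVSS; CVSS orders the rest."""
    if f.cve in kev and f.internet_exposed:
        return "P1"
    if f.cve in kev or (f.cvss >= 9.0 and f.internet_exposed):
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"


def action(f: Finding) -> str:
    # No vendor fix yet: the item still gets a deadline, but for a compensating control.
    return "patch" if f.patch_available else "mitigate (no vendor fix yet)"


def prioritise(findings: Iterable[Finding], kev: Set[str]) -> List[Dict]:
    """Return work items ordered by tier, then CVSS descending, then asset name."""
    rank = {t: i for i, t in enumerate(SLA_DAYS)}
    items = []
    for f in findings:
        t = tier(f, kev)
        items.append({"asset": f.asset, "cve": f.cve, "tier": t, "sla_days": SLA_DAYS[t],
                      "cvss": f.cvss, "action": action(f)})
    items.sort(key=lambda it: (rank[it["tier"]], -it["cvss"], it["asset"]))
    return items


def overdue(items: List[Dict], age_days: Dict[str, int]) -> List[str]:
    """Assets whose finding has been open longer than its tier allows."""
    return [it["asset"] for it in items if age_days.get(it["asset"], 0) > it["sla_days"]]


# Constructed inventory: asset, placeholder CVE, CVSS, internet-facing?, fix available?
SAMPLE_FINDINGS = [
    Finding("web-gw-01",   "CVE-0000-0001", 7.5, True,  True),
    Finding("hr-db-02",    "CVE-0000-0003", 8.8, False, True),
    Finding("api-edge-03", "CVE-0000-0002", 9.8, True,  True),
    Finding("build-04",    "CVE-0000-0004", 7.2, False, True),
    Finding("kiosk-05",    "CVE-0000-0005", 4.3, True,  False),
]
# Constructed: days since each finding was first observed.
SAMPLE_AGES = {"web-gw-01": 5, "hr-db-02": 10, "api-edge-03": 1, "build-04": 45, "kiosk-05": 20}

if __name__ == "__main__":
    work = prioritise(SAMPLE_FINDINGS, KEV_SNAPSHOT)
    for it in work:
        print(f"{it['tier']} {it['sla_days']:3}d {it['asset']:12} {it['cve']} "
              f"cvss={it['cvss']} {it['action']}")
    print("overdue:", overdue(work, SAMPLE_AGES))
```

Note that the KEV entry on the internal database (`hr-db-02`) still lands in P2 ahead of a higher-CVSS but non-exploited issue, and that the 7.5-scored KEV entry on the gateway is the single P1: this is the "reference point for prioritising, not a substitute for patching" distinction the text draws.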

The above sections are just a glimpse of what a cybersecurity strategy needs to look like for an evolving threat landscape. There is a famous saying in cybersecurity: “Complexity is the worst enemy of security, and our systems are getting more complex all the time.” You need to account for this complexity in your design. So, it’s strongly recommended that you align with a good framework such as the NIST Cybersecurity Framework, which helps you approach and structure your strategy with a focus on four core areas: protect, detect, respond and recover.

(The author is Mr. Sachit Singh, Director of Cyber Security at OakNorth, and the views expressed in this article are his own.)
