A zero-trust approach to cyber defence for banks

The turbulence related in part to the COVID-19 pandemic has brought about huge changes for organisations across all industries, often at the expense of being cyber secure. According to research, 82% of organisations prioritised maintaining business operations over ensuring robust cybersecurity. In fact, 77% of the respondents agree that decisions taken during the last 12 months introduced new areas of vulnerability.

The banking sector has not been exempt from the swift pace of environmental change, and banks have had to adapt very quickly to support the shift to remote work and digital banking services, all while having to adhere to evolving compliance standards.

Most recently, Singapore’s Parliament passed the Financial Services and Markets Bill, which sees financial institutions liable for a fine of up to SG$1 million if they fail to prevent cyberattacks against their networks. This also comes in the wake of the Monetary Authority of Singapore amending its technology risk management guide for financial institutions to ensure data confidentiality. Financial Institutions are encouraged to implement a process for evaluating the structure of IT controls against identified cybersecurity risks. For backups, financial institutions are required to have risk metrics that identify data assets that have a higher likelihood of being targeted. The latest change also highlights the importance of implementing a “strong oversight” over third-party service providers. This emphasises the need for a strong vetting process in assessing third parties’ capabilities in delivering secure services, as well as enforcing well-defined monitoring, reviewing, and reporting processes.

With regulatory changes, and an increase in the frequency, scale, and complexity of cyberattacks, banks now have to manage security risks better, strengthen their cyber resilience, and guarantee the smooth and secure delivery of financial services.

Identity security has become the latest offering in security innovation, shifting the focus to access management as well as the security of individual identities. In practice, banks and financial institutions need to authenticate identities accurately, authorise each identity with the right permissions, and control its access to privileged assets.

As organisations accelerate digital transformation initiatives to respond to evolving business demands, the interconnectedness of identities across business applications and environments has blurred, if not dissolved, network security barriers. Today, all identities, whether customers, remote employees, or third-party vendors, intersect within an organisation. Within this IT landscape, any identity can become privileged and serve as an attack vector that compromises the organisation’s valuable assets. This underscores the need for banks to integrate identity security as a fundamental component of their overall cybersecurity strategy.

Against evolving threats, it is critical, therefore, for banks and financial institutions to take a proactive stance to security and adopt a “never trust, always verify” approach. Here are some steps:

Adopt a zero-trust mindset and secure privileged accounts

Zero trust is based on the principle that organisations should not, by default, trust their surroundings, whether outside or within the network perimeter. Zero trust demands that users and devices connecting to an organisation be verified before being granted access.

To establish modern architectures that are consistent with zero trust, banks must adopt a phased and programmatic approach. They need to identify the privileged accounts, credentials, and secrets in their platform, and accurately determine the weaknesses that could expose sensitive data and critical infrastructure.

Both humans and machines now have more digital identities than before. According to research, the average staff member can have more than 27 digital identities, and an organisation with 5,000 employees will have roughly 150,000 machine or non-human identities. These digital identities come with access credentials, which further expand the potential attack surface.

Moreover, attackers have become adept at leveraging vulnerabilities in the human psyche to conduct social engineering and phishing-based attacks, finding success in infiltrating corporate networks. To combat this, banks must adopt privileged access management to prevent the lateral spread of an attack. By proactively managing and rotating high-value “privileged” credentials and limiting user access to only the information and tools needed to perform their immediate role, an attacker’s route to critical data and assets can be contained, reducing their ability to exfiltrate information or disrupt operations.

Enforce MFA for business-critical assets

Multi-factor authentication is crucial to narrowing the set of devices and users that can reach an asset. Step-up or just-in-time authentication and managerial approval processes can further reduce the risk of important information being attacked: once an attacker has taken over a privileged credential, the attacker looks like a trusted user, so the credential alone should never be enough. As endpoints are typically the most common entry point for attackers, running antivirus software alongside endpoint detection and response also helps reduce the attack surface.
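The two steps above, securing privileged accounts with least privilege, credential rotation and just-in-time grants, and requiring step-up MFA before business-critical actions, come together in a per-request access decision. The following is an added example of such a policy check, not code from the original article or from any vendor product; the identities, devices, roles, grant data, 15-minute MFA freshness window and 30-day rotation deadline are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed policy parameters (assumptions for this example).
STEP_UP_MAX_AGE = timedelta(minutes=15)   # how fresh a step-up MFA must be
CREDENTIAL_MAX_AGE = timedelta(days=30)   # rotation deadline for credentials

# Least-privilege scopes: a role may only perform the actions its job needs.
ROLE_SCOPES = {
    "teller": {"account:read", "transfer:initiate"},
    "dba": {"db:read"},          # production writes need a just-in-time grant
}
# Business-critical actions: never allowed by role alone.
PRIVILEGED_ACTIONS = {"db:write", "transfer:approve", "ledger:export"}

# Constructed device inventory: which devices are enrolled to which identity.
ENROLLED_DEVICES = {"alice": {"laptop-0042"}, "bob": {"laptop-0099"}}


@dataclass
class JitGrant:
    user: str
    action: str
    approved_by: str
    expires_at: datetime


@dataclass
class AccessRequest:
    user: str
    role: str
    device_id: str
    action: str
    mfa_verified_at: Optional[datetime]   # last completed step-up MFA
    credential_rotated_at: datetime       # when the credential was last rotated


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: AccessRequest, grants: List[JitGrant], now: datetime) -> Decision:
    """Decide one request under 'never trust, always verify'.

    Every call re-checks device enrolment, credential age, role scope,
    MFA freshness and the JIT grant; nothing is carried over from earlier
    requests and network location is deliberately not an input.
    """
    # 1. The device must be enrolled to this identity.
    if req.device_id not in ENROLLED_DEVICES.get(req.user, set()):
        return Decision(False, "device not enrolled for identity")

    # 2. Credentials past their rotation deadline are refused at access time.
    if now - req.credential_rotated_at > CREDENTIAL_MAX_AGE:
        return Decision(False, "credential past rotation deadline")

    # 3. Non-privileged actions are confined to the role's scope.
    if req.action not in PRIVILEGED_ACTIONS:
        if req.action in ROLE_SCOPES.get(req.role, set()):
            return Decision(True, "within role scope")
        return Decision(False, "action outside role scope")

    # 4. Privileged actions need a fresh step-up MFA ...
    if req.mfa_verified_at is None or now - req.mfa_verified_at > STEP_UP_MAX_AGE:
        return Decision(False, "step-up MFA required")

    # 5. ... and an unexpired, approved just-in-time grant for this exact action.
    for g in grants:
        if g.user == req.user and g.action == req.action and g.expires_at > now:
            return Decision(True, f"JIT grant approved by {g.approved_by}")
    return Decision(False, "no active just-in-time grant")


def demo() -> Dict[str, Decision]:
    """Run a set of constructed scenarios through the policy and return the decisions."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)      # constructed clock
    fresh = now - timedelta(minutes=3)
    grants = [JitGrant("bob", "db:write", "carol", now + timedelta(minutes=30))]
    base = dict(credential_rotated_at=now - timedelta(days=5))
    cases = {
        "teller reads account": AccessRequest("alice", "teller", "laptop-0042", "account:read", None, **base),
        "teller tries ledger export": AccessRequest("alice", "teller", "laptop-0042", "ledger:export", fresh, **base),
        "dba writes with fresh MFA and grant": AccessRequest("bob", "dba", "laptop-0099", "db:write", fresh, **base),
        "dba writes with stale MFA": AccessRequest("bob", "dba", "laptop-0099", "db:write", now - timedelta(hours=2), **base),
        "unknown device": AccessRequest("bob", "dba", "laptop-0001", "db:read", fresh, **base),
        "stale credential": AccessRequest("bob", "dba", "laptop-0099", "db:read", fresh,
                                          credential_rotated_at=now - timedelta(days=45)),
    }
    return {name: evaluate(req, grants, now) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:38s} -> {'ALLOW' if decision.allowed else 'DENY '} ({decision.reason})")
```

The order of the checks is the point: a stolen credential on an unenrolled device fails at step 1, a credential that was never rotated fails at step 2, and even a legitimate user with fresh MFA cannot export the ledger without an approved, time-boxed grant, which is what contains lateral movement when one privileged credential is taken over.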

In conclusion, the banking sector must be cognisant of the evolving nature of threats and focus on proactive cybersecurity as digital banks and financial services become a reality. There is an urgent need for preventative steps to strengthen controls, and for banks to recognise that securing their customers’ personally identifiable information is critical to their ongoing success. Identity security should be a core component of their overall cybersecurity strategy to counter the external and internal threats to which banks and financial institutions are exposed.