3 Signs It’s Time for a Zero Trust Security Model in FinServ
For cyber criminals, few industries offer rewards that justify the risk quite like the financial services sector. That’s why it has ranked as the most attacked industry in the X-Force® Threat Intelligence Index since 2016, even with the increased incursions on the manufacturing and energy sectors in 2020. Switching between established tactics like Trojan horse viruses and innovative new ploys like deep-fake phishing or crypto-jacking, hackers regularly get a return on their investment when they hit the financial sector.
In the hopes of stopping many of these attacks in their tracks, more and more financial organizations are embracing a zero trust security framework to mitigate risk and maximize the effectiveness of their security posture. It’s a shift that will only increase as certain security trends and industry innovations take greater root.
1.) Hackers Are Increasingly Deterred by Multifactor Authentication
Hackers are admittedly a persistent crowd – they’re the malicious embodiment of the motto “if there’s a will, there’s a way” – but they also value their own time and effort. For example, if a cybercriminal encounters systems or applications that are hard targets to breach, they’ll divert their attention to corporations or organizations that provide the path of least resistance. They may not completely abandon a business as a future target to plunder, but they might downgrade their focus in favor of a victim that puts up less of a struggle.
In fact, reports from IBM X-Force suggest that when hackers using specific tactics to compromise your systems and employees encounter multifactor authentication, they abandon their efforts before wasting too much of their time.
Business email compromises (BEC) are a great example. The IBM X-Force team attributes the 38% drop in BEC between 2019 and 2020 to the further expansion of multifactor authentication across the business world. There’s even been a drop in credential theft and brute force attacks. Certainly, the skills and resources of a threat actor play a big part in their willingness to hound your business, but layered authentication convinces enough hackers to quit while they’re ahead.
There’s more that financial services organizations can do to raise the security bar: implement a zero trust security model. With multifactor authentication, there are still some individuals who are given implicit trust. With zero trust, every user, device, and program needs to verify the legitimacy of system inquiries and access every single time. Though it’s not completely impenetrable, it elevates the effort hackers need to exert to get what they want.
2.) The Rise of Open Banking APIs Creates Avoidable Threats
In general, the popularization of open banking APIs is creating a net good for the financial services sector. Established organizations can leverage the flexibility, narrowed focus, and/or creative perspective of smaller fintech businesses or complementary organizations to extend their own capabilities and services. However, the permissions granted to these organizations can result in security risks.
Consider API tokens. If your third-party applications have a weak security posture, hackers can create legitimate accounts or illegally access those systems to bypass your security measures, leveraging the valid API token of your pre-approved partner in duplicitous ways. And if some vendors or third-party apps are whitelisted, you may have inadvertently given bad actors the keys to the kingdom. With a zero trust security model, you can soften the threat without weakening the technology. For example, a zero trust mindset lets you:
- Limit API tokens in circulation
- Track the activity of API tokens to identify suspicious actions or irregular behavior
- Block any existing tokens that appear compromised
Beyond token utilization, your systems can be compromised if your network lacks measures that reset transactions after repeated failure. In a 2020 blog on Threatpost, there’s a strong example of how hackers can use simple reverse engineering to compromise credit-card transactions.
While conducting a transaction system analysis, the author found he could use an intercept proxy to obtain credit card numbers and expiration dates, and then complete his payment information by using an enumeration technique to sequentially guess the CVV. Unfortunately for the platform’s owners, the ploy worked with limited effort. If your system isn’t monitoring for this and other threats (and forcing re-authentication when too many errors are recorded), then you’re turning a great tool into a ticking time bomb.
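The monitoring described above, and the token tracking and blocking from the earlier list, can be sketched as a single server-side guard. This is an added example, not code from the article or the Threatpost post; the thresholds, token names, and card fingerprints are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

CARD_FAIL_LIMIT = 3   # assumed: CVV misses per card before re-auth is forced
TOKEN_FAIL_LIMIT = 5  # assumed: CVV misses per API token before it is blocked
WINDOW = 300          # assumed sliding window in seconds

class TransactionGuard:
    def __init__(self):
        self.card_fails = defaultdict(deque)   # card -> recent miss times
        self.token_fails = defaultdict(deque)  # token -> recent miss times
        self.locked_cards, self.blocked_tokens = set(), set()

    @staticmethod
    def _record(misses, ts):
        """Add a miss, drop those older than WINDOW, return the count."""
        misses.append(ts)
        while ts - misses[0] > WINDOW:
            misses.popleft()
        return len(misses)

    def check(self, ts, token, card, cvv_ok):
        if token in self.blocked_tokens:
            return "deny:token_blocked"
        if card in self.locked_cards:
            return "deny:reauth_required"  # even a correct CVV is refused
        if cvv_ok:
            self.card_fails.pop(card, None)  # success resets the card counter
            return "allow"
        if self._record(self.token_fails[token], ts) >= TOKEN_FAIL_LIMIT:
            self.blocked_tokens.add(token)   # takes effect on the next call
        if self._record(self.card_fails[card], ts) >= CARD_FAIL_LIMIT:
            self.locked_cards.add(card)
            return "deny:reauth_required"
        return "deny:cvv_mismatch"

# Constructed sample traffic: (time, api_token, card_fingerprint, cvv_ok)
SAMPLE = [
    (0, "partner-a", "card-1", False), (400, "partner-a", "card-1", False),
    (410, "partner-a", "card-1", True),   # customer typo, then success
    (500, "partner-b", "card-2", False), (501, "partner-b", "card-2", False),
    (502, "partner-b", "card-2", False),  # third miss locks card-2
    (503, "partner-b", "card-2", True),   # correct guess arrives too late
    (504, "partner-b", "card-3", False), (505, "partner-b", "card-3", False),
    (506, "partner-b", "card-4", True),   # token already blocked
]

def replay(events):
    guard = TransactionGuard()
    return [guard.check(*event) for event in events], guard
```

Counting misses per card as well as per token matters because a client that spreads guesses across several cards stays under the per-card limit while still tripping the token limit.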
3.) Increased Mobile Banking and Mobile Work Can Buck Security Measures
Last year cemented the importance of mobility across the financial services sector. As face-to-face interactions dwindled, more people of all generations depended on the ability to access and transfer money without leaving their homes. In fact, sessions in mobile banking and payment apps were up 26% in the first half of 2020 compared with the first half of 2019.
Moreover, larger segments of the financial services workforce transitioned to remote work during the pandemic. Previous surveys suggested that only about 29% of the industry permitted the majority of their employees to work from home once a week or more. After COVID swept the globe, that proportion jumped up to 69% of financial services organizations.
All of the increased mobile activity heightens security threats. Vulnerabilities can be created by anyone from a negligent app development team to financial services personnel who are unversed in cybersecurity best practices. The sad truth is that 76% of mobile banking vulnerabilities do not even require access to a user’s physical device. In short, organizations need to take a stringent stance on authentication.
The rising access to financial services databases and systems from mixed-use devices requires enforcement points that are vigilant and nonnegotiable. You cannot afford to be overly permissive. For a user to gain access to your systems, their device should possess essential security patches, up-to-date operating systems, approved geolocations, or other core authentication criteria. This helps to protect your user base and your business – while still embracing the benefits of a connected world.
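An enforcement point of this kind can be expressed as a posture check that runs on every request and fails closed when an attribute is missing. This is an added example, not code from the article; the policy values, the attribute names, and the use of a country code as the geolocation signal are assumptions.

```python
from datetime import date

# Assumed policy values for illustration; a real policy comes from your own baseline.
POLICY = {
    "min_os": {"ios": (17,), "android": (14,), "windows": (10,)},
    "max_patch_age_days": 45,
    "allowed_countries": {"US", "CA"},
}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def evaluate_device(device, today, policy=POLICY):
    """Return (allowed, reasons). Missing or unreadable attributes fail closed."""
    reasons = []
    minimum = policy["min_os"].get(device.get("platform"))
    if minimum is None:
        reasons.append("unsupported_platform")
    else:
        try:
            if parse_version(device["os_version"]) < minimum:
                reasons.append("os_outdated")
        except (KeyError, ValueError, AttributeError):
            reasons.append("os_version_unreadable")
    patched = device.get("last_patch")
    if patched is None or (today - patched).days > policy["max_patch_age_days"]:
        reasons.append("patches_missing")
    if device.get("country") not in policy["allowed_countries"]:
        reasons.append("geo_not_approved")
    return (not reasons, reasons)


# Constructed sample devices, checked as of a constructed date.
TODAY = date(2024, 6, 1)
DEVICES = {
    "compliant": {"platform": "ios", "os_version": "17.4",
                  "last_patch": date(2024, 5, 20), "country": "US"},
    "stale": {"platform": "android", "os_version": "12.1",
              "last_patch": date(2024, 1, 10), "country": "CA"},
    "unknown": {"platform": "ios", "os_version": "17.x", "country": "BR"},
}


def evaluate_all(devices=DEVICES, today=TODAY):
    return {name: evaluate_device(d, today) for name, d in devices.items()}
```

Returning every failed criterion, rather than stopping at the first, gives the help desk and the audit log the full reason a device was refused.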
Keeping Up with the Zero Trust Security Model
This is only a snapshot of the potential threats out there from an authentication standpoint. As solutions and channels expand in the financial services sector, new cyber security threats will arise, necessitating greater control of the tactics, techniques, and procedures protecting your network. Whether it’s your in-house team or a trusted IT management solutions and consulting partner, it’s long overdue for the industry to make a permanent move to a zero trust security model.