Effective cybersecurity must align with an organization’s needs and take its lead from its requirements. Security must be enabled, not defined.
Thus, understanding your organization’s operational environment and what optimum performance looks like must come first. In banking and financial services, where trust and data security are fundamental, cybersecurity requirements are even more complex. This reinforces the importance of getting it right by building security out from a place of comprehensive insight into your organization and its challenges.
Evolution is essential to business longevity and success, but right now, the financial industry is finding out that positive change in one area can exacerbate security vulnerabilities in another. Significant progress in digital transformation, cloud acceleration, and governance is creating cybersecurity implications that require immediate attention.
– The organization’s attack surface increases significantly as greater digitalization and accelerated cloud adoption create more potential access points for cybercriminals to exploit.
– Business interruption threats are more likely as these developments increase connections and dependencies on third parties, key technology partners, and the supply chain. All those can mean easier points of entry into the organization’s network than a direct attack on the organization itself.
– Regulators are taking a tougher stance as the finance and insurance sector is a prime target for cybercriminals, requiring greater operational resilience to defend against business and supply chain disruption.
The scale of the cybersecurity problem facing banking and financial services is increasingly evident. More than four-fifths (81%) of financial service professionals fear an escalation in cyber-attacks, driven by unsettled geopolitical situations. Further, it’s estimated that 3.4 million more cybersecurity workers are needed globally to secure assets effectively, leading to 43% of executives expressing concern that their bank may be ill-equipped to protect customer data, privacy, and assets in the event of a cyber-attack.
Although the risk landscape for the banking and financial sector is changing as the market develops, this change is ripe with potential – providing it’s paired with zero-trust thinking and development that keeps pace. This new cloud-centric, more regulated environment calls for a robust cybersecurity posture, particularly for high-value cyber targets.
In addition, the arrival of the Digital Operational Resilience Act (DORA) will force organizations to seriously consider where they are with their security posture considering the consequences of non-compliance. DORA will apply to financial sector organizations operating in Europe from 17 January 2025.
This means that the regulation impacts not only banks and other financial institutions but also the technology firms that support them. For example, DORA will apply to a financial services firm regardless of whether they use a hyperscale cloud provider or a small fintech. The purpose of DORA is to strengthen resilience to IT-related incidents by requiring organizations to focus on their digital resilience strategies and accompanying digital resilience frameworks.
This will mean that all financial services firms must prove they can withstand, respond to, and recover from all types of IT-related disruptions and threats. The responsibility and accountability for institution-wide digital resilience will sit with CEOs and the executive committee, covering governance and organization, IT risk management framework, ICT incident management, classification and reporting, digital operational resilience testing, third-party provider risk management, and information sharing. Potentially the most challenging area will be achieving oversight of ‘Critical IT third-party providers’ (CTTPs), such as network providers, cloud platforms, and data analytics services as well as financial services firms.
DORA compliance aside, banking and financial services organizations need an approach that recognizes the singularity of the sector’s challenges; one that supports change in three areas:
– Securing your multi-cloud to achieve better control, visibility, and security across your cloud infrastructure.
– Securing your end users and data by establishing defenses for your customer information and company data when your employees are working from anywhere.
– Improving your operational resilience by identifying security risks across your third-party interactions, internal infrastructure, and defenses.
Ongoing digital transformation, cloud acceleration, and growing governance pressures are exacerbating security vulnerabilities within finance and banking – and each organization will face unique additional issues on top of that. By creating a clear picture of requirements first, and only then tailoring a cybersecurity solution, financial services organizations can move closer to the solution that will enable them to thrive securely.
By Todd Schoeman, BT Client Business Director in South Africa