Global digitisation, combined with unprecedented changes to the financial services business model, is demanding industry and digital modernisation. To remain competitive, financial services institutions must embrace new business models such as hybrid working alongside cyber resilience. These new hybrid working models need to balance productivity and scalability with agility and security.
Most financial services organisations already have robust defences. However, we know that no network, or system, is infallible. Attackers will use a variety of means to gain access to the estate. The financial services industry is also a high value target for cybercrime and fraud. According to PwC, 69 percent of financial services’ CEOs reported that they are either somewhat or extremely concerned about cyber threats. In a recent podcast with UK Finance, we took a closer look at the current threats facing financial services organisations and why cyber resilience is so important.
The future of work will remain hybrid. People are fluidly working between home and office, intertwining their personal and work networks. Many financial services organisations have security strategies that focus on recovery and operational resilience, with testing and recovery planning. So how can organisations ensure they stay secure and safe in a hybrid environment, while continuing to manage distributed and legacy environments? By making cybersecurity the foundation for operational resilience. Here are five ways to start.
1. Assume compromise
Instead of assuming everything behind a corporate firewall is safe, assume compromise. Continually ask ‘what if’. What if an attacker gained access to your network, servers or data? What if a trusted insider gained access to information they shouldn’t? What could be done with it? Therefore, what level of protection is needed to help keep information safe?
Organisations may be operating in a hybrid or multi-cloud environment, using thousands of different applications. Employees may be working on multiple devices in different locations. As a result, a defence-in-depth approach is needed to protect data and services.
The hybrid workplace is borderless, so wrapping security around identity and devices is critical. Recent cyberattacks have shown that identity is the new battleground. Implementing multi-factor authentication (MFA) can prevent 99.9 percent of credential attacks, yet many organisations have yet to fully deploy MFA. We also see Zero Trust security as a business imperative.
2. Protect identity
Zero Trust takes a risk-based approach by embracing the principle of least privilege. It assumes compromise and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches “never trust, always verify.” Every access is fully authenticated and authorised before granting access.
When integrated with security and compliance solutions, employees can securely sign on once, and access everything needed, when needed. No matter the location.
For Rabobank, taking an identity-first approach to security opened up more productivity for their people.
“The ability to more securely access documents through Microsoft Teams and OneDrive from mobile devices means people can easily work in different locations, but still keep our data and documents highly protected in our environment.”
Erik Passchier, Global Head of IT Infrastructure at Rabobank.
3. Keep devices and networks healthy
Anything that has a connection to the internet is potentially vulnerable. While the cloud boasts multiple security benefits, organisations need to segment infrastructure and networks, to reduce the probability of lateral movement across the estate. This is especially important for any legacy services or systems that can’t be patched or upgraded.
Ensuring devices and infrastructure are updated with the latest security patches and updates is very important. In the cloud, patching becomes part of the shared responsibility model, making it easy for teams to manage updates.
As part of their hybrid strategy, Rabobank has built robust mobile device management policies and uses tools like Endpoint Manager and Intune. These focus on making it easy for employees to securely access work apps across devices. They use protection policies to restrict company data from being saved to local devices or moving across to other apps.
“Before, I only had access to email while out of the office. Now if I’m traveling to work on the train or working from home, I can call colleagues and we can work together in the same document. The ability to be more mobile is a huge step forward.”
Boy Sleddering, Senior Vice President Corporate Communications at Rabobank.
4. Automation and audit logs
Automation and orchestration are key to enabling cyber resilience. For example, Microsoft XDR provides better detection and incident response, and blocks known threats. Additionally, it’s key to reducing security operations fatigue and increasing efficiency with the volume of alerts. It also provides the opportunity to be proactive by performing active threat hunting. Machine learning can also identify and correlate behavioural-based attacks.
SIEM provides an aggregated and unified experience with investigative capabilities across the estate. Checking for Indicators of Compromise (IOCs), analysing logs, verifying changes, and isolating and potentially preserving forensic data are critically important for financial services organisations, which can leverage them as an audit trail for regulators and law enforcement.
“Now we have one platform that looks across all our estate. One system, one skillset means greater understanding and more effectiveness. We have a more comprehensive solution, and we can focus staff training on the Microsoft solutions, so we have broader security competence through our team.”
Mudassar Ulhaq, Chief Information Officer at Waverton.
5. Invest in people and skills
We know there is a balance between human capacity and skilled resources, which are also at a premium right now. (ISC)² reports that there is a 3.1 million cybersecurity gap. While automation and machine learning can reduce the noise, the cybersecurity professional skills gap needs to be addressed. Introduce new ways of acquiring talent, apprenticeships and diversity and inclusion programmes. Highlight talent in-house and re- or upskill your employees.
Each employee should have good digital literacy and understand the different types of cyber threats that they may be exposed to, such as phishing attempts and business email compromise. However, leaders must also have digital empathy for the end-user experience and be mindful of the stressors that they may be facing. Security and compliance can work together by being dynamic to the changing landscape, and help employees to be safe and secure, through regular tips that reinforce awareness of the policies.
Enabling cyber resilience
Financial services organisations need to be kept up to date on cyber capabilities and made aware of potential threats on an ongoing basis through both push and pull means. However, key to cyber resilience is collaboration and partnerships. For example, the Financial Sector Cyber Collaboration Centre collaborates with around 40 organisations, including Microsoft. We work together to provide focussed messages across an array of customers that are timely and relevant.
Strong governance, operational resilience and partnerships are key to ensuring the financial services industry builds cyber resilience now and in the future, in the face of an ever-changing landscape.
About the authors
Sarah Armstrong-Smith is a Chief Security Advisor in Microsoft’s Cybersecurity Solutions Group. She principally works with FSI customers in the UK and strategic customers across Europe, to help them evolve their security strategy and capabilities to support digital transformation and cloud adoption.
Sarah has a background in business continuity, disaster recovery, data protection and privacy, as well as crisis management. Combining these elements means she operates holistically to understand the cybersecurity landscape, and how this can be proactively enabled to deliver effective operational resilience.
Sarah has been recognised as one of the most influential women in UK Tech and UK cybersecurity and regularly contributes to thought leadership and industry publications.
Elizabeth is a Principal Cybersecurity Consultant in the Detection and Response Team (DART) and 20+ year veteran at Microsoft. She works directly with financial services and national security agencies in detecting and protecting critical infrastructure.