The financial landscape is rapidly morphing from traditional brick and mortar institutions that were staid and stuffy beehives to environments that resemble trendy coffee shops, while banking services are no longer limited to four walls and a teller’s cage. In an age of advanced digital technology and the perpetual expansion of the cloud and IoT universe, big data is driving the financial sector to new business heights. Unfortunately, with this digital transformation comes new and constant security threats.
In its newly released “The Changing Face of Data Security – 2019 Thales Data Threat Report” for the financial services sector, done in conjunction with global market intelligence provider International Data Corporation (IDC), the research shows “that more U.S. financial institutions are on the leading edge of digital transformation than any of the other industries studied, with 49% of financial services respondents saying they are either aggressively disrupting the markets in which they participate or embedding digital capabilities that enable greater organizational agility.”
This report is based on a global IDC web-based survey of 1,200 executives with responsibility for or influence over IT and data security from nine countries and a range of industries, with a primary emphasis on financial services, retail, healthcare, and federal government.
The study goes on to say that while digital transformation (DX) “enables financial institutions to introduce new business models and reach more customers in new and innovative ways, it also introduces added difficulties for information security professionals, and raises the potential to put sensitive customer data at risk. Security professionals currently deal with a threat environment in which 62% of U.S. financial services respondents report that they have been breached; they must also face ever-expanding attack vectors, with top concerns including cyberterrorism, internal threats from within the IT organization, and industrial espionage. To add to the complexity, financial institutions are entering the era of open banking – in some markets by regulatory force – in which they are exposing APIs to third-party financial technology startups (fintechs) so that these new partners may access customer accounts and data for the provisioning of new services. Open banking essentially creates an additional attack surface.”
“Over the last few years we’ve done this report, we have seen a lot of investment into digital transformation technologies, with cloud certainly being the big leader in that. However, the adoption of mobile technology, especially when it comes to fintech, big data, social media, is certainly rising, as are IoT and blockchain. When we asked the financials to self-identify about how they view themselves as investing in digital transformation, financial services and Fintech companies identify themselves as the most aggressive in adopting digital transformation technologies, which I don't think is shocking. Twenty-two percent self-identify as using digital transformation to disrupt business models in their environment. Another 27% see that they are linking their agile management vision to the use of digital transformation. So overall, 49% consider themselves pretty aggressive in supporting digital transformation,” says Charles Goldberg, Vice President of Data Protection Product Marketing at Thales, who adds that the retail industry ranks just behind the financial sector when it comes to DX, which corresponds with each industry’s reliance on finding new ways to reach out and retain customers.
Is There Enough Security?
The 2019 study demonstrates the financial sector’s willingness to forge ahead with digital transformation to help drive business, but the appetite for security spending is fading. Among U.S. financial executives, 54% responded that their security budget has increased this year, but that is down substantially from the 84% claiming increased security spend last year. The share of U.S. financial services respondents who say their organizations will decrease security spending more than doubled (8% compared to 3%), and the share who say their spend will stay the same nearly tripled (38% compared to 13%).
Goldberg admits that the growing complexity of technology and process, as Fintechs try to manage security across different infrastructure environments like cloud and mobile, accounts for some of the uncertainty in security implementation. He says that when it comes to mobile banking platforms, people are most worried about authentication.
“That's what floats to the top and keeps them up at night because now you're talking about that endpoint and that user more directly. Cloud and mobility are the two big issues when discussing security around digital transformation, but they are two different endpoints of the spectrum,” explains Goldberg. “The cloud is where we say the data is and the services are, while the mobility factor is where the devices and the customers are. Both must be secured. Both are equally important, yet they are different problems to solve. That adds to the complexity and the challenges that financials have putting a coordinated security strategy in place. It's different tech, different solutions.”
Complexity Concerns Stymie Security
Financial institutions continue to migrate business to cloud workloads that were once handled by a single on-premise environment and are now augmented with multiple infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) environments, as well as tens and even hundreds of software-as-a-service (SaaS) applications, according to the study. As data is evolving to be one of the key control points, the importance of data security grows, but data security in a DX environment is not easy.
The complexity of establishing encryption, tokenization and management policy for one cloud deployment is daunting enough, but it is only compounded for the financial sector as it continues to roll out multiple cloud applications. Data protection and the impact on business performance raise the risk quotient exponentially. The survey shows that 53% of U.S. financial services providers rate complexity as a top concern, while 46% rate impacts on business performance as a top concern.
“While the endpoint is heavy on authentication and fraud detection, the cloud side is really about control, regulation and locking down that sensitive data, and, of course, availability. It is no surprise complexity is an issue among U.S. financials since they're more aggressively rolling out initiatives and need to ensure a positive consumer experience,” Goldberg says. “When it comes to business process, having auditors and security teams coming in often slows down departments. We know that a lot of services and the adoption of digital transformation happens fast. Whether security is built in at the beginning or not depends on the company and the environment. I often think it is a combination of the security team perceived as slowing things down or security is just considered an afterthought in a worst-case scenario.”
Goldberg points to the rampant Amazon S3 cloud storage data leaks that seem to have become a weekly occurrence over the last several years.
“It's difficult to say it's gotten better, so that's just one proof point. The financials are the most highly targeted environments. This information is just not from the (Thales) data threat report but from other analyst research I've seen. The average business is attacked four million times a year. Your average financial business, however, is attacked, not necessarily successfully, one billion times here every 30 seconds. They are big targets and do need to be more cautious,” he concludes.
About the Author:
Steve Lasky is a 33-year veteran of the security publishing industry and multiple-award-winning journalist. He is currently the Editorial and Conference Director for the Endeavor Business Security Media Group, the world’s largest security media entity, serving more than 190,000 security professionals in print, interactive and events. It includes Security Technology Executive, Security Business and Locksmith Ledger International magazines, and SecurityInfoWatch.com, the most visited security web portal in the world. He can be reached at email@example.com.