Effective cybersecurity must align to organisation’s needs and take its lead from its requirements. Security must enable, not define.
By Todd Schoeman, BT client business director in South Africa
Thus, understanding your organisation’s operational environment and what optimum performance looks like must come first. In banking and financial services, where trust and data security are fundamental, cybersecurity requirements are even more complex.
This reinforces the importance of getting it right, by building security out from a place of comprehensive insight into your organisation and its challenges.
Evolution is essential to business longevity and success but right now, the financial industry is finding out that positive change in one area can exacerbate security vulnerabilities in another.
Significant progress in digital transformation, cloud acceleration and governance is creating cybersecurity implications that require immediate attention.
* The organisation’s attack surface increases significantly as greater digitalisation and accelerated cloud adoption create more potential access points for cyber criminals to exploit.
* Business interruption threats are more likely as these developments increase connections and dependences on third parties, key technology partners and the supply chain. All those can mean easier points of entry into the organisation’s network than a direct attack on the organisation itself.
* Regulators are taking a tougher stance as the finance and insurance sector is a prime target for cyber criminals, requiring greater operational resilience to defend against business and supply chain disruption.
The scale of the cybersecurity problem facing banking and financial services is increasingly evident. More than four-fifths (81%) of financial service professionals fear an escalation in cyber-attacks, driven by unsettled geo-political situations.
Further, it’s estimated that 3,4-million more cybersecurity workers are needed globally to secure assets effectively, leading to 43% of executives expressing concern that their bank may be ill-equipped to protect customer data, privacy and assets in the event of a cyber-attack.
Although the risk landscape for the banking and financial sector is changing as the market develops, this change is ripe with potential – providing it’s paired with Zero Trust thinking and development that keeps pace.
This new cloud-centric, more regulated environment calls for a robust cybersecurity posture, particularly for high-value cyber targets.
In addition, the arrival of the Digital Operational Resilience Act (DORA) will force organisations to seriously consider where they are with their security posture considering the consequences of non-compliance. DORA will apply to financial sector organisations operating in Europe from 17 January 2025.
This means that the regulation impacts not only banks and other financial institutions, but also the technology firms that support them. For example, DORA will apply to a financial services firm regardless of whether they use a hyperscale cloud provider or a small fintech. The purpose of DORA is to strengthen resilience to IT-related incidents by requiring organisations to focus on their digital resilience strategies and accompanying digital resilience frameworks.
This will mean that all financial services firms must prove they can withstand, respond to, and recover from all types of IT-related disruptions and threats.
The responsibility and accountability for institution-wide digital resilience will sit with CEOs and the executive committee, covering governance and organisation, IT risk management framework, ICT incident management, classification and reporting, digital operational resilience testing, third-party provider risk management, and information sharing.
Potentially the most challenging area will be achieving oversight of ‘Critical IT Third Party Providers’ (CTTPs), such as network providers, cloud platforms, and data analytics services as well as financial services firms.
DORA compliance aside, banking and financial services organisations need an approach that recognises the singularity of the sector’s challenges; one that supports change in three areas:
* Securing your multi-cloud to achieve better control, visibility and security across your cloud infrastructure.
* Securing your end users and data by establishing defences for your customer information and company data when your employees are working from anywhere.
* Improving your operational resilience by identifying security risks across your third-party interactions, internal infrastructure and defences.
Ongoing digital transformation, cloud acceleration and growing governance pressures are exacerbating security vulnerabilities within finance and banking – and each individual organisation will face unique additional issues on top of that.
By creating a clear picture of requirements first, and only then tailoring a cybersecurity solution, financial services organisations can move closer to the solution that’ll enable them to thrive securely.