This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.
This year saw some notable cybersecurity events in the financial services industry, including thefts from a number of SWIFT (Society for Worldwide Interbank Financial Telecommunication) member banks and from malware-infected ATMs in Asia. As we look ahead to 2017, I predict that we’ll see the following cybersecurity trends in the financial services industry.
Sure Things
- Growing Adoption of Public Cloud – The financial services industry is the final frontier for public cloud computing. After years of saying it will never happen due to information security concerns, the industry has slowly warmed up to the use of the public cloud. Both Amazon Web Services (AWS) and Microsoft Azure already publicize a number of financial institutions as customers. Many organizations have been testing, evaluating, and conducting proofs-of-concept in 2016 with a critical eye on appropriate cybersecurity practices. A significant number of these institutions will finally adopt the public cloud for computing workloads in 2017. Initially, these may include applications that handle less sensitive data. Although there are still pockets of resistance out there in the financial services industry, they are definitely getting smaller. The appeal of agility, scalability, and cost-benefits offered by public cloud computing is irresistible, especially when security can be architected into the solution instead of bolted on.
- Common Use of Multi-Factor Authentication (MFA) – As we saw with the recent fraudulent transactions at several SWIFT member banks, legitimate login and password credentials were somehow stolen and used to initiate fund transfers. This basic authentication technique is prone to compromise and allows account takeover (ATO) attacks. Financial institutions will finally take note and adopt more robust MFA techniques – at least internally for critical applications and sensitive data, and certainly for privileged accounts, such as root, administrator. Although not all MFA techniques are created equally, any form will create another hurdle that the cyber adversary cannot easily clear. MFA techniques are based on presenting evidence – at least two of the following:
- Something you know (e.g., login/password, PIN)
- Something you possess (e.g., one-time password token, mobile phone)
- Something you are (e.g., fingerprint, retina scan)
Long Shots
- Broad Implementation of Zero Trust Networks – Forrester Research first introduced the Zero Trust (ZT) model in 2009, but as of the end of 2016, implementations are still not widely seen. Conceptually, the information security value of restricting traffic to only known, legitimate flows between various portions of the network is difficult to refute. Any malicious activity will then be constrained by the nearest segmentation gateway. However, the challenges with the ZT model include: difficulty in completely identifying the legitimate traffic patterns (both initially and in perpetuity); necessary cooperation across multiple disciplines (e.g., IT, security, business); and the potential for business disruptions, especially in brownfield environments. In spite of this, financial institutions will warm up to the idea of ZT for their networks and take some big strides in 2017. This will start off with pockets of network segmentation that limit traffic to/from more sensitive portions of each environment. These efforts will limit the exposure and restrict lateral movement after a compromise. In the end, it will be a question of how far down the ZT path a financial institution will go within its own network.
- Blockchain Opens Another Attack Vector – There continues to be significant buzz regarding blockchain technology within the financial sector. Blockchain is certainly bigger than Bitcoin and is a distributed ledger technology that is being considered for payment processing, trade settlement, virtual wallets, etc. In addition to start-ups, traditional financial institutions are actively working to understand this technology and the potential impact on their organizations. Some of the benefits include greater expediency as well as reduced costs for cross-border payments, securities trading, and settlement as a result of cutting out the intermediaries. Other benefits include greater transparency and audit trails for compliance officers, auditors and regulators. Even with the best of intentions in mind, early financial industry adopters of this technology will create another attack vector, despite the inherent mechanisms for cryptography and immutability. Vulnerabilities in nascent implementations of blockchain technology will be discovered by malicious actors who will exploit them in an effort to compromise the security and confidentiality of financial transactions in 2017. This provides a segue to the next prediction.
- Better Results from Coopetition – FinTech start-ups continue to challenge financial institutions for a share of their customers’ wallets. FinTech brings lower costs and innovative approaches to a segment of the banking and investing population. However, they often lack brand recognition, access to a large customer base, and experience with regulatory matters. On the other hand, traditional financial institutions clearly have those qualities, but often lack the agility and capacity for innovation. Traditional financial institutions are trying to embrace cloud computing to remove some of the drag, and some have even launched their own (autonomous) FinTech units. Others have embarked on collaborative efforts with FinTech companies as a means to marry the core competencies of both sub-sectors. This approach may very well be the best path to innovative solutions in 2017, which are industrial-grade in terms of scalability, enterprise architecture, cybersecurity, etc. Ultimately, this will provide lower cost financial products or services and improved customer experiences, but with safety, soundness, and regulatory compliance fully baked in.
What are your cybersecurity predictions for the financial services industry? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for EMEA.