Banks will lean further on tech to tackle 2022 security challenges
By George Lee
Covid-19 has driven large-scale growth in online banking, dramatically increasing the volume of sensitive customer data that’s available to steal.
As the pandemic spills over into 2022, the attractiveness of the financial services sector as a honeypot for cybercriminals will continue to grow, and the security and business challenges for banks will continue to mount.
Imperva Research Labs found that between January and May 2021, web application attacks on the financial services sector increased 38% year-over-year.
Upping digital experiences comes with its risks
One cause of cybercriminals’ increasing success with financial services sector attacks is the institutions’ fast-growing use of applications to improve customer experience.
With Covid-19 deterring customers from visiting physical branches, banks will continue to invest efforts in digitising customer service, making online experiences feel more personal and engaging.
But while online banking applications, mobile transactions and omni-channel services heighten customer experience, they also expand the attack surface, giving cyber criminals fresh avenues to steal data and gain rogue access to financial accounts. Financial services firms hence need to step up data protection with each digitisation move.
Almost every bank in Asia is modernising its customer-facing apps, and driving the adoption of such apps among its client base. Banks are rolling out new apps and features at a furious pace, accelerating the development process by using libraries from open source code.
These apps, built with open source code, are vulnerable to cyber criminals. As much as 97% of enterprise codebases are open source, with an average of 203 dependencies. An estimated 90% of security incidents begin with exploits against defects and vulnerabilities in the design or code of software.
In 2022, financial services firms should strive to boost the security of their apps by implementing a positive security model around their application development lifecycles. This includes using runtime protection to lock down software so it can’t do things it’s not expected to do, and enabling developers to ship applications that are as secure as possible when released.
Modern application development has also meant the proliferation of application programming interfaces (APIs). While they are a powerful tool, APIs expose financial services organizations to risk in complex ways because they are often connected directly to the data layer.
Financial institutions need to identify all APIs within the enterprise, and have visibility into the traffic accessing those APIs. They should also leverage automation and machine learning to assess API behaviours, evaluate against risk-based policies, and determine appropriate actions for mitigating the threats.
Cloud migration could mean more security failures
Cloud migration will be another reason for data breaches to rise among financial institutions. A recent Google Cloud survey finds that as much as 83% of financial services companies have deployed cloud technology as part of their primary computing infrastructures.
Besides money, one thing banks have a lot of is data, some accumulated over decades. Not much has been done with this information historically, but with data analytics and AI technology being so accessible today, financial institutions have pulled out all the stops in deciphering customer data for business benefit.
Combine this massive amount of data being manipulated across operations with banks’ aggressive move to the cloud and the tendency to treat data security as an afterthought, and data breaches are likely to climb.
According to Gartner, through 2025, 99% of cloud security failures will be the fault of the company using the cloud service.
Financial institutions need to stop putting the entire onus of data security on their service providers, and have a holistic data security strategy where the focus is on securing the data itself, not just the endpoints connected to the database. They must also have the capability to detect and react to dangerous user activity that puts their business at risk, wherever the data lives. We expect more financial sector players in APAC to look into these areas in 2022.
Compliance a growing cost and complexity challenge
A particular business challenge faced by Asian banks is rising compliance requirements, as the region tries to catch up with North America and Europe in data and user privacy laws. Financial institutions now have to contend with meeting a growing number of regulatory requirements, including Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI-DSS), the EU General Data Protection Regulation (GDPR), and of course, the Monetary Authority of Singapore Technology Risk Management (MAS-TRM).
Even if data is not stolen, regulatory non-compliance can result in steep penalties for both financial institutions and their executives.
These data protection and privacy mandates protect the integrity of financial records and reduce fraud, but they also inflate compliance costs.
Going into 2022, we expect financial services firms to automate more of their compliance processes to manage costs. This benefits both the institutions themselves and their customers, as adherence to stricter regulatory requirements typically correlates with greater cybersecurity.
As the world recovers from Covid-19, financial services firms will see new business opportunities. Properly securing their operations will ensure they can maximise such opportunities.