How ‘Zero-Trust’ Ensures Total Trust in Financial Services
- Stefan Auerbach, CEO at Utimaco.
- 14.12.2023 12:45 pm #cybersecurity #fintech
Not enough is being done to foster trust in the digital security of financial institutions (FIs), according to our latest annual report examining consumer perceptions of digital safety across the public and private sectors globally. Although cybersecurity spending in the financial services industry has already reached $600 million annually – a figure that is increasing each year – only 13% of people worldwide trust their providers. Worryingly, the research found that 5% of people don’t trust FIs at all and a further 8% said they rarely trust them. The majority of respondents, which included residents of countries as varied as the United States, Mexico, Germany, and the UK, said they only have ‘some’ trust in their FIs’ digital security.
As a result of this wariness, our survey found that cash remains the most popular type of payment worldwide. More than a third (36%) of respondents perceived cash to be the most secure payment method, compared with just 12% of respondents for credit and debit cards. While it’s important to offer customers choice when it comes to managing their finances, this preference for cash driven by low levels of trust can significantly hinder an FI’s bottom line: the small processing fees earned by FIs on individual card transactions often add up to a large portion of their revenue.
Businesses aiming to expand their offerings into new areas may also find these concerns about digital security problematic. For example, cryptocurrency came bottom both for perceived safety as a type of payment (only 2% of respondents worldwide cited it as safe) and as people’s preferred form of payment. For FIs, this effectively means that an entire form of payment with several potential commercial benefits may never achieve mass adoption, and the reason for this seems to be a lack of trust.
Building trust with ‘zero-trust’
Interestingly, the solution to this lack of trust in financial services may lie in a security model known as ‘zero-trust.’ Many security models work like a medieval fortress which can be breached through a single gate - for example, a password or even a biometric ID system. This means that intruders would have access to everything within the fortress, provided they can break through this single point of access. Zero-trust, on the other hand, operates as a more modern form of defense: everyone has a lanyard, biometric profile, or passcode that permits them to access only what they need, and they must verify their identity every time they open a door.
For obvious reasons, banks frequently find themselves the target of attempted cyber-attacks. For example, Flagstar Bank was hit by a serious attack in 2021 that led to the loss of social security numbers of its members. The modern threat environment is diverse and ever-evolving and is rendering previously adequate security models obsolete. The high rate of malware attacks on FIs means, without action, the sector could lose a staggering $700 million to cybercrime over the next five years.
The concept of zero trust fundamentally uses robust access controls and continuous authentication mechanisms to ensure that only authorized entities gain entry to sensitive systems and data. This entails meticulous user identity verification through multifactor authentication (MFA) and the least privilege principle, which restricts user access to only the resources required to fulfill their tasks.
The segmentation strategy of zero-trust divides the network into distinct zones which are isolated and fortified to prevent specific threats. Network micro-segmentation leverages firewalls, intrusion detection systems, and encryption to bolster these barriers.
What’s more, zero-trust is crucial for mitigating data breaches, safeguarding customer financial information, and upholding regulatory compliance standards such as PCI DSS and GDPR. As digital channels and remote work arrangements become more prevalent in financial services, zero-trust's holistic and adaptive cybersecurity approach will cement the industry's resilience against threats as they emerge.
Despite its benefits, implementing a zero-trust model can be a daunting task. With so many FIs - particularly banks - still using legacy systems, added security checks are not necessarily user-friendly and create a greater possibility for error. Moreover, it must be determined how much of an FI’s network is hosted by the company itself and how much is located within ‘the cloud’. While it might be possible for an FI to create a rock-solid zero-trust environment, the companies it works with might not have made the same investments in security.
How to create a zero-trust environment
There are several steps required to create a zero-trust environment:
1. Definition of perimeter: The complexity of modern FIs has increased due to significant M&A activity and the advent of cloud computing, so it’s important to begin by establishing what is and isn’t within the remit of the company’s zero-trust policy.
2. Micro-segmentation: Separating digital operations into segments means that if there is a cybersecurity incident, such as a ransomware attack that encrypts a company’s confidential data, its damage can only spread so far.
3. Device monitoring: Nowadays, devices are constantly connected and disconnected from the network and comprise dozens, if not hundreds, of third-party components. This means that every device needs to be continually monitored, even after it has passed initial security checks.
4. Data inventory: Data needs to be categorized by its importance and given appropriate levels of protection, while still making it available to those who need it. Strong governance protocols ensure every new piece of data can be classified on an ongoing basis.
5. Security controls: Finally, methods of verification that are appropriate for each ‘checkpoint’ must be implemented. It needs to be decided where to use multi-factor authentication, which types of encryption to use for what data, and how to adapt to future threats like quantum computing.
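The five steps above can be read as inputs to a single per-request access decision. The following policy decision point is an added illustration, not code from the article or from Utimaco: the resource names, classification tiers, role grants, segment labels and the five-minute device re-attestation window are all constructed assumptions. It evaluates every request afresh (the “verify at every door” model), checking perimeter, segment, device posture, least privilege and the assurance level required by the data’s classification, in that order.

```python
import time
from dataclasses import dataclass

# Step 4 (data inventory): constructed classification tiers, higher = more sensitive.
CLASSIFICATION = {"marketing-site": 0, "ledger-api": 2, "kyc-records": 3}
# Step 1 (perimeter): only resources explicitly inventoried are governed by the policy.
PERIMETER = set(CLASSIFICATION)
# Step 2 (micro-segmentation): each resource lives in one segment; a session is bound to one.
SEGMENT = {"marketing-site": "dmz", "ledger-api": "core", "kyc-records": "core"}
# Step 5 (security controls): minimum assurance per tier.
# 0 = password only, 1 = MFA, 2 = MFA on a managed (monitored) device.
MIN_ASSURANCE = {0: 0, 1: 1, 2: 1, 3: 2}
# Step 3 (device monitoring): posture evidence older than this is treated as unknown.
MAX_DEVICE_CHECK_AGE = 300  # seconds, assumed value
# Least privilege: constructed role-to-resource grants.
ROLE_GRANTS = {
    "teller": {"ledger-api"},
    "compliance": {"kyc-records", "ledger-api"},
    "marketing": {"marketing-site"},
}

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset          # roles held by the user's verified identity
    resource: str             # resource being opened ("the door")
    mfa: bool                 # MFA completed for this session
    managed_device: bool      # device enrolled and reporting posture
    device_checked_at: float  # epoch seconds of the last posture check
    session_segment: str      # segment the session was established in

def decide(req: Request, now: float = None) -> str:
    """Return 'allow' or a 'deny: <reason>' string for one request."""
    now = time.time() if now is None else now
    if req.resource not in PERIMETER:
        return "deny: resource outside zero-trust perimeter"
    if req.session_segment != SEGMENT[req.resource]:
        return "deny: cross-segment access"
    if now - req.device_checked_at > MAX_DEVICE_CHECK_AGE:
        return "deny: device posture stale, re-attest"
    allowed = set().union(*(ROLE_GRANTS.get(r, set()) for r in req.roles))
    if req.resource not in allowed:
        return "deny: not required by role (least privilege)"
    assurance = (1 if req.mfa else 0) + (1 if req.mfa and req.managed_device else 0)
    needed = MIN_ASSURANCE[CLASSIFICATION[req.resource]]
    if assurance < needed:
        return f"deny: assurance {assurance} below required {needed}, step up"
    return "allow"
```

Because the decision is recomputed on every request, a device whose posture check lapses mid-session loses access without any change to the user’s credentials, which is the property the article’s “lanyard at every door” analogy describes.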
Hardware and software systems that can encrypt data and manage digital keys are the foundation for a zero-trust environment. Each user and device will only be allowed to access the parts of the system that they are supposed to.
Though not necessarily a simple exercise, in the face of persistent and changing threats FIs must be able to demonstrate their commitment to digital security to rightfully earn the trust of their loyal customers, and protect the future of the industry.