• Andreas Wuchner, Angel Investor at Venari Security


• 08.06.2023 08:30 am
#cybersecurity

The opportunity for large financial reward, and the chance to cause severe business and social disruption are the stimulus for a sizable proportion of current cyber-attacks. This makes banks, and other financial institutions, prime targets for would-be cyber criminals. In fact, banking and finance is the most attacked industry between 2015 and 2020, according to a recent IBM report. This has only been surpassed in recent years by critical infrastructure attacks. If successful, aggressors could access a treasure trove of sensitive personal and financial data, and perhaps access to money itself. Any suspension in withdrawals or deposits causes a degree of social disruption and panic, and can lead to significant reputational damage.

Banking is heavily regulated, and the regular emergence of new technologies mean that institutions are constantly forced to grapple with new regulations– which has produced technology estates that are hugely complicated and disparate. This provides attackers with a huge number of entry points, and attack vectors, and makes the cybersecurity efforts of banks crucially important. Even the smallest breach across a network can have devastating financial and data security implications, and lead to systems being overrun. As such, security teams need to look beyond their regulatory tick-box commitments and look to implement the highest-grade security that they can, across their entire network – including strong encryption standards.

Reacting quickly to cyber-threats, across a vast and complex technology estate, requires speed and flexibility – to identify and resolve issues, and update security protocols. However, the sheer volume of legacy infrastructure within the banking industry adds an additional complication, and slows this process down, leaving many security teams in a difficult predicament.

The cybersecurity risk of legacy infrastructure

Much of the banking industry still functions on systems developed as long as 40 years ago, including many of the core banking systems like payments, loans, mortgages and associated technologies. These are typically coded using COBOL (Common Business-Orientated Language), a near defunct programming language that has been around for longer than the internet itself. COBOL remains the ‘backbone of banking services in Europe and the UK, while as much as 43% of banking systems are built using the code in the US. This means that it underpins much of our financial systems, and our economic stability.

While the code has been regularly updated throughout the years, this still represents a significant security risk. When the systems were built, attacks were less well-financed, and were less sophisticated in nature. The burden of holding and protecting the today’s vast quantities of data was also less pronounced. Governments have long warned about the cybersecurity threats presented by legacy systems built on COBOL, and their incompatibility with today’s highest-grade security practices and tools, including multi-factor authentication. Recent data from Kaspersky confirms these fears, reporting that businesses with outdated technology are much more likely to have suffered a data breach (65%) than those who keep their technology updated (29%).

There are also a diminishing number of security professionals training in maintaining COBOL systems, presenting further security issues in the short-term future. Yearly, a host of experienced professionals exit the industry - with new industry joiners lacking experience and interest in outdated programming languages. This makes servicing legacy infrastructure extremely expensive and time-consuming.

Finally, legacy infrastructure is also stifling the introduction and application of encryption, presenting very distinct regulatory and security risks. Encryption is heralded by some as a solution for data privacy concerns and has been an area of heavy focus from regulatory bodies in recent years. However, banks remain guilty of poor deployment, maintenance and management of encryption; using outdated protocols and inefficient methods of analysing and understanding network traffic. When coupled with legacy core banking systems, incompatible with modern encryption techniques, security teams are presented with a regulatory and security nightmare.

Changing mindset  

If banks want to prevent breaches and ensure data protection long-term, a concentrated re-think of cybersecurity strategy is needed to understand and react to the continued stronghold of legacy systems on the banking sector, and the variety of cybersecurity threats that they could pose.

Banks have often taken an ‘outside-in’ view – using their capacity, finances and knowledge to deal with threats that are, known and well-publicised. In order to support long-term security, banks should look to implement an ‘inside-out’ proactive approach instead, whereby security teams have a detailed overview of their own internal systems and understand where the key vulnerabilities are found.

An understanding of the data that is particularly at risk, and the impact that legacy systems are having on the overall security environment, will enable banks to address flaws, update these systems and build a stronger overall security posture.

The secure path ahead

Social, economic and regulatory change will come as no surprise to high-street banks – some of whom have operated for hundreds of years. However, technology adoption and rapid advancement does continue to present unique challenges. ‘Traditional’ banks have built up their complex technology infrastructures through decades of small adjustments, in order to meet new legislation and adopt critical technologies. While this has traditionally proved serviceable, the volume of innovation from new fintech start-ups are testing the long-term viability of these systems at an unprecedented rate.

Challenger banks have the distinct advantage of being built from the ground-up, which means they’ll have built their systems specifically to prioritise modern security processes, and convenient digital services. As the customer base of these banks increase, they expect traditional banks to match these features – adding even more complexity for legacy infrastructures to contend with. Traditional firms simply aren’t positioned to support these rising expectations, as outlined by Deloitte, exposing them to further risk. 

Banks spend as much as 80% of their yearly IT budgets on the maintenance of legacy systems. While an immediate switch away from these systems would be unrealistic, an opportunity does exist to reduce wasted spend and allocate some of these funds towards modernisation efforts. However, while traditional banks may want to implement technological advancements quickly, they need to do so while continuing to minimise cyber risk and without jeopardising the security of their data or systems. This means ensuring cybersecurity is at the heart of any modernisation efforts and maintaining a steady rate of change. As more of the technology estate begins to be modernised, the potential risks of regulatory non-compliance will also reduce.

Legacy systems need a considered update

For too long, banking systems have relied on legacy infrastructure, resulting in difficulties maintaining the highest-grade cybersecurity and in facilitating innovation. Novel cybersecurity attack vectors, and competition from new and emerging digital services offered by challenger banks, present new risks and are exacerbating issues. As such, legacy systems need a programme of managed modernisation in the long-term, facilitated in part by a redistribution of existing IT spend. However, to ensure long-term security overall, cybersecurity needs to be central to be at the very heart of modernisation efforts.