To those who understand the importance of cybersecurity, and the monumental risks that growing cyberthreats impose on organizations, safeguarding systems and data may be assumed to go hand in hand with digital transformation. After all, the larger a company’s online and cloud presence, the bigger the target on that company’s back for cyberattackers and bad actors.
Unfortunately, that assumption oversimplifies both the process through which organizations digitize and the process through which they address cyberthreats. In the financial services (FinServ) space, like in many industries, companies are enduring a gradual migration to the cloud, sometimes implementing layers upon layers of digital platforms and Software-as-a-Service (SaaS) solutions in the back office.
Bart McDonough, CEO and founder of cybersecurity and IT management firm Agio, likened the current landscape to the frog in slowly boiling water. As organizations progress in their digitization journeys, they gradually find themselves in hot water when it comes to their cyber risks, and many don’t notice until it’s too late.
“These companies have gone from a traditional, [on-site] infrastructure to an environment that utilizes best-of-breed services across the web, [using] lots of SaaS platforms — and what’s happening is, they don’t know where all the doors are,” he told PYMNTS in a recent interview.
The doors he referred to are the symbolic openings through which data can leak and be exposed. While the FinServ sector’s embrace of cloud technology has produced a plethora of improved products and services for end users, organizations often struggle to protect information because this SaaS shift requires an entirely new approach to security.
Traditionally, on-site systems have provided simplified, straightforward access controls. If an employee left a firm, IT would simply disconnect their devices from the company’s systems. Today, however, with systems able to be accessed from anywhere, companies struggle to manage who gets access to which systems, when and how much.
The Biggest Risks
A financial institution’s (FI’s) digitization efforts can yield a range of cyberthreats for a firm. As McDonough noted, failure to deploy proper access control not only exposes sensitive company data to outside bad actors. Indeed, internal data leaks can cause mayhem for a company.
He pointed to one example he saw recently of a large organization with dozens of back-office systems in place. The company’s stakeholders and executive team discovered that privileged executive communication was being shared with others within the organization. Unfortunately, because there were so many systems — and data “doors” — at play, the firm didn’t even know where to look first to block the leak.
The FinServ industry’s migration toward data integrations — through both Open Banking initiatives for end users and internal adoption of back-office SaaS platforms — is another trend that can expose company data from the inside out. With more data connections in place, it can be harder for leadership to identify that a problem even exists.
Shadow IT is a prime example of this point of friction, noted McDonough. Not only does the deployment of non-approved digital systems add to the number of data doors a bad actor may open, but, with data protection regulations like GDPR, companies may find themselves non-compliant if and when they finally discover an employee has downloaded some type of software.
“We do a lot of data mapping that exposes a lot of shadow IT,” he said. “It truly is one of the biggest existential threats to financial services — and any business, really.”
Internal controls and employee education are essential to mitigating this risk, and boosting oversight.
“Sometimes, this is best done in the accounts payable department,” McDonough added, “because, ultimately, you’re not buying these services if you’re not paying for it.”
Finally, he said, ransomware is another massive threat that continues to grow, particularly as attackers adjust their tactics from single, large targets to many smaller hauls. In other words, these ransomware fraudsters are pickpocketing instead of trying to rob a bank, he explained, as “picking 1,000 pockets is more cost-effective than breaking into one bank.”
Taking Action
Since the cyberthreat of back-office digitization can sneak up on FIs, regulators and cybersecurity experts are pressing those in the industry to take proactive measures to protect themselves. However, cyberthreats continue to climb, and it seems no one is listening.
According to McDonough, there is a dangerous disconnect occurring in the market today. While education and awareness are increasing, stagnation remains prevalent. As a seminar speaker, he will often give lectures and lessons on how individuals can protect themselves online, though, ultimately, he said he’s not providing any new information to listeners.
The problem is that individuals and companies alike continually fail to act on that knowledge.
“Many people I talk to know they need to have a data map; they need these controls, they know all of these things. I’m not telling them things they haven’t heard before, but they don’t take the action,” he said. “There is a cognitive dissonance that goes on. People are not changing their behaviors. They’re reusing the same passwords. They’re not updating their devices.”
Unfortunately, it’s not until an institution has actually experienced a significant cyberattack or data breach that it finally takes the required measures of protection — even though, by then, it’s too late.