Bank security technology teams have grown more worried about the threat of data leakage as they respond to increasingly sophisticated cyberattacks against their remote employees, and they’re stepping up their responses to these threats.
In a recent survey conducted by the CyberRisk Alliance, more than a third of the 1,100 cybersecurity and IT professional respondents said “attack through remote worker connections” was the cyber threat they were most concerned about for the next 12 months. This was preceded only by data leakage (49%) and ransomware (39%).
More than half (53%) of the respondents said they experienced at least five IT security incidents in 2021. Hackers broke in most often through Wi-Fi access points, employee-owned remote endpoints and cloud infrastructure. Respondents also said their top challenge in protecting their networks against attacks is monitoring remote worker access. Their second and third biggest challenges are lack of budget and shortage of IT security skills.
The survey also found that, to address each of those vulnerabilities, firms are increasingly using Secure Access Service Edge (SASE) products and zero trust frameworks. More than half (54%) of the survey respondents have already partially or fully implemented SASE and another 28% plan to do so.
SASE, a term first coined by Gartner analyst Andrew Lerner in December 2019, is both a cloud-based take on securing network traffic of remote employees and a package of network security functions. It combines the capabilities of virtual private networks (VPNs) and software-defined wide area networks (SD-WANs).
Unlike a VPN, SASE does not tunnel traffic through corporate servers isolated from the rest of the internet. Rather, as the name suggests, SASE operates primarily at the network edge, closer to remote employees who are not all working near a corporate data center.
According to Avishai Avivi, chief information security officer of cyberattack exercises firm SafeBreach, the weakness of enterprise VPNs is that they focus all internal employee traffic into a handful of company data centers.
“This is highly inefficient, can exhaust constrained resources, and lead to connectivity issues,” Avivi said. “The correct method to address this is to split the traffic at the endpoint. This does also mean that to secure this traffic properly, the security controls need to shift to the endpoint,” hence the need for SASE.
SD-WANs set and enforce the rules of internet connectivity on firm servers and employee endpoints by, for example, encrypting traffic to certain destinations and blocking traffic to others.
One benefit of shifting the focus of identity and security from data centers to network edges is scalability — a key benefit of cloud tech in general — according to SASE vendors, which include Palo Alto Networks, Cloudflare, Cisco, and Fortinet.
Scalability is one reason why interest in SASE offerings boomed at the start of the pandemic and why that interest continues as some companies now scale back remote work to hybrid or in-person work, according to Bill Brenner, vice president of custom content for CyberRisk Alliance.
“Go back to March 2020. Everybody’s locking down, everybody is sending everybody home, and a lot of companies are moving faster than they had intended to put a lot of what they do in the cloud,” Brenner said. “The interest in SASE was piqued because, when used properly, it can help enable remote workers to do these things securely.”
In terms of information security for financial institutions, “the biggest change of all in the pandemic has been the way remote work has mushroomed,” Brenner said. Financial services has been one of the best sectors in terms of handling these new security challenges of remote work, he said, by virtue of years of experience complying with information security-focused regulations.
The shift of focus toward SASE has come with a broader movement toward a zero trust framework for security, according to Brenner. “When I talk to people about SASE, zero trust often comes up in the same breath,” he said.
Zero trust is a security mindset rather than a product — an approach that demands authentication and identification every step of the way in a work environment. It is an “identity-centric” architecture for internal and customer-facing operations, according to Michael Sentonas, chief technology officer at cybersecurity company CrowdStrike.
“The key to holistic zero trust architecture is requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data,” Sentonas said.
Like SASE, zero trust suddenly gained a great deal of traction with the dispersal of workers to remote settings in March 2020 because the network perimeter — the safe zone in an office building from which employees could connect to the internet in a secure and monitored way — suddenly vanished.
As employees began trying to connect to on-premises and cloud-based systems, financial institutions faced the challenge of authenticating many more of those connections, ensuring they were not hijacked, and monitoring them for uncharacteristic behavior.
Zero trust is about harmonizing legacy processes and systems that have been “wedged together” over the years, according to Nick Puetz, a managing director for consulting firm Protiviti’s security practice. He described implementing zero trust in these legacy environments as “undoing balls of yarn” and re-bundling them to create a more secure framework.
Undoing those balls of yarn will require money and focus. Indeed, companies across sectors — and financial institutions in particular — are planning for greater spending on cybersecurity over the coming months and years. CyberRisk Alliance’s survey found that 78% of U.S. firms expect their cyber budgets to increase in the coming year.
But simply buying and implementing products will not suffice, according to Paul Innella, CEO of cybersecurity firm Tetrad Digital Integrity. “How many zero trust tools you have deployed on your network is irrelevant if your users only have 30% enrollment in multi-factor authentication,” Innella said. Rather, cyber must be a priority inside boardrooms.
“Cyber is as critical and interrelated to the success of an organization as any other resource or component,” Innella said. “Cyber must then be elevated to the highest level of an organization so its impact is known, understood, measured and visually reported and managed.”