It’s no secret the financial services sector is one of the most mature of all the critical infrastructure industries — both in terms of cyber security strategy and investment. Yet the industry is more vulnerable than ever and needs stronger identity security strategies — and fast.
In fact, no matter their maturity, there are hidden challenges and risks everywhere. From the difficulties associated with navigating complex networks and systems to the complexity of securing both human and non-human digital identities, the risk is high, and there is constant pressure to ensure resilience against increasingly sophisticated cyber criminals causing persistent digital identity-related breaches, often through third parties.
The financial services industry deals with large amounts of sensitive data and personally identifiable information, making it a prime target for attackers. According to the OAIC’s latest Notifiable Data Breach Report, the financial services industry is the second-most breached sector (recording 68 breaches), after the health sector, the top target (with 71 breaches). Drilling down into the OAIC report, a third of all cyber incidents derive from stolen or compromised credentials falling into the wrong hands.
While a growing number of financial firms are prioritising identity security, attacks remain dangerously commonplace, with 93 per cent of respondents reporting they’ve experienced a breach within the past two years — the most common impact of which was widespread ransomware/malware infection (41 per cent), according to SailPoint’s recently released State of Identity Security 2023 report.
Certainly, these sobering findings speak volumes — and, in turn, have a role to play in contributing to the national narrative that tells a story of widespread security vulnerabilities negatively affecting the financial services industry.
Data breaches in financial services are so debilitating, and the increased sophistication of the attacks launched is so damaging, that the federal government has already taken action. Given the sector’s importance to the functioning of the economy, the government has jumped into the ring, launching a government-led cyber “war games” initiative that involves a series of exercises to determine how the industry would respond to a debilitating cyber attack.
In today’s uncertain economic climate, the impact of a data breach on financial institutions is greater than in other sectors. This is primarily due to the consumer sentiment that follows such incidents. A notable example is the collapse of SVB and the Republic Bank, where customers rapidly withdrew their funds. This mass withdrawal was largely influenced by the ripple effects of rising interest rates.
Considering the sensitivity of consumers in this context, any perceived risk or vulnerability to cyber attacks can have severe consequences for a financial organisation. It can damage the organisation’s reputation, brand, revenues, and the trust it has established with its customers. Thus, the potential fallout from a data breach in the financial sector is significant and requires careful attention.
Financial services in the crosshair
Financial firms have become more enticing for cyber criminals with the mass shift to digitisation, and there is more to be done to manage access to sensitive data and improve financial services’ breach detection as identity-related security breaches are inevitable. The fact that over half (56 per cent) of the surveyed financial services firms have fully implemented an identity security solution is a step in the right direction, but it’s clear that there is still room for improvement.
It’s vital that financial institutions work towards risk reduction. IT and security teams need to have the right processes and support to ensure this is successful. While identity security is “very high” on the agenda within financial services, there are many hurdles to jump: 91 per cent of respondents have experienced challenges, most notably flexibility in integration (38 per cent), high configurability (35 per cent), or being too complicated to implement (32 per cent).
These numbers aren’t surprising given the many different applications within the finance environment, both internally and externally facing. And there’s lots to contend with. Tightening regulations by the Australian Prudential Regulation Authority (APRA), the sector’s regulator, are also contributing to the cost pressures faced by financial services organisations. Compliance with these regulations necessitates investments in people, technology, and processes. The high costs are driven by the need to protect customer data, meet regulatory standards, and maintain trust with customers.
In addition to security, operational and compliance challenges, legacy systems are still a massive stumbling block. A number of the biggest financial institutions still operate on legacy technology and rely on manual processes to track data access and user identities, opening doors to inaccuracies.
Steps to secure the financial fort
Indeed, these challenges and grim numbers paint a clear picture — strong identity security is a necessity.
Today, banking and other financial transactions are no longer contained within the four walls of a building. Third-party partners, mobile functionality, blockchain integration, and the emergence of banking-as-a-service (BaaS) have led to increased risk, as well as cyber threats, and a critical need to close the gaps in cyber security controls. Implementing a strong identity security solution has never been more important, as it greatly reduces the potential damage an attack can incur.
There are essential steps that banks and financial service firms can take to protect their sensitive data and shore up defences on the identity security front:
Ultimately, a strong identity security posture is critical for the financial services sector to not only safeguard sensitive data and prevent cyber threats but also to protect its reputation.
Nam Lam is country manager, ANZ, at SailPoint.