Protecting Sensitive Data

Protecting financial institutions and customers from critical cyberattacks

  • By Thorsten Stremlau
  • May 30, 2023

Digital banking has become commonplace across the world, with the number of people using these services projected to reach 3.6 billion by 2024. Ensuring the protection of systems and sensitive data can be a complex task for banks and other organizations to manage, as they are unable to directly implement security measures onto a customer’s personal device. Instead, they must rely on the general cybersecurity ecosystem, and the institutions establishing trusted computing within it.

The Digitization of Banking
The COVID-19 crisis has had a lasting effect on consumer banking behavior. With the temporary closure of around 8,500 branches in the UK alone, the pandemic compelled banks and their customers to use digital tools and processes instead of traditional banking services.

The rapid digital transformation of these services proved to be the most pertinent banking trend of 2022 and fueled a massive increase in the number of connected devices and suppliers linking to customer’s bank accounts.

With the growth of this digital supply chain comes an increased number of significant threats. These can prove ruinous to organizations if the key cybersecurity elements involved within the ecosystem are not held to well-established, internationally recognized standards of trust.

In June 2022, it was reported that one of the largest financial institutions in the United States, Flagstar Bank, suffered a major data breach which resulted in almost 1.5 million customers having their sensitive information leaked. This included their social security numbers, banking information and personal details, such as their names, addresses, and birthdays.

To avoid similar incidents, such as the 2013 attack against Target, financial institutions and organizations in other industries. They must be able to rely on the readily available standards and specifications designed to protect personal devices, and by extension, the banking applications found on them.

Threats to the Supply Chain
Often organizations are good at protecting “the front door,” with systems and protocols in place to protect their own servers against direct attacks. However, these become effectively useless if customer devices that link to financial services are not up to the same standards. Threats against personal devices are just as dangerous to financial institutions as they are to the user, as a successful exploit can quickly enable attackers to gain access to banking networks through the applications found on a device.

Attackers no longer hack devices simply as a hobby. Malicious organizations now exploit vulnerabilities as a service, and they will often target supply chains with malware and ransomware attacks with the aim of stealing valuable data. Devices can be breached through a compromised third-party vendor anywhere in a network, with malicious parties using the organization to circumvent security controls and create avenues to sensitive resources.

This is made possible by entities within the chain who simply do not take cybersecurity as seriously as others. To successfully mitigate any vulnerabilities, each phase of a product’s lifecycle – whether design, manufacturing, transport, utilization, or decommission – need assessing to uncover any significant risks.

Unfortunately, this is not easily achieved, with no single entity having complete control of a supply chain. Organizations must work together to ensure that security standards for the industry are correctly defined, implemented, and adhere to up-to-date security guidance measures.

Third-party risk assessments on a regular basis – especially when there are changes to a bank’s digital infrastructure – can ensure the cybersecurity measures of any vendor are aligned with those leveraged by financial institutions.

The Necessity for Up-to-date Specifications
Organizations like the Trusted Computing Group (TCG) are dedicated to developing standards and specifications that make cyber resilience accessible to the average user and provide assurance to organizations that their systems are protected, whether in finance or any other industry. The ongoing work developed by standards organizations helps create strong frameworks by which devices within a supply chain must demonstrate compliance to, which offers additional protection against cyber threats.

The Cyber Resilient Technology (CyRes) specification developed by the TCG, entitled Cyber Resilient Module and Building Block Requirements is an example of a crucial standard making a difference within the technology ecosystem. This specification was created to ensure the implementation of cyber resilient architecture in the first stages of a product’s design process, rather than it being considered an afterthought.

The goal is to sufficiently equip all devices with the necessary components to protect, detect, and attest – bolstering the security of the supply chain.

This, paired with a hardware Root of Trust (RoT) like the Trusted Computing Module (TPM), makes cyber resiliency accessible to the average user and provides assurance to financial organizations that their systems are protected.

Securing the Ecosystem
The financial sector remains a major target for malicious cyber-attacks, facing the second-largest number of known security breaches in 2022. Banks differ from many other large organizations in that they must heavily rely on the security of their customers’ devices.

They must trust that the overall security ecosystem is secure enough to prevent or mitigate any damage caused by cyber-attacks. Stringent security measures and software must be made readily available and common within devices to ensure banks and other organizations are adequately covered against threats. The standards and specifications from bodies such as TCG are necessary to protect against malicious activity, and establish trusted computing not only for individual devices, but for the supply chain as well.

This article originally appeared in the May / June 2023 issue of Security Today.

Featured

  • Evolving Cybersecurity Strategies: Uniting Human Risk Management and Security Awareness Training

    Organizations are increasingly turning their attention to human-focused security approaches, as two out of three (68%) cybersecurity incidents involve people. Threat actors are shifting from targeting networks and systems to hacking humans via social engineering methods, living off human errors as their most prevalent attack vector. Whether manipulated or not, human cyber behavior is leveraged to gain backdoor access into systems. This mainly results from a lack of employee training and awareness about evolving attack techniques employed by malign actors. Read Now

  • Report: 1 in 3 Easily Exploitable Vulnerabilities Found on Cloud Assets

    CyCognito recently released new research highlighting critical security vulnerabilities across cloud-hosted assets, revealing that one in three easily exploitable vulnerabilities or misconfigurations are found on cloud assets. As organizations increasingly shift to multi-cloud strategies, the findings underscore significant security gaps that could provide attackers with potential footholds into networks. Read Now

  • Built for Today, Ready for Tomorrow

    Selecting the right VMS is critical for any organization that depends on video surveillance to ensure safety, security and operational efficiency. While many organizations focus on immediate needs such as budget and deployment size, let us review some of the long-term considerations that can significantly impact a VMS's utility and flexibility. Read Now

  • Paving the Way to Smart Buildings

    In today's rapidly evolving security landscape, the convergence of on-prem, edge and cloud technologies are critical. The physical security landscape is undergoing a profound transformation, driven by the rapid digitalization of buildings and the evolving needs of modern organizations. As the buildings sector pivots towards smart, AI and data-driven operations, the integration of both edge and cloud technology has become crucial. Read Now

  • The Cybersecurity Time Bomb

    If you work in physical security, you have probably seen it: a camera, access control system, or intrusion detection device installed years ago, humming along without a single update. It is a common scenario that security professionals have come to accept as "normal." But here is the reality: this mindset is actively putting organizations at risk. Read Now

Most   Popular

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.