Today’s financial institutions face evolving threats on a global scale. Online attackers without expertise (known as ‘script kiddies’) have had access to as-a-service malware for quite some time. AI is being weaponized for social engineering attacks at unprecedented speeds. And along with the potential of monetary rewards, today’s thefts also involve taking something that’s often even more profitable: Data.
Let's explore some of the data points relevant to these attacks, and what can be done to mitigate them. As we should all know by now, no one is truly immune to breaches, theft and other nasty fallout from people with malicious intent. However, there are still ways to thwart their efforts and make the lives of these people much more difficult.
Why financial institutions are targets for attack
Aside from the option of stuffing your underground bunker full of gold bars, the public sees banks as the most trustworthy entity to look after their money, and sometimes their data. A Forrester survey found 64% of US consumers trust them to keep their personal information and data secure, and they are willing to share more personal and financial data with a financial services company in exchange for some form of benefit.
Meanwhile, the value of data within financial institutions is also reflected in a Gartner survey, which found CRM technologies to be the most valued technology among finance leaders. These systems rely on information that’s often built up over many years of customer relationships and transactions. For example, “73% of European bank clients have had their primary current account at the same institution for five or more years.”
Consumers expect financial services to be available on-demand. Between 2020–2023, there was an 18% rise in global consumers using mobile devices for their banking needs. For financial institutions, this shift in behavior represents another attack vector to guard against. For example, SIM swapping, which enables hackers to intercept One-Time Passwords for app logins, led to losses approaching $50 million in 2023, according to the FBI.
There’s also the question of the legacy systems that still power many of today’s traditional financial institutions. It’s a safe bet that more than a few large banks rely on archaic mainframe systems in various nooks of their tech stack, the vacuum tube systems humming along just as they’ve done since the ’50s. I say this mostly tongue in cheek, but the truth is not far from the picture I’ve painted here. To overcome these constraints, many have opted for hybrid environments that can widen attack surfaces between cloud and on-premises systems, potentially leaving data vulnerable when in transit. An example is the Finastra breach, with the attacker reportedly compromising “an internal file-transfer application used by some of its customers.” A figure of 400GB stolen was reported, affecting users across Europe and the US.
Though with cyberattacks on financial institutions, the quality of data is often more valuable than the quantity.
What types of data are held, and why they’re targeted
Unlike other less regulated industries, financial institutions are subject to stringent regulations, including Know Your Customer (KYC) and Anti-Money Laundering (AML). On a consumer level, that means fulfilling Bank Secrecy Act (BSA) requirements for onboarding new customers, which includes gathering ID scans, income data, date of birth and other Personally Identifiable Information (PII).
Other data sources come from corporate customers and the associated due diligence processes. For example, logging, evaluating and triangulating sources of funds for transactions, information on controlling entities, and details on directors and other high net worth individuals.
This is, in other words, the basic information that gives malicious actors a platform from which to launch identity-based attacks. From their perspective, that’s another advantage of this type of financial institution data.
Use cases and challenges that create vulnerabilities for financial institutions
The Bank Secrecy Act (BSA) advises banks to “conduct ongoing monitoring” to “maintain and update customer information.” Naturally, the high likelihood of data being up to date makes it even more valuable in the wrong hands.
Any time there’s an attack on a high-profile financial institution, other costs should be factored in, too. Alongside unplanned downtime and disaster recovery, there are the effects on brand reputation and customer loyalty. A survey of US consumers found two-thirds (66%) would not trust a company that falls victim to a data breach with their data. Ironically, over the past 10-15 years almost every company in every business vertical has had or has been associated with some sort of data breach. My daughter wasn’t even one year old when I got a notification from the hospital where she was born that her name, DOB, and SSN were leaked from hospital records! Infants can’t make it to adulthood without having their information stolen, so who CAN we trust with our data?
For financial institutions in particular, regulatory fines can also affect the balance sheet. US regulators fined Citi $136 million for data risk management and internal control failures. Within EMEA, there’s the EU’s GDPR and its fines of up to 4% of annual turnover or €20 million, whichever is higher. The risk of such financial fallout underscores the importance of having a robust cybersecurity plan.
Designing a cybersecurity plan: What financial institutions should focus on
At many financial institutions, staff can turn over by the hundreds each year, creating plenty of potential for orphaned accounts. Staff may leave, but, due to resource constraints, their access may not be automatically deprovisioned, and their logins, including elevated permissions, may remain active. The resulting standing privileges and privilege sprawl offer multiple opportunities for exploitation.
That’s why protection from cyberattacks starts with a drive to centralize identity and access management (IAM). By unifying operations, attack vectors can be reduced and endpoints secured. Organizations can then shift toward a model of continuous monitoring, with dynamic controls that create a system of proactive security measures, rather than simply waiting for the bad thing to happen.
Humans aren’t the only ones who need access to resources. Entities like groups, bots, service accounts and other human and non-human identities also need fine-grained pathways to their data. As identities proliferate, it can become difficult to maintain Separation of Duties (SoD), a mandated requirement for staying compliant with regulations such as SOX, PCI DSS and ISO 27001.
By focusing on the areas below, identity can be the new security perimeter for financial institutions.
Managing directories and minimizing identity sprawl
With new customers signing on, advisors changing roles, partners providing services and an untold number of moving cogs in this giant financial machine, tackling Active Directory (AD) can be daunting. If your institution uses native AD to hold customer data, there can be inherent vulnerabilities that are almost unavoidable. The first of these is that, by default, any authenticated domain user can read most attributes of every user object. Organizations will need to unravel where the data flows to – the true source of truth where all information is held and synced from. From there, administrators must identify what resources have been provisioned, to whom, and whether that access is still required. It’s easy to get behind and lose sight of all that has been provisioned if it is not tracked closely. And you can’t protect what you don’t know exists.
The objective is to map the environment and apply user policies: Enforce a true dictatorship around your AD and the data held within. For example, you can auto-suspend users who haven’t logged in to your financial planning application for 90 days, or who haven’t accepted an invitation to sign in. Inactive resources should be assessed to decide whether they should be retained or removed. Elevated accounts should be audited to identify any unnecessary or standing privileges.
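The 90-day inactivity sweep and the audit of elevated accounts described above, written out as an added PowerShell example (this is not code from the original post or from any product it describes). It assumes the RSAT ActiveDirectory module, an account allowed to read and disable user objects, that 90 days is the institution’s chosen window, and that the group names listed are the ones the institution treats as privileged:

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and rights to read and disable user objects in the domain.
Import-Module ActiveDirectory

$InactiveDays = 90                       # assumed policy window, taken from the text above
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag of up to
# 14 days by default. That makes it fine for a 90-day sweep and useless for a 7-day one.
$Stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated, PasswordLastSet |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff) -or      # dormant account
        (-not $_.LastLogonDate -and $_.whenCreated -lt $Cutoff)       # created but never signed in
    }

# Keep an auditable record before touching anything.
$Stale | Select-Object SamAccountName, LastLogonDate, whenCreated, PasswordLastSet |
    Export-Csv -Path .\stale-users.csv -NoTypeInformation

# Suspend rather than delete: disabling is reversible and the object keeps its SID, so later
# audit trails still resolve to a named person. -WhatIf makes this a dry run; remove it only
# after the CSV has been reviewed by the account owners.
foreach ($u in $Stale) {
    Disable-ADAccount -Identity $u -WhatIf
    Set-ADUser -Identity $u -WhatIf `
        -Description "Auto-disabled $(Get-Date -Format yyyy-MM-dd): no sign-in for $InactiveDays+ days"
}

# Audit standing privilege: every user who is, directly or through nested groups, a member of a
# highly privileged group. Each line is a question: does this membership still need to exist?
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$Report = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}
$Report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$Report | Export-Csv -Path .\privileged-members.csv -NoTypeInformation
```

Run it first with the two -WhatIf switches in place and review stale-users.csv; a service account that authenticates with a Kerberos keytab or a certificate can look dormant to this query even though it is in daily use, and those belong in an exclusion list rather than in the disable loop. The privileged-members.csv output is the starting point for the standing-privilege review: a privileged member whose own LastLogonDate is months old is the combination the text warns about.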
Adapting the attack surface
Rather than users signing on to your website or gaining access to your financial application through a password, use adaptive authentication by analyzing the device used, including the geolocation, and its status as either a recognized or unrecognized device. This form of automation allows for a more granular approach to authentication that goes beyond standard MFA by requesting different credentials depending on the login’s risk score.
And for the sake of everything good in the world, stop using SMS-based MFA!
Financial institutions gain context-aware security, while legitimate customers benefit from a frictionless experience. Over time, anomaly detection becomes more intuitive, helping to automate continuous improvement to AD security and protection.
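One way to express the adaptive step-up described in this section, and the “no SMS” rule, as Entra ID Conditional Access policies. This is an added PowerShell example using the Microsoft Graph PowerShell SDK; it is not code from the original post or from any product the post describes. The application ID and break-glass account ID are placeholders, the policy names are made up, and risk-based conditions assume an Entra ID P2 license:

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK,
# an administrator allowed to write Conditional Access policies, and the placeholder IDs below.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$FinancialAppId    = '<APP-OBJECT-ID-PLACEHOLDER>'          # the banking or planning application
$BreakGlassAccount = '<BREAK-GLASS-USER-ID-PLACEHOLDER>'    # always excluded so admins cannot lock themselves out

# Built-in "Phishing-resistant MFA" authentication strength: FIDO2 / passkeys, Windows Hello
# for Business, certificate-based auth. SMS and voice call are not part of this set.
$PhishingResistant = '00000000-0000-0000-0000-000000000004'

function New-StepUpPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string[]] $SignInRiskLevels,             # e.g. 'medium','high'; omitted = any risk level
        [switch]   $UnrecognizedDevicesOnly,      # scope the policy to devices not marked compliant
        [int]      $SignInFrequencyHours = 0      # 0 = keep the tenant default
    )
    $conditions = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassAccount) }
        applications = @{ includeApplications = @($FinancialAppId) }
        # Geolocation: apply everywhere except the named locations the tenant marks as trusted.
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    if ($SignInRiskLevels) { $conditions.signInRiskLevels = $SignInRiskLevels }
    if ($UnrecognizedDevicesOnly) {
        # Device filter in "exclude" mode: compliant (recognized, managed) devices skip this policy.
        $conditions.devices = @{ deviceFilter = @{ mode = 'exclude'; rule = 'device.isCompliant -eq True' } }
    }
    $body = @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # report-only first; enable after reviewing sign-in logs
        conditions    = $conditions
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $PhishingResistant } }
    }
    if ($SignInFrequencyHours -gt 0) {
        $body.sessionControls = @{
            signInFrequency = @{ value = $SignInFrequencyHours; type = 'hours'; isEnabled = $true }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Unrecognized device outside a trusted network: phishing-resistant MFA and re-authentication every 4 hours.
New-StepUpPolicy -Name 'FinApp: step-up on unrecognized device' -UnrecognizedDevicesOnly -SignInFrequencyHours 4

# 2. Identity Protection rates the sign-in as risky: phishing-resistant MFA regardless of device.
New-StepUpPolicy -Name 'FinApp: step-up on risky sign-in' -SignInRiskLevels 'medium', 'high'
```

Both policies are created in report-only mode, so the first thing to check is the sign-in log: the “Report-only” tab shows which real customers and staff would have been challenged, which is how you find the compliant-device population that is smaller than you assumed before anyone is locked out. A user who is exempt from the device policy because their device is compliant still hits the risk policy, which is the point: recognized device lowers friction, but a risky sign-in always steps up.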
Automating protection in financial services
Of course, mapping all these controls at scale won’t be possible using manual approvals. To minimize errors and apply a standardized approach, robust automation is needed. Software licenses can be managed dynamically, reducing the attack surface and helping find budget savings by maximizing directory usage.
User provisioning and deprovisioning can also be automated for existing employees and those who are moving internally. This takes the load off helpdesks when users need different permissions to operate in different departments. This automation can provide access Just-In-Time (JIT), and only for the duration necessary.
Implementing Just-In-Time procedures across the environment
This shift to JIT can be supported by using features such as enforcing session timeouts, expiring idle user sessions and revoking issued tokens. Roles can be created that are mapped to privileged AD groups, with access granted when needed using JIT, to boost directory security.
Further time savings come from JIT provisioning. Users can have their accounts automatically created for them when they sign in rather than with manual creation or bulk-import. For example, users with Entra ID accounts can authenticate once with their Entra credentials and automatically access the spokes and apps that you have provided via SCIM or SSO.
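The JIT elevation, expiry and token-revocation steps from the last two sections, as an added PowerShell example (not code from the original post or any product it describes). It assumes the RSAT ActiveDirectory module, a forest where the Privileged Access Management optional feature has already been enabled through change control, the Microsoft Graph PowerShell SDK for the session step, and made-up user, group and ticket values:

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module, a
# forest with the Privileged Access Management (PAM) optional feature enabled, and the
# Microsoft.Graph PowerShell SDK for the Entra ID session step.
Import-Module ActiveDirectory

function Test-PamFeature {
    # Time-bound group membership needs the PAM optional feature. Enabling it is irreversible,
    # so this function only reports and leaves the decision to a change-controlled step.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
    [bool]($feature -and $feature.EnabledScopes.Count -gt 0)
}

function Grant-JitMembership {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Group,
        [int] $Minutes = 60,                       # default window; the ticket should justify anything longer
        [Parameter(Mandatory)] [string] $Ticket    # change or ticket reference kept for the auditors
    )
    if (-not (Test-PamFeature)) {
        throw 'PAM optional feature is not enabled; refusing to fall back to standing membership.'
    }
    $ttl = New-TimeSpan -Minutes $Minutes
    # The directory itself removes the membership when the TTL expires, so nothing is left
    # behind if the deprovisioning job runs late or the administrator forgets.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl
    Write-Host "[$Ticket] $User added to $Group for $Minutes minutes (expires $((Get-Date).Add($ttl)))"
}

function Get-JitMembership {
    param([Parameter(Mandatory)] [string] $Group)
    # Members with a remaining TTL are shown with a "<TTL=seconds>" prefix; permanent members have none,
    # which makes standing membership in a privileged group easy to spot.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
}

# Usage (constructed values): two hours of Domain Admins for a change window, then confirm the TTL is attached.
Grant-JitMembership -User 'alice.admin' -Group 'Domain Admins' -Minutes 120 -Ticket 'CHG-0000'
Get-JitMembership -Group 'Domain Admins'

# Session hygiene: when the window closes, or a leaver is processed, revoke the refresh tokens held
# in Entra ID so cached browser and app sessions are forced to authenticate again.
Import-Module Microsoft.Graph.Users.Actions
Connect-MgGraph -Scopes 'User.RevokeSessions.All'
Revoke-MgUserSignInSession -UserId 'alice.admin@example.com'
```

Two caveats worth knowing before relying on this. A TTL membership issues a Kerberos ticket whose lifetime is capped at the remaining TTL, but access tokens already issued by Entra ID are not shortened retroactively, which is why the revocation call sits next to the expiry rather than being left to the token’s natural lifetime. And Get-JitMembership is the check that closes the loop described in the text: any Domain Admins entry without a TTL prefix is standing privilege that should have a justification on file.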
Satisfying compliance with audit-ready visibility
Visibility across all AD and Microsoft 365 domains and across Entra ID tenants through a single pane of glass helps financial institutions ensure that identity management, including policy creation and enforcement, is consistent across the hybrid environment. This sets the stage for audit success. It’s possible to administer JIT privilege elevation and the Principle of Least Privilege using role-based access methods. These can be aligned to standards set out by the likes of NIST SP 800-53, which highlights RBAC implementation “as a mandatory or discretionary form of access control.” That way, even if a breach happens, lateral movement is limited, allowing less opportunity for attackers to self-approve extra permissions.
What’s more, change history can be recorded and surfaced when needed, which also assists with compliance audits. For example, let’s say an employee moves from a role in accounts payable to a new role in accounts receivable, with access granted for new applications and revoked from others. Change history can provide needed proof for who was granted access to which applications, their location and when their access was revoked, helping to validate that the user in question has access to what they should.
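The accounts-payable to accounts-receivable scenario above relies on a change history that records who granted or revoked which group membership, and when. Windows domain controllers already emit that record in the Security log once “Audit Security Group Management” is enabled; the added PowerShell example below (not code from the original post or any product it describes) reconstructs the history for one user from those events. It assumes the RSAT ActiveDirectory module, read access to the Security log on each domain controller, and a made-up user name:

```powershell
# Added example (not from the original post). Assumes "Audit Security Group Management" is enabled
# on the domain controllers, so membership changes are logged as 4728/4729 (global group),
# 4732/4733 (domain local group) and 4756/4757 (universal group) add/remove events.
Import-Module ActiveDirectory

function Get-GroupChangeHistory {
    param(
        [string]   $Member,                                               # sAMAccountName to trace
        [int]      $Days = 90,
        # Each DC logs only the changes it processed itself, so query all of them by default.
        [string[]] $ComputerName = (Get-ADDomainController -Filter *).HostName
    )
    $addIds = 4728, 4732, 4756
    $allIds = $addIds + (4729, 4733, 4757)

    foreach ($dc in $ComputerName) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = $allIds
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # Property order for these event IDs: 0 MemberName (DN), 1 MemberSid, 2 TargetUserName (group),
            # 3 TargetDomainName, 4 TargetSid, 5 SubjectUserSid, 6 SubjectUserName, 7 SubjectDomainName.
            $p        = $e.Properties
            $memberDn = $p[0].Value
            $memberSam = try { (Get-ADObject -Identity $memberDn -Properties sAMAccountName).sAMAccountName }
                         catch { $memberDn }     # object deleted since: keep the DN as recorded
            if ($Member -and $memberSam -ne $Member) { continue }
            $action = if ($e.Id -in $addIds) { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                When   = $e.TimeCreated
                Action = $action
                Member = $memberSam
                Group  = $p[2].Value
                ByWhom = "$($p[7].Value)\$($p[6].Value)"   # the administrator or provisioning account
                DC     = $dc
            }
        }
    }
}

# Usage (constructed name): evidence that j.doe was added to the AR application group and removed
# from the AP one, ordered as the auditor will want to read it.
Get-GroupChangeHistory -Member 'j.doe' -Days 60 | Sort-Object When | Format-Table -AutoSize
```

The ByWhom column is what makes this an audit artifact rather than a list: a membership granted by a named person outside the provisioning service account, or one with no matching removal for the old role, is exactly the discrepancy the paragraph above says change history should surface. Security logs roll over, so for the retention periods regulators expect these events need forwarding to a SIEM or long-term store rather than being read from the DC at audit time.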
Directing and delivering directory protection for financial institutions
As financial institutions upgrade their core infrastructure, new innovations will require new strategies from their defenses. Alexander Peh of PayPal and Braintree believes that “Financial services companies that embrace technology will be the major winners.” However, many leaders caution against the security risks when trying to scale the technology enterprise-wide. AI must be considered an identity in the same way as human identities and must be managed as such.
The prospect of uneven integration of these emerging technologies, coupled with the monetary rewards from exfiltrating high-value data, means AD within financial institutions will remain a top target for malicious activity.
Financial institutions must design a cybersecurity plan that starts with auditing directories, checking for sprawl and vulnerable endpoints. They can then assess where more advanced defense can be implemented, such as adaptive authentication that hardens existing MFA protocols. Financial institutions can then more easily evaluate what types of controls are possible and whether access should be granted based on a more dynamic approach defined by attributes or policies.
By automating access and policies, privileges can be elevated at the right time to support Zero Trust Principle of Least Privilege (PoLP). Actions can stay consistent across the financial institution, generating a verifiable record to satisfy regulators and demonstrate compliance. This maintains visibility of workers and third parties who are distributed across multiple devices and different time zones – far beyond any central security perimeter. For financial institutions, there is no greater protection for digital assets, consumer data and brand reputation.