Cyber, the persistent challenge

by Kevin Flood, director, FIS payments ecosystem strategy, corporate and international banking, FIS Global


The average cost of a data breach in 2031 will be USD 4.4 million. Most cyber-attacks aimed at the financial services sector share the same target: data, and more precisely the acquisition of client data for unscrupulous financial gain (for example a bank drop, where stolen credentials are used to open bank accounts that hide criminal proceeds). The migration of banking services into the cloud continues unabated (coupled with the sustained rise of the neobank and its digital-only presence); it is estimated that within 10 years 40-90% of banks’ workloads will be hosted on public cloud, and that the share of fintech applications running in the cloud will grow to over 80% by 2025. Our continued hunger for “always on” connectivity via mobile apps and IoT, the demand for “instant everything” powered by technology, and the increasing use of microservice backbones for common services together present an attractive target for criminals: an ever-expanding attack surface, which they pursue in a variety of ways.

As banks start or continue their migration to the cloud, or grow their existing presence there, there are several issues and threats that they must remain, or become, acutely aware of in 2024. Given the trend of modernisation away from expensive and cumbersome on-prem mainframes and legacy technology stacks, this isn’t a “trend” that is expected to disappear anytime soon. Banks will therefore need to account for a range of threats: the more common phishing and vishing (social engineering), which give criminals access to accounts (2023 saw a 16-fold increase in cloud account threats); cyber-attacks such as Distributed Denial of Service (DDoS), man-in-the-middle (MitM), ransomware, SQL injection, cross-site scripting and zero-day exploits, all aimed at gaining access or disrupting services; and the emerging software supply chain attacks that target the code within commonly used third-party developed components (the nature of the cloud encourages the use of interoperable components). One of the most complicated threats that remains is the malicious insider, whereby a disgruntled or compromised resource shares data or provides access willingly, or the accidental external sharing of data (for example the common use of link-based sharing: the ease of data sharing is a major asset and key to collaboration within the cloud, but it also presents a great security risk).

Challenges remain around the misconception that once a workload is in the cloud, it becomes “safe”. Customers often incorrectly assume that the cloud service provider (CSP) manages all the important aspects of safeguarding resources within the cloud, yet misconfiguration, insecure interfaces and APIs, and a lack of security controls present significant risks in cloud environments. The loss of visibility compared with the familiar on-prem deployment, where every instance is visible via monitoring tools, requires that banks invest in cloud-focused security tools, and that their resources learn what this new MI data looks like and how to manage incident response on it. The intelligent automation of key processes and the use of automated deployment practices (such as Infrastructure as Code, IaC) can significantly improve an organisation’s security posture while supporting under-pressure employees by reducing reliance on manual activities. Security automation combined with the power of AI has allowed organisations to detect and contain data breaches 27% faster (a word of caution surrounds the use of AI/GenAI in banks, as the regulatory landscape is not yet fully settled or understood, but taking a risk-centric approach today will offer a head start when standards do arrive).

How can we help to mitigate the risks involved in what is ostensibly a powerful capability, one that can change and support banks as they grow and adapt, offering the mobile-first digital transformation we, as consumers, are demanding? NIST (National Institute of Standards and Technology) lists six core pillars underpinning a successful cyber security programme: Govern, Identify, Protect, Detect, Respond and Recover. Banks can take several practical steps to build further on these pillars. The overall move towards DevSecOps (Development, Security and Operations) and the adoption of CI/CD (Continuous Integration and Continuous Delivery) pipelines for frequent deployment of products allow banks to adapt not only to customer or regulatory requirements but also to security needs. Compliance should be by design rather than a checkbox of minimal compliance (for example upholding the cloud shared responsibility model between customer and CSP, and PCI DSS). Moving away from authenticating once and then having unfettered access to corporate networks, banks should be adopting strong Identity and Access Management (IAM) and a zero-trust architecture (including Multi-Factor Authentication, explicit verification, least-privilege access and assuming breach, with segmentation). The education of resources on the newer technology and the tools that accompany it, along with effective management of cloud logs, is fundamental to becoming more efficient at activities such as threat hunting. For example, TTP hunting (Tactics, Techniques and Procedures) is an intelligence-based activity that analyses the latest TTPs used by criminals to help defenders learn how to detect and protect against new attack trends.
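As an added example (not code from the article or from FIS), here is a small policy-as-code gate that a CI/CD pipeline could run over an IaC plan before deployment, turning "compliance by design" into an automated check for the misconfigurations the text names: publicly exposed storage, missing encryption and logging, wildcard permissions and roles that do not require MFA. The plan format and resource fields are a constructed, vendor-neutral stand-in, not any real provider's schema.

```python
"""Policy-as-code gate: evaluate an IaC plan and block deployment on
high-severity cloud misconfigurations (constructed, vendor-neutral plan)."""
import json

# Constructed sample plan in a hypothetical, simplified format.
SAMPLE_PLAN = json.dumps({
    "resources": [
        {"name": "customer-statements", "type": "storage_bucket",
         "public_access": True, "encryption": False, "logging": False},
        {"name": "audit-logs", "type": "storage_bucket",
         "public_access": False, "encryption": True, "logging": True},
        {"name": "ops-admin", "type": "iam_role",
         "actions": ["*"], "mfa_required": False},
        {"name": "payments-api", "type": "iam_role",
         "actions": ["ledger:Read", "ledger:Write"], "mfa_required": True},
    ]
})


def check_resource(res):
    """Return a list of (severity, finding) tuples for one resource."""
    findings = []
    name = res["name"]
    if res["type"] == "storage_bucket":
        if res.get("public_access"):          # link-style/public exposure
            findings.append(("high", f"{name}: public access enabled"))
        if not res.get("encryption"):         # missing security control
            findings.append(("medium", f"{name}: encryption at rest disabled"))
        if not res.get("logging"):            # no visibility for threat hunting
            findings.append(("medium", f"{name}: access logging disabled"))
    elif res["type"] == "iam_role":
        actions = res.get("actions", [])
        if any(a == "*" or a.endswith(":*") for a in actions):  # least privilege
            findings.append(("high", f"{name}: wildcard permissions granted"))
        if not res.get("mfa_required"):       # zero-trust: verify explicitly
            findings.append(("high", f"{name}: MFA not required"))
    return findings


def evaluate_plan(plan_json):
    """Evaluate every resource; any high-severity finding blocks the deploy."""
    findings = []
    for res in json.loads(plan_json)["resources"]:
        findings.extend(check_resource(res))
    blocked = any(sev == "high" for sev, _ in findings)
    return {"blocked": blocked, "findings": findings}


if __name__ == "__main__":
    result = evaluate_plan(SAMPLE_PLAN)
    for sev, msg in result["findings"]:
        print(f"[{sev}] {msg}")
    print("DEPLOY BLOCKED" if result["blocked"] else "deploy allowed")
```

In a real pipeline the same function would run against the provider's exported plan, failing the job on a blocked result so the misconfiguration never reaches the account.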

A key point is that, with reliance on technology and advances in software such as AI, responsibility cannot be abstracted away from the human element and the continued need for education. Investment is needed in the continued upskilling of resources on newer types of threats, cyber-attacks and fraud, and on what we can do with the overwhelming volume of data that things like ISO 20022 and its dedicated fraud fields will yield. The fight is far from over, you could say. Really, it’s just beginning to get interesting.
