Achieving Zero Trust in Finance as Digital Ecosystems Grow in Complexity

Those of us who work in the cyber security industry have been talking about Zero Trust for more than a decade now. During that time, it’s fair to say that the financial services industry has become relatively good at verifying the identity of actors within and outside its dedicated networks. Unfortunately though, while defining best practices for securing those networks (introducing principles such as least privilege, strict access control and microsegmentation), the finserv digital ecosystem for each individual organisation has become dramatically more complex.

There is now a lot more to Zero Trust than verification and validation as the changing face of banking and finance has seen new players enter the market. With modern fintechs, open source software, and countless third parties, all of which either deliver new applications to dedicated financial organisations or borrow applications from them, finding solutions has never been more important.

Third parties are driving innovation in banking and finance

Most banks today are looking to modernise (digitise) their service offerings. This owes, at least in part, to changing customer expectations, with individuals seeking greater access and transparency over their finances. Customers also want more efficient processes for making changes to their accounts, be that updating their address, opening and closing accounts, or changing repayment details. This is an area where challenger banks and third party software developers have had a significant part to play in bringing new digital solutions to the table.

What Zero Trust can deliver for the finance community

Zero Trust is not a new idea, but it has had a serious shake-up in recent years to match modern security demands. Zero Trust is a set of principles - a framework intended to ensure that all actors, whether they are operating within your organisation’s infrastructure or outside of it, are properly authorised and authenticated when making any changes to IT systems. Essentially it means that no actor without proper authorisations can access your data and internal set-up, and anyone that tries to will be detected and locked-out immediately.

The latest Global third party risk management survey from Deloitte stresses a new focus on creating resilience when managing third parties, and the need for key mechanisms for prioritising risk. Zero Trust is experiencing a new lease of life in finance and banking, since there are so many actors in any given supply chain nowadays, working on private networks, public networks, the cloud, hybrid environments and almost any other configuration you can think of.

The need to make sure you know who you’re communicating with, that they can only carry out tasks you’ve authorised them to do, and that their response strategy to threats is aligned with your own is absolutely critical when personal and mission-critical data is at stake.

Cyber reform: strategy and response

By intercepting the data in the supply chain, hackers are able to access the ‘crown jewels’ of the banks through third party apps. Once access to the bank’s environment is gained, malware is triggered to run riot on the systems. It’s therefore absolutely essential that organisations are holistic about cyber security, taking into account the core business and the ecosystem around it, and bringing third parties into the fold to create a standardised response.

The first part of levelling-up cyber responses is to improve awareness and education. Only by doing this can you ensure that the Zero Trust principles your organisation wants to live by can be followed to the letter. One way of improving this is to engage staff in interactive simulation environments that educate participants on how to spot a potential threat and how to best deal and manage with it in order to ensure business continuity.

With human error being the main point of origin for many security vulnerabilities, the reality is that every person within an organisation carries some level of responsibility. Training courses should therefore not only be geared towards an organisation’s IT department or cyber security team, but towards all current and new employees.

By training staff and third party partners together, these exercises ensure that everyone has the same understanding and knows who to contact, when to contact them, and what actions to take should a breach or attack occur. Another way to support cyber reform in banking and finance is through cyber range exercises as previously highlighted to further increase education and awareness, as well as preparedness.

Overall, the finance sector's digital transformation journey can be considered a success thus far, with customers experiencing more freedom and control than ever before over what happens with their money. However, if the industry can achieve Zero Trust in cyber security practice, then the growing complexity that has accompanied this journey does not have to give way to a rise in security risks.