The financial services sector is attractive to cyber thieves for one obvious reason—access to funds and related data—and one less obvious—security vulnerabilities around the Internet of Things.
The industry is increasingly making use of IoT, with smartphones replacing bank tellers and connected cars helping set insurance rates. An analysis from Deloitte projects IoT could be deployed for using connected home systems to process consumer payments, or for reviewing device data to assess insurers’ risks in evaluating creditworthiness.
There are several important steps that finance professionals must take to safeguard their clients’ data on connected systems. First, they must take stock of where IoT is being leveraged—often in places that won’t be top-of-mind—and how it’s being used. Second, they should consider how much access those devices need to fulfill their function, and whether they require an all-access pass to the company network or can run inside their own quarantine bubble. And third, business and technical leaders should become more familiar with everything from basic password hygiene to how to shut down Alexa or Siri while videoconferencing.
“Institutions need to go back and think as if there were no confines or walls in their organizations,” said Michael Monday, managing director and North America lead for financial services at Accenture Security.
As more devices connect remotely to financial databases, applications and data, attack surfaces grow. 89% of financial services professionals worry their organizations are not equipped properly against a breach.
Security Is ‘a Straight Line’
Even with the increased presence of IoT devices and applications, securing a financial services organization is not necessarily a complicated effort because it usually supports a less diverse set of endpoints than, say, a manufacturing plant, according to Dimitrios Pavlakis, digital security analyst at ABI Research. A recent ABI report on IoT security found organizations are increasingly factoring security as an important part of managing IoT assets.
IT security tools can easily give staff visibility into which devices are on the network and can, if necessary, shut them down, he said. Automated tools can analyze network and application behavior, spot viruses and malware, and manage security and access credentials on the network.
Fortunately, in a financial services environment, “usually it’s a straight line,” Pavlakis said. “You have to see what your footprint is, what assets are connected, what devices are connected, how critical are those devices (and) do customers have access to them.”
But security is challenged by the common difficulties that affect organizations everywhere and have become more pronounced as businesses adapt to the hardships of the COVID-19 pandemic. “We saw institutions unfortunately back off some of the usual controls, just to make sure they could operate. Then they had to come back and see how they could put back those secure controls,” said Monday. This is made even more challenging by the fact that IoT devices usually are not designed with much room for security: they typically have relatively little memory available to implement and manage robust security controls.
Most recommendations to secure financial organizations against vulnerabilities borne by IoT devices are the same as for many other cybersecurity issues: visibility, communication and enforcing basic security hygiene.
Take Stock of Inventory
Perhaps the biggest challenge in securing IoT in financial services is knowing where the technology is being used and how. Forrester found 36% of bankers it surveyed felt that leveraging IoT to improve their operational efficiency is a “high or critical priority,” and most of the use cases for IoT in banking were in areas where the type and role of connected devices often have less visibility, such as supply chain, trade finance and capital goods.
There are any number of connected devices involved behind the scenes at financial institutions: check scanners at teller stations, touch-enabled digital signage at branches, Bluetooth beacons that ping a customer’s phone as they enter. Even if on-premises ATMs are not strictly considered part of the IoT environment, they could be receiving data from connected devices.
Many of the IoT devices in financial institutions are not specific to financial services, said Lawrence Chin, a security architect at Palo Alto Networks. Security cameras, door locks, video screens, printers and other devices can create another avenue of attack for malicious actors, partly because installing them didn’t involve the IT organization and many of those devices are not thought of as intelligent—or even necessarily connected to the corporate backbone network.
Consideration must also be given to things that are in every financial services organization, but not necessarily as part of the IT architecture. For instance, smart thermostats and CCTV security cameras are sending data to the network and servers, but those devices are typically managed by facilities staff. Operating systems for those “smart” devices may not have been updated for years, and less-IT-savvy facilities professionals often are not aware of how, when and why to update cybersecurity on those devices.
Consider Zero Trust
One of the key steps organizations need to take when securing IoT beachheads in financial services organizations is to accept the idea that there are far more risks than the security operations team is aware of at any point in time. Increasingly, this results in the organization adopting a Zero Trust approach to cybersecurity. As the name implies, organizations, rather than trusting that an attempt to access an application, data or service is authentic and allowable, need to start with the assumption that trust can only be given when it is verified and authenticated.
This became particularly important in the COVID-19 pandemic when employees began working from home, either primarily or exclusively. Many of those employees attempted to gain access to essential IT resources over their own personal networks, devices and cloud services. In those scenarios, Zero Trust became a must-have. Even trickier is the idea that potential hackers could find their way into enterprise networks and databases tangentially, by first accessing “smart” but unprotected devices at an employee’s home, and then working their way through the home network and, ultimately, into the corporate network.
Understand potential weaknesses, such as aging IoT devices that may not have been updated in a while, and figure out what to do to reduce that level of risk, suggested Chin. He noted that financial services regulators in Hong Kong and Singapore recently updated their guidance to banks and financial institutions and for the first time pointed out the risk of IoT devices.
Indeed, a number of regulators have noted the need to think about security by design in IoT devices recently. The National Institute of Standards and Technology (NIST) published a document last year with core cybersecurity recommendations for IoT device manufacturers.
Segmenting networks and separating trusted devices and users from others is another possible strategy to help secure IoT. “Don’t let devices talk to things they shouldn’t be talking to,” said Chin. It’s relatively easy to set up a separate wireless network for public access and another, closed one for the organization’s connected devices that no one else can access.
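One way to enforce the “don’t let devices talk to things they shouldn’t” rule is a default-deny segmentation policy with a short explicit allowlist. The following added example (not from the article or any vendor quoted in it) models the three networks the text describes, a public guest Wi-Fi, a closed IoT network and the corporate network, and flags cross-segment flows in constructed sample flow records; the address ranges, ports and flow lines are assumptions.

```python
import ipaddress

# Constructed segment layout (assumption); real deployments differ.
SEGMENTS = {
    "guest": ipaddress.ip_network("10.10.0.0/16"),  # public Wi-Fi
    "iot": ipaddress.ip_network("10.20.0.0/16"),    # cameras, locks, signage
    "corp": ipaddress.ip_network("10.30.0.0/16"),   # staff and core systems
}

# Default deny between segments. Each rule is
# (source segment, destination segment, destination port or None for any).
ALLOW = {
    ("iot", "corp", 123),    # devices may sync time against the corp NTP server
    ("corp", "iot", 443),    # the management console may reach a device web UI
    ("corp", "corp", None),  # intra-segment traffic is outside this check
    ("iot", "iot", None),
    ("guest", "guest", None),
}


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it fits none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: only explicitly allowed segment pairs and ports pass."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if "unknown" in (src, dst):
        return False  # an address from no known segment is untrusted
    return (src, dst, dst_port) in ALLOW or (src, dst, None) in ALLOW


def violations(flow_lines):
    """Return the 'src_ip dst_ip dst_port' records (constructed format)
    that cross segments without a matching allow rule."""
    return [line for line in flow_lines
            if not is_allowed(*line.split()[:2], int(line.split()[2]))]


# Constructed sample flows, e.g. a camera in the IoT segment probing a corp DB.
SAMPLE_FLOWS = [
    "10.20.4.7 10.30.1.10 123",    # IoT -> corp NTP: allowed
    "10.20.4.7 10.30.1.50 1433",   # IoT camera -> corp SQL server: violation
    "10.10.9.3 10.20.4.7 80",      # guest Wi-Fi -> IoT device: violation
    "10.30.2.1 10.20.4.7 443",     # corp admin -> IoT web UI: allowed
    "192.168.1.5 10.30.1.50 445",  # unknown source -> corp SMB: violation
]

if __name__ == "__main__":
    for flow in violations(SAMPLE_FLOWS):
        print("segmentation violation:", flow)
```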
Communicate and Educate
Hackers still find it easier to steal by phishing than trying to break into a bank using IoT. But with the shift toward digital, even traditional fraud and financial crimes such as money laundering have gone digital.
This convergence of fraud and cybersecurity should be spurring collaboration among security and banking professionals, but the two groups are still not talking to each other as a matter of course, noted Monday. “The majority of security organizations are trying to fight the fires of today and keep the lights on,” he added.
Meanwhile, it is the line-of-business units that are more engaged in how end users interact with connected devices. A disconnect between the two groups has led to the emergence of “shadow security” groups within lines of business, because they can’t command bandwidth from the larger organization for those efforts.
The number of employees working from home in the wake of the pandemic is increasing the risk of IoT breaches, according to a Forrester study. Its analysts offered a two-pronged suggestion to secure IoT: endpoint security tools to monitor traffic and isolate anything suspicious, and employee training to make workers aware of steps that reduce risk. These include such actions as turning off their smart speakers at home during company calls or segmenting their home network to separate their personal IoT devices from their work connection.
One side effect of the growth of devices has been a new focus on security responsibility among end users, according to experts. But it does not release the institutions from their accountability and responsibility to make sure their users are aware of schemes and campaigns being launched against them, or the vendors from doing their due diligence and authenticating each device properly. “Education becomes a very, very critical point,” Monday said, “and it becomes a challenge too.”