The financial services industry – much like in healthcare, retail, education, and other sectors – is facing challenges securing its data in the cloud. These challenges are due in part to the normalization of remote and hybrid work, in which employees require access to collaboration and productivity tools anytime, anywhere. Additionally, employees are accessing the cloud from various devices, making it even harder to track cloud security. There’s also a higher volume of cybersecurity threats than ever before, and 82% of the breaches explored in IBM’s latest Cost of a Data Breach Report involved data stored in the cloud.
In many ways, financial services (finserv) firms – including banks, insurance companies, brokerage houses, and credit card companies – are approaching cloud security similarly to other industries and share the same concerns. For example, all sectors are seeing an increase in adoption and reliance on the cloud and have concerns about protecting this increased attack surface. However, finserv organizations face their own unique challenges, such as being held to more stringent compliance regulations for privacy and data protection. They are also at higher risk for threats waged by opportunistic, money-motivated cybercriminals and nation-state hacktivists.
Skyhigh Security’s recent Cloud Adoption and Risk Report, Financial Services Edition uncovered that 78% of financial services firms have experienced a cybersecurity breach, threat, and data theft – compared to only 75% across all industries who have dealt with all three. Finserv firms also experienced a larger increase in software-as-a-service (SaaS) security issues than all-industry percentages, up 13% from 2019. To make matters worse, the consequences of a finserv data breach can be devastating and tend to involve far more compromised personal data than other industries, by a longshot.
However, it’s not all bad news! Just because the stakes are higher for banks or brokerage houses doesn’t mean that strengthening cloud security programs in this industry needs to be a herculean task. In fact, finserv organizations may actually have a head start mitigating cloud data threats, since the industry possesses a higher degree of security maturity due to its need for extra vigilance. One example of this heightened awareness is that finserv organizations are already taking a more proactive approach to monitoring unauthorized cloud usage than other sectors and are taking extra precautions to reduce the associated risks.
Having this head start means that finserv security leaders are well-positioned to have the upper hand against even the savviest threat actors – as long as they stay on top of ever-evolving cloud security challenges in the industry. Here are five areas to focus on in 2023:
Better visibility and controls. Like other industries, finserv is sharing more and more data in the cloud these days. Since 2019, the use of public cloud services in this sector – such as Google, Amazon Web Services, Microsoft 365, and Microsoft SharePoint – has increased by over 50%, making it difficult for organizations to get a handle on where data is being stored, where it’s going, and how to protect it. To solve this problem, security leaders need technology that provides them with greater visibility into the cloud services in use and tighter security controls.
Less unauthorized cloud usage. Finserv organizations need a strategy for discovering employees’ usage of cloud apps or services that haven’t been authorized by the IT department – also known as Shadow IT – that may lead to unsecured data. One popular method to monitor Shadow IT usage is a Cloud Access Security Broker (CASB): an intermediary between cloud consumers and providers that enforces security policies as cloud resources are accessed. Secure web gateways (SWG) and next-generation firewalls are other helpful tools used to inspect network traffic and provide advanced protection.
But it’s not enough to just take stock of Shadow IT – organizations also need a plan for how to secure any unauthorized apps or services they discover. To do so, many finserv firms are already employing effective strategies like migrating users to similar IT-approved services, conducting regular audits to determine how risky different apps are, and zeroing in on identity and access management (IAM).
Prevention of data exfiltration. Finserv firms store an average of 61% of sensitive data in the public cloud – equal to other sectors. They also store similar types of vital data, but even more so in the way of competitor data, confidential internal documents, personal staff information, intellectual property, government identification, payment card information and network passwords. To prevent data loss and comply with strict privacy regulations, security leaders need to follow zero trust principles and increase their investments in security. Zero Trust is a security framework that follows a “never trust, always verify” approach.
Address talent shortages. With cybercrime on the rise and new technologies like generative AI being leveraged to aid attacks, cybersecurity professionals are in high demand. Studies show that approximately 3.4 million cyber experts are needed to support today’s global economy and there are more open roles than skilled workers to fill them. Our research shows these talent shortages are felt even more acutely in finserv, with 96% of finserv leaders noting that a lack of skilled security staff is affecting their ability to secure data in the cloud, compared to 92% in all other sectors. Growing the cyber workforce is our collective responsibility across industries and will require an increase in cyber education and STEM programs, upskilling and reskilling initiatives and open-minded recruitment and hiring.
Clear lines of program ownership. Most organizations today agree that securing cloud data is a shared responsibility, with C-suite executives like the CIO and CTO playing primary roles. However, 35% to 42% of finserv firms also count on IT managers and IT security managers to monitor and control sensitive cloud data. To successfully block data breaches and other threats, organizations need to get clear on who’s responsible for what part of the cloud data security program and create clearly defined swim lanes for ownership.
There’s no question that finserv security leaders have their work cut out for them when it comes to protecting data that now lives everywhere and is being accessed and used by employees in new ways. However, even the most pressing cloud security challenges are entirely possible to overcome by acting proactively, not reactively, in the face of heightened cyber threats. Finserv organizations can close critical security gaps by prioritizing converged programs and technologies, following zero trust principles, and boosting their data visibility and controls.
