Financial Services Knows It Needs to Do More to Protect Data in the Cloud

Originally published by Skyhigh Security.

Written by Rodman Ramezanian, Global Cloud Threat Lead, Skyhigh Security.

With hybrid work here to stay, the financial services industry is adapting to the increased risks associated with the enablement of a remote workforce. Much progress has been made, yet as evidenced in our latest report “Skyhigh Security Cloud Adoption and Risk Report: Financial Services Edition,” the industry still has a long way to go to improve cloud security.

Financial services organizations are particularly vulnerable to breaches, threats, and data theft compared to other industries because of the nature of the data they manage—and the percentage of these organizations that are experiencing security issues is on the upswing. In this report, we can see that the industry is aware it is a prime target for attacks, and so it generally demonstrates a higher security maturity than do other industries—but issues remain, particularly in the area of securing valued data in cloud services and applications. What is driving the problems and what can be done to solve them? Let’s dig in, and explore the research.

Financial services firms hold high-value assets, making them a more frequent target

Because financial services firms such as banks, insurance companies, brokerage houses, and credit card companies store large amounts of payment card information and other sensitive data, they are particularly vulnerable to attack. This makes them susceptible to nation-state hactivists who carry out attacks to drive political agendas and to cybercriminals hungry for monetary gain. Compared to other sectors, financial services are more likely to have experienced the triple combination of a cybersecurity breach, threat, and data theft: 78% compared to 75% in all sectors.

The shift to hybrid work has increased the attack surface and security risk

Like most other industries, the financial services industry has embraced hybrid work for all its benefits, despite its security drawbacks. An increased attack surface, issues with SaaS applications, and Shadow IT are some of the specific ways the shift to hybrid work has increased security risk, as evidenced by the following statistics from the report:

• In 2019, the average number of public cloud services in use was 20, compared to 31 in 2022. That’s an increase of over 50% in three years.
• For those firms that use SaaS applications and services, the percentage that experienced security issues has increased by 13%—from 82% of firms in 2019 to 95% of firms in 2022. The risk of threats from security issues with SaaS impact financial services more than other industries.
• 82% of financial services firms admit that Shadow IT impairs their ability to secure data.

For these reasons, we recommend that financial services firms adopt a data-centric security service edge (SSE) cloud security platform based on Zero Trust principles to secure data across the web, cloud, and private applications. The issues with SaaS in this industry indicate a greater need for visibility and control over data. An SSE platform provides that ability with consistent controls and policies.

Financial services is a highly regulated industry

On top of the heightened security risks faced by this industry, compliance adds another layer of complexity. Security executives must keep in mind how any new technology or security tools they adopt will affect their organization’s ability to manage ever-increasing regulatory compliance. To simplify compliance, we recommend that financial services firms look for solutions with consolidated technologies that can quickly scale with their workforce and streamline compliance reporting.

Cybersecurity staffing is a continuing challenge

While all industries are having a hard time finding skilled security professionals, the financial services industry feels the pain even more. Ninety-six percent of respondents in the sector say that insufficient skilled security staff is affecting their ability to secure the usage of cloud computing. That compares to 92% of their peers in all industries having the same challenge.

To counteract this problem, we recommend that financial services firms find a cloud security platform solution that utilizes automated tools and processes. This will help existing personnel work more efficiently by reducing false positives and eliminating redundant tasks such as having to recreate data classifications. A unified, centrally managed platform also provides far greater scalability and simplifies the process of creating and extending policies across the web and cloud.

Similar to other industries, the report indicates that in financial services firms, there may be some uncertainty as to who monitors and controls where sensitive data is stored or used in the cloud. On average, there are two roles (CIO and CTO) involved in this. However, 35% to 42% of financial services respondents surveyed say that cloud security is also the job of IT managers and IT security managers. Lacking clear definitions of roles and who owns what can lead to security gaps and vulnerabilities. This is yet another reason why a unified, integrated approach to cloud security is valuable, particularly for financial services.

To the credit of those who manage cloud security for financial services firms, it also appears they are proactively looking for ways to stay ahead of the curve. For example, financial services firms are more likely than other industries to utilize cloud access security broker (CASB) solutions to monitor non-IT approved cloud usage.

By taking the initiative to implement an SSE cloud security platform that integrates multiple security technologies such as CASB, data loss prevention (DLP), firewalls, and web gateways into one robust and holistic system, financial services firms can better secure their sensitive, high-value data while also enjoying the benefits of the cloud.