When the world moved online back in March 2020, with the majority of the workforce required to work from home, there were some questions of security surrounding remote work, particularly in the finance sector. With customer data needing to be secured from opportunistic cybercriminals, financial institutions needed to up their cybersecurity game.
Laurie Mercer is a Security Engineer at HackerOne with a strong technical background, having worked as both a Developer and Penetration Tester. Having recently worked as a solutions engineer for large SAST programs, and now at a Bug Bounty platform, Laurie loves to find and fix vulnerabilities.
Here he shares his thoughts on why financial institutions are choosing to leverage the power of hackers.
Picture the scene. You’re the CISO of a high street bank in March 2020 and you’ve just been told to close your doors and send all your employees home to set up remote working stations. While some have elaborate home offices and spare rooms, others are working at the kitchen table, escaping their children to take calls in their car, or are creating a workstation from an ironing board in their living room. Overnight your corporate perimeter has expanded to thousands of domestic networks. That’s on top of an explosion of online and contactless banking needs driven by a fear of contaminated cash that has developers working flat out to provide solutions to customers, pushing code at a faster rate than ever before. It’s a recipe for a security disaster.
So what does this mean? Suddenly, your traditional cybersecurity solutions are no longer fit for purpose. As everything is interconnected, from third-party services to valuable consumer data, transparency and trust are going to be key, as it is through sharing information that the bank can best prepare and protect itself from software vulnerabilities and external threat actors. But the big question that many CISOs had to solve was: how can we as an organisation best manage operations, ensuring total protection over systems and data, whilst remaining transparent to employees, clients and customers? The CISO is required to establish new security solutions based on collaboration and transparency, which is no easy feat.
Safeguarding the world’s most valuable data
While safeguarding customer data has always been a top priority for financial institutions, they remain a target for cybercriminals who are attracted by the potential to make huge financial gains. As the consequences of cyber attacks against financial institutions can be extremely severe, with data breaches compromising customer confidentiality and risking reputational damage and huge financial losses, many institutions have turned to the power of hacker-powered security to shore up their defences.
Equipped with specialised skills, domain expertise and an outsider’s perspective, ethical (or white hat) hackers can explore vulnerabilities within banks’ systems, responsibly reporting them so they can be fixed before serious damage is done. Ethical hackers can provide financial institutions with information about security weaknesses so they can implement effective security measures that can prevent future attacks.
HackerOne data shows that the financial services industry is the second most popular industry to embrace ethical hacking. Financial organisations have a year-over-year bug bounty program growth of over 75%, and, evidently, more financial institutions are realising the potential of hacker-powered security. If we can learn anything from the past year, it is the need for financial institutions to implement effective security measures and regularly monitor evolving attack surfaces to avoid huge potential losses, both financial and reputational. In response to the demand for improved security measures, more financial institutions have kick-started bug bounty programs to expose vulnerabilities before a cyber-attack occurs.
Large migration can lead to abundant losses
Using the cloud has a multitude of business benefits, from storing metadata to offering an array of products as-a-service, and bank migration to the cloud began long before the pandemic started. However, the digital transformation of banks, accelerated by remote working, has led to a surge of financial institutions moving on to cloud-based systems. According to EY, over a quarter of banks (27%) expect to move at least half of their business to the public cloud by next year. With more banks transferring large amounts of precious data to the cloud, it’s crucial that sensitive data is fully protected. Serious security risks can result from large migrations, with ‘Lift ‘n’ Shift’ projects having the potential to leave large datasets exposed by accident, due to insufficient authentication or authorisation checks. If left unchecked, organisations automatically become a prime target for threat groups on the hunt for vulnerabilities to exploit: misconfigured services can leave personal information accessible, and insecure networks are an open invitation for cybercriminals to gather valuable consumer data.
Gartner indicates that 95% of cloud security issues will be the direct result of misconfiguration by 2022. This has not gone unnoticed by the hacker community. Hackers have rushed to help secure businesses going through this transformation: reports submitted by hackers for misconfiguration vulnerabilities increased by 310% in 2020, demonstrating the adaptability of a community that is always evolving and looking for creative new ways to discover weaknesses in order to better secure the companies they work for.
Security doesn’t end with endpoints
Cybercriminals are also taking advantage of the blurred boundaries between work and home networks. Initial ‘quick-fix’ measures that were put in place by organisations to facilitate remote working have widened attack surfaces, and over half of senior executives (64%) believe that their organisation is more likely to experience a breach because of the shift to remote working.
With thousands of home networks connected to the company’s network, financial institutions can’t just rely on devices and user endpoints to be where the security stops. To be truly secure, banks need to approach their development with a hacker’s mindset, so they can fix issues at the source ahead of a catastrophic attack. One effective way for financial institutions to bolster their security is to adopt a Zero Trust model, a concept centred on organisations no longer extending implicit trust to internal users. As every user’s access needs to be identified and verified, executives can feel more secure about who has access to banking data. But, to really ensure that cyber risk is kept low, financial organisations can seek help from a third-party service that can regularly check for vulnerabilities on their systems.
Keeping step with increased speed of change
Whilst handling new security risks that emerge from remote working and the cloud, a third major challenge for many financial executives has been managing the velocity of change within their business. Many, if not all, banks have had to work on expanding their digital banking offering at speed, investing more in digital service channels and products whilst local branches had to close their doors. From a consumer standpoint, changes and updates made to mobile banking apps may appear to be small, but the necessary tweaks made to ensure that consumer data remained protected were anything but minor.
The speed of software development cycles has made it essential for financial institutions to adopt a continuous testing model that covers all bases. A Bug Bounty Lifecycle (BBLC), which tests systems and feeds vulnerability data back into the SDLC so that the same vulnerabilities don’t keep cropping up, can help ensure systems are better protected from future attacks. Since financial institutions, from legacy banks to new industry players, remain a top target for cybercriminals, a defence system that’s upheld by a reliable team of hackers is an innovative and adaptive way of keeping institutions fully protected, whilst remaining compliant.
Help from a hacker community is the most impactful
There’s a lot to get right when financial institutions welcome a team of hackers into their security operations. Organisations must foster effective communications with hackers to classify severity levels, discuss resolution processes and negotiate bounty amounts. To ensure communication is effective and that collaborative efforts reach their full potential, financial organisations can always seek help from external parties who are on hand to share guides and can arrange meetings with expert services teams.
In conclusion, legacy banks and new challengers have had to ensure the complete security of data and systems with less budget, whilst managing the challenges presented by mass cloud migration, the new security risks of remote working, and keeping step with the increased speed of change. However, more financial institutions are embracing the ethical hacking community as they navigate through the pandemic, with the financial sector having year-over-year bug bounty program growth of over 75%. A financial organisation’s defence automatically becomes more impactful with the help of a community: by leveraging hacker-powered security, banks have a constant, skilful eye on their software, managed by a trustworthy team of security experts.