Data is the lifeblood of the financial industry. Poor security management and the cyber attacks it enables are like sharp knives waiting to cause data hemorrhaging at financial companies.
In a recent survey, 90% of financial companies worldwide think they are vulnerable to data security threats. In 2014, 165 P2P Internet financial platforms in China were ravaged by hacker attacks.
Internet financial crime stole the limelight in 2015 with the financial attacks perpetrated by the Carbanak criminal organization. The gang targeted more than 100 banks and other financial institutions across more than 30 countries, and has stolen up to $1 billion since 2013.
Data is Money
Most cyberattacks are based on hijacking data for profit. With the formation of the online black market, financial enterprises have become a coveted target for hackers looking to sell personal and sensitive information obtained by exploiting system vulnerabilities. Data leaks not only cause financial losses but also negatively affect the company’s brand and reputation.
A growing number of high-risk industries, including finance, healthcare and e-commerce, have begun to put data security at the forefront of their business and are starting to take affirmative action. Vormetric’s Financial Industry Data Threat Report indicates that 70% of enterprises have or plan to increase their capital investment in data security. Among them, network protection (65%) and terminal protection (58%) have seen the largest increase.
Security Planning is Incomplete, and Vulnerabilities are Everywhere
In China, the financial security industry is not developing as quickly as the security threats it faces. DDoS attacks, brute force hacking, web application attacks, and fraud are the four major security challenges users face in the financial industry. External attacks are only half of the data security threats; the other half typically come from within the company itself.
Many financial enterprises, including large banks, can only provide makeshift solutions for managing data security. For example, in 2014, third-party security agencies conducted security assessments on 400 Internet lending platforms, 65% of which had security vulnerabilities and 35% had serious vulnerabilities. Because business release and promotion cycles are short, sometimes months or weeks, users in the financial industry have no time to consider internal security management. One application developer reluctantly admitted, “We just want to release the application on time. Nobody has time to think about security.”
The research also found that the biggest “enemies” of enterprise security are employees. Company employees can pose a number of security risks by exposing passwords publicly, downloading free software, and using unsecured cloud applications (Softchoice).
The Cloud is Trending Towards Security
Financial policymakers need to consider the broader context of cloud computing when formulating enterprise security policies.
The China Banking Regulatory Commission recently said that by 2020, 60% of the domestic financial industry will be built on the cloud. Financial enterprises are facing an increasing need to integrate security, especially security on the cloud, into the basic aspects of application development. Choosing a reliable cloud service provider is the foundation for ensuring data and business security for financial companies.
Enterprises can measure the security of cloud service providers from several aspects, including (but not limited to) application continuity, data security protection mechanisms, security capabilities (the number of DDoS, brute-force and web attacks defended against daily), security team, compliance programs, and so on.
At the same time, as more and more financial enterprises gradually transfer their businesses onto the cloud, they should also bring their security strategy more in line with the “cloud environment”. This new security strategy is very different from the previous makeshift solutions as cloud protection needs to be more comprehensively deployed.
Taking the basic topology of financial business systems as an example, app-side reinforcement and threat detection are used to limit security risks to within the app itself, while Anti-DDoS Pro and WAF (Web Application Firewall) are deployed at the entry/exit point of the cloud system so that network attacks are blocked before reaching the server load balancer, routers, switches, servers, or other applications.
On the server layer, the host side is reinforced by host security products to fix some vulnerabilities right away. Meanwhile, HTTPS is used to encrypt the entire link from the app to the application system, and the data is then stored in the database.
On the cloud, the financial industry also needs security tools that are capable of big data analytics to anticipate and respond, in real time, to attacks that are happening or are about to happen. These tools detect threats by analyzing relevant security elements in the entire network, including user operation logs, database behavior, and security logs across the entire network. This allows the discovery of previously unknown threats and the tracking of hacker activity.
In addition, deploying systems and applications to the cloud requires the financial industry to further strengthen employee permissions management and use key management systems to keep system passwords secure. Enterprises must also further improve employees’ security awareness and encourage secure application development.