Investing in a good cybersecurity framework is paramount to minimise the blast radius of potential threats. For instance, the finance industry is riddled with credential abuse, an issue that can be resolved through good protocols. To know more about cybersecurity frameworks, Srajan Agarwal of Elets News Network (ENN) had a conversation with Maheswaran Shamugasundaram, Country Manager, Varonis.
As India is suffering from frequent financial fraud, what kind of security strategy do you think could help avert such incidents?
The robustness of protections for financial services is always in a situation where, while it is one of the sectors where security maturity has seen the most improvement, the comparative risks still remain high. Financial services are a favorite target of malicious attacks due to the amount of sensitive data they collect from users. According to government records, Indian banks reported 248 successful data breaches by hackers and miscreants between June 2018 and March 2022. With increasingly sophisticated attacks and changing dynamics in modern workplaces and finances, the frequency of these financial data breaches will only increase. This is not even factoring in the variety of ways that financial data can be used for fraudulent purposes by external and internal threat actors.
Since most attacks nowadays are targeting data, one of the strategies that could help financial institutions significantly is to take a data-first approach towards cybersecurity. It is essential that institutions ask the following questions and assess how prepared they are to answer them.
- What is their most sensitive data and where is it being stored?
- Who has access to this sensitive data and what read/write permissions do they have?
- How is this data being accessed/processed/transferred as it is being used?
Answering these three questions will enable organisations to prioritise the protection of especially sensitive data. The combination of monitoring location, identity, and usage can help institutions identify suspicious and unusual behaviours more quickly with the use of data enrichment and AI- and ML-powered analytic tools. Combine this data-first architecture with a zero-trust approach that uses a least-privilege model, granting access only to users who cannot function without access to that data file, and you have the foundation of a cybersecurity infrastructure that is both robust and responsive to threat and compliance requirements.
Where are the loopholes in the traditional security strategy that banks need to change right now?
Digital banking has become the norm and many banks have rushed through cloud adoption in order to provide modern financial services to their customers and stay ahead of the competition. Demonetisation and the lockdown period of the pandemic sped up the adoption of digital payments. This digital transformation has flipped the traditional security model, which focused on perimeter and endpoint, on its head. Instead of focusing on the outside in, organisations should think inside out, or a data-first security approach. This is particularly applicable for the finance industry which is dealing with tons of sensitive data on a daily basis.
Varonis compiled risk assessment findings after performing data analysis of over 4 billion files from 56 financial services organisations and the key findings of them are mentioned below.
- On average, a financial service employee gets access to nearly 11 million files.
- Nearly two thirds of companies have 1000+ sensitive files open to every employee.
- 60 per cent of companies have at least 500+ passwords that never expire.
Securely transitioning to remote work and locking down exposed data to mitigate the risks stemming from remote logins were two of the highest security priorities for IT teams in financial services. Mobilising without proper security controls exponentially increases the risk posed by insiders, malware, and ransomware attacks, and exposes companies to possible non-compliance with regulations such as SOX, GDPR, CCPA, and PCI. Hence, it is critical for organisations to ensure only the right users are provided access to critical information assets with appropriate permissions.
Organisations should assume that their perimeters will eventually get breached and take steps to mitigate the possible damage when this happens. Limiting access and monitoring usage are just a few of the levers that can be used to create an effective cybersecurity strategy.
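The three data-first questions above (where the sensitive data is, who can reach it with which rights, and which accounts weaken the access model) can be turned into a repeatable audit. The following is an added example, not Varonis code or the assessment method behind the figures quoted in the interview; the file inventory, ACL entries, group names and account records are constructed, and the "broad group" list and 90-day staleness threshold are assumptions.

```python
# Added example: a data-first audit over a constructed file/ACL inventory.
# It flags confidential or restricted files readable by broad groups (the
# "sensitive files open to every employee" finding) and accounts whose
# passwords never expire (the "500+ passwords that never expire" finding).
from dataclasses import dataclass
from datetime import date

# Assumed set of principals that effectively mean "every employee".
EVERYONE_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}


@dataclass
class FileRecord:
    path: str
    sensitivity: str   # "public", "internal", "confidential" or "restricted"
    acl: dict          # principal -> set of rights, e.g. {"Everyone": {"read"}}


@dataclass
class Account:
    name: str
    password_never_expires: bool
    last_logon: date


def sensitive_files_open_to_all(files, broad_groups=EVERYONE_GROUPS):
    """Question 1+2: sensitive files that any broad group can read or write."""
    hits = []
    for f in files:
        if f.sensitivity not in ("confidential", "restricted"):
            continue
        if any(p in broad_groups and rights for p, rights in f.acl.items()):
            hits.append(f.path)
    return sorted(hits)


def principals_with_write(files, path):
    """Question 2: which principals can modify a given file."""
    for f in files:
        if f.path == path:
            return sorted(p for p, r in f.acl.items() if "write" in r)
    return []


def accounts_with_non_expiring_passwords(accounts, stale_after_days=90, today=None):
    """Accounts with non-expiring passwords, marking those not used recently."""
    today = today or date.today()
    out = []
    for a in accounts:
        if a.password_never_expires:
            stale = (today - a.last_logon).days > stale_after_days
            out.append((a.name, stale))
    return out


# Constructed sample inventory (paths, groups and accounts are made up).
FILES = [
    FileRecord(r"\\fs01\finance\q3_ledger.xlsx", "confidential",
               {"Everyone": {"read"}, "fin-analysts": {"read", "write"}}),
    FileRecord(r"\\fs01\hr\payroll_2022.csv", "restricted",
               {"hr-payroll": {"read", "write"}, "Domain Users": {"read"}}),
    FileRecord(r"\\fs01\public\holiday_calendar.pdf", "public",
               {"Everyone": {"read"}}),
    FileRecord(r"\\fs01\finance\kyc_exports.zip", "restricted",
               {"kyc-team": {"read"}}),
]
ACCOUNTS = [
    Account("svc-backup", True, date(2022, 9, 15)),
    Account("j.doe", False, date(2022, 9, 1)),
    Account("legacy-report", True, date(2021, 3, 20)),
]


def audit(files=FILES, accounts=ACCOUNTS, today=date(2022, 10, 1)):
    """Run both checks and return the findings a CISO would prioritise."""
    return {
        "open_sensitive": sensitive_files_open_to_all(files),
        "never_expire": accounts_with_non_expiring_passwords(accounts, today=today),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(finding, items)
```

In a real estate the inventory would come from the file servers' ACLs and the directory's account attributes; the point of the example is that each of the three interview questions maps to a concrete query, and that an overexposed restricted file and a stale non-expiring service account are the first items to remediate.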
With the advent of crypto and instant payments, do you think the fintech space has become more vulnerable to cyberattacks?
Yes, definitely. India is one of the fastest growing fintech markets in the world. This is being fueled by a booming startup ecosystem that is being ably supported by the government through initiatives like UPI and the Digital India mission. While there are some concerns such as the level of financial literacy and digital access, cybersecurity is a big issue in the space.
An Akamai report titled State of the Internet | Phishing for Finance revealed that amongst the top web cyberattacks in 2020 was credential abuse, accounting for more than 3 Bn attacks, a 45 per cent increase from 2019. The most common cyberattacks affecting the finance industry include local file inclusion, followed by cross-site scripting, PHP injection, command injection, and distributed denial of service (DDoS) attacks.
How can investing in a good cybersecurity framework act as an insurance for the Indian BFSI sector?
The BFSI sector is particularly vulnerable to cyberattacks given the sensitivity of financial data and the scope to wreak havoc on livelihoods and economies. This is why the maturity and cyber preparedness amongst financial institutions is one of the highest in any sector. That being said, there is still a lot that needs to be done to protect India’s critical infrastructure.
Investing in a good cybersecurity framework is paramount to minimise the blast radius of potential threats. For instance, the finance industry is riddled with credential abuse, an issue that can be resolved through good protocols. Creating a least-privilege model of access and subsequently monitoring and analysing how data is being utilised by users can help detect fraudulent access. This understanding of the data landscape of a company allows CISOs to detect breaches of sensitive data faster and quicker which improves the effectiveness and turnaround times for responses. More importantly, it enables CISOs to take a proactive approach to security, ensuring that the potential for damage is minimised.
Identity verification and authentication solutions that worked in the past are proving to be ineffective these days. What do you think is the reason behind it?
Identity verification and authentication were working primarily on the old perimeter model – they were the key for verified users to unlock access to the network. There are many reasons why they are no longer as effective. The first is that passwords have never been the strongest authentication tool, and have only become easier to breach. They are vulnerable to social engineering tactics and do not provide a barrier to sophisticated phishing and malware attacks. But more importantly, the interconnectedness of networks and clouds means that perimeters can never be fully fenced, and will always be somewhat permeable. As such, most cybersecurity experts take an “always breach” mentality that assumes that the perimeter will be compromised. Instead of thinking about what verification and authentication tools will be more effective, the better question is perhaps: what are these tools being used for? It would be wiser to use verification tools so that only authorised users can access the data types that are required for their job roles. That way, even if the authentication tool is compromised, the blast radius of the exploit is limited to that specific data subset. This is not to say that tools like multi-factor authentication have little effect on cybersecurity, but to illustrate the design choices that are made when planning for worst-case scenarios.
An ideal identity verification and authentication tool should have the following:
- Least-Privilege Model – A Zero Trust approach that limits accessibility of data sets to only users who need access to them to perform their tasks.
- User Provisioning – Automated systems that allow you to quickly create new enterprise accounts for users and assign them to roles and groups through a front-end interface.
- Single Sign-On – Solutions that reduce the need for multiple usernames and passwords, instead, allowing users to log on through a central portal and be authenticated to all other internal systems and applications automatically.
- Multi-Factor Authentication – Using a secondary tool, like a smartphone or security token, to add another layer of authentication. Users log in with their primary account and then receive a unique code to verify their identity.
- Risk-Based Authentication – A dynamic solution that runs an algorithm to calculate the given risk of a user performing a specific action. If the risk score is too high, the action is blocked and the IT team is notified.
- Identity Analytics – Repositories that capture authentication and authorisation events to log activities and help troubleshoot issues. Running regular Windows audits will help ensure system stability.
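To show how the least-privilege model and risk-based authentication items in the list above fit together, here is an added example that is not Varonis code or any vendor's product logic: authorisation is checked first against what the user's role actually needs, and only then is a risk score computed from login signals to decide between allowing, stepping up to MFA, or blocking and notifying the IT team. The role-to-data-set mapping, the signal weights and the thresholds are illustrative assumptions, and all users, devices and attempts are constructed.

```python
# Added example: least-privilege entitlement check followed by a toy
# risk-based authentication decision (allow / require MFA / block and notify).
from dataclasses import dataclass

# Assumed mapping: each role is entitled only to the data sets its job needs.
ROLE_DATASETS = {
    "teller": {"customer-profiles"},
    "fin-analyst": {"ledger", "customer-profiles"},
    "hr-payroll": {"payroll"},
}
SENSITIVE_DATASETS = {"payroll", "ledger"}


@dataclass
class UserProfile:
    user: str
    role: str
    known_devices: set
    usual_countries: set
    usual_hours: range = range(8, 20)   # local working hours, assumed


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    hour: int
    dataset: str
    failed_attempts_last_hour: int = 0


def risk_score(profile, attempt):
    """Sum weighted anomaly signals; weights are illustrative, not a vendor formula."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30; reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        score += 35; reasons.append("unusual country")
    if attempt.hour not in profile.usual_hours:
        score += 15; reasons.append("outside working hours")
    if attempt.failed_attempts_last_hour >= 5:
        score += 25; reasons.append("many recent failures")
    if attempt.dataset in SENSITIVE_DATASETS:
        score += 10; reasons.append("sensitive data set")
    return score, reasons


def authorise(profile, attempt, block_at=70, step_up_at=40):
    """Least privilege first; then the risk score picks the authentication path."""
    if attempt.dataset not in ROLE_DATASETS.get(profile.role, set()):
        return "deny", ["role not entitled to data set"]
    score, reasons = risk_score(profile, attempt)
    if score >= block_at:
        return "block_and_notify", reasons   # IT team alerted, per the list item
    if score >= step_up_at:
        return "require_mfa", reasons        # secondary factor before access
    return "allow", reasons


# Constructed user profiles.
PROFILES = {
    "a.rao": UserProfile("a.rao", "fin-analyst", {"lap-0451"}, {"IN"}),
    "p.mehta": UserProfile("p.mehta", "teller", {"kiosk-12"}, {"IN"}),
}


def demo():
    """Four constructed attempts covering each possible decision."""
    cases = [
        LoginAttempt("a.rao", "lap-0451", "IN", 10, "ledger"),            # normal
        LoginAttempt("a.rao", "phone-999", "RU", 3, "ledger"),            # anomalous
        LoginAttempt("a.rao", "lap-0451", "IN", 11, "payroll"),           # outside role
        LoginAttempt("p.mehta", "tablet-7", "IN", 21, "customer-profiles"),  # new device, late
    ]
    return [authorise(PROFILES[c.user], c) for c in cases]


if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```

The order matters: the entitlement check means a stolen but fully "trusted" session for an analyst still cannot reach payroll data, which is the blast-radius argument made earlier in the interview, while the risk score layered on top turns the MFA and notification items into runtime decisions rather than static settings.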