The Bank of England Systemic Risk Survey for H1 2018 found that 62% of industry respondents cited cyberattacks as the greatest risk posed to the UK’s financial stability. Political risk (91%) and specifically Brexit (80%) came out on top.
But while cyberattacks are firmly embedded in the hearts and minds of CIOs and CISOs, IT departments may be too preoccupied with large-scale cyberattacks, according to Karl Lankford, lead solutions engineer at Bomgar, the secure access technology firm.
The departments of tier 1 banks in particular, according to Lankford, should be looking inwardly at internal networks and limiting access rather than focusing on the perimeters.
“It makes them incredibly easy targets,” said Lankford, over email. “The speed at which these attacks can happen is only increasing; even a novice can quickly execute automated attacks on an environment using widely available tools.”
Part of the problem lies in the arms-tied, over-reliance on unwieldy and mission critical legacy systems that present a weak link, allowing hackers to exploit tried and tested methods.
“Even a basic scan with open-source intelligence (OSINT) tools will give you a long list of insecure systems that are directly connected to the internet. It’s essentially a search engine for hackers,” said Lankford.
Despite increased concerns around ever more sophisticated cyber attacks, Lankford believes that basic digital hygiene and internal protections are poor: “Without the basics under control, such as passwords or spreadsheets, financial institutions are leaving themselves wide open to attack.”
However, poor digital hygiene does not necessarily translate to negligence from IT departments.
With the rise of ever more stringent regulations, such as PCI or SOX, IT departments, customer support organisations and third-party vendors need secure ways to access applications, devices, and critical systems while protecting sensitive data.
“Busy IT and security departments under pressure to keep things running smoothly, security is sometimes overlooked for productivity, or short-cuts are used instead of using the tools that are available as they can slow employees down,” according to Lankford.
Likewise, finding the right balance within a busy IT schedule to manage and track privileged accounts is equally challenging and for Lankford, present “the largest cybersecurity threat to any financial services organisation.”
It leaves financial services potentially exposed to crisis levels: “It’s a terrible combination: easily accessible legacy systems and automated tools leave the door wide open. And then with very little internal controls, it provides hackers the perfect opportunity to move around easily in the network once they’ve gained access.”
The solution could lie in the ‘principle of least privilege’, where administrator access is limited, and forms the basis of any privileged access management (PAM) solution that only grants certain permissions to certain users.
Therefore, it becomes imperative to implement procedures and processes to investigate and correct violations to the principle of least privilege.
With greater visibility on who needs access, when and where on the network, IT teams should be able to grant privilege based on user roles and what the employees need to be able to do at that time. In this respect, if an account is compromised by a threat actor, the account might not have the necessary permission to move throughout the infrastructure, extracting sensitive data.