Thales Blog

Financial Services Organizations Need to Adapt their Security Practices to the Shifting Environment

November 5, 2020

Simon Keates | Head of Strategy and Payment Security at Thales

Companies and organizations in both the public and private sectors are rebuilding their business around information and data. Under the banner of Industry 4.0, businesses are using digital technologies such as cloud, mobile and IoT to transform their operations, and even "traditional banks" seek to drive more revenue from digital products, personalized services and experiences. At the same time, financial services organizations need to adapt to a shifting global environment: the COVID-19 pandemic has forced enterprises to alter their business and security models to support work-from-home practices.

Increased contactless and mobile payments introduce bigger risks

According to the 2020 Thales Data Threat Report-Global Edition, 30% of respondents in the financial services sector are either aggressively disrupting their market or embedding digital capabilities that enable greater enterprise agility. This percentage is expected to rise further in 2020 given the changes the COVID-19 pandemic has brought, with contactless and mobile payments now representing the majority of in-store transactions.

Bring-your-own-device (BYOD) and other mobile risks have skyrocketed since the coronavirus drove a considerable share of the workforce to work from home. According to the latest Verizon Payment Security 2020 Report, remote working has increased organizations' attack surface and consequently driven 70% of these businesses to increase cybersecurity spending.

The coronavirus pandemic has changed consumer behavior as well, pushing customers toward contactless payment with mobile devices. Although card-present payments are still prevalent in North America, contactless payments are forecast to increase eightfold between 2020 and 2024. Mobile payment providers must continuously revisit their strategy for securing mobile payments in order to prevent the fraud inherent in this way of paying for goods.

Vulnerabilities in operating systems (OS) and apps let attackers hijack legitimate payment applications and exfiltrate information, often by tricking users into granting permissions. According to the RSA Quarterly Fraud Report Q4 2019, 72% of fraudulent transactions originated in the mobile channel, and 59% of fraudulent transactions were attributed specifically to mobile browsers.

Weak security practices lead to data breaches

The financial services industry is a digitally driven one, seeking to harness the big data generated by customer transactions in order to offer banking products tailored to each client's needs. At the same time, the industry faces heavier regulatory requirements, with PCI DSS and the EU's revised Payment Services Directive (PSD2) mandating strong security controls for safeguarding transactions and financial data.

Despite this solid regulatory environment, digitalized industries have greater threat exposure, and financial services is no exception: 54% of the financial services respondents in the 2020 Thales Data Threat Report-Global Edition said they had experienced a data breach or failed a compliance audit during 2019. A failed compliance audit is a warning sign of weaknesses waiting to be exploited by malicious actors.

The challenge of meeting regulatory compliance while safeguarding data grows as financial services firms store more of their data in cloud environments. According to the survey, almost all (99%) of financial services organizations store data in the cloud, and more than half (51%) of that cloud data is sensitive.

To meet regulatory security requirements, financial services firms are spending more on data security and increasing its share of their total budget. They need tools that can manage greater complexity, spanning legacy on-premises systems as well as modern cloud and edge technologies, with controls such as encryption and tokenization. As edge computing and edge-based AI grow, this complexity will only increase.

However, the report also found that financial services organizations are not concerned enough about the issues creating the most risk. Encryption and tokenization rates remain low: only 57% of sensitive data is protected by encryption, and less than half (49%) is secured with tokenization.
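Tokenization is mentioned above only as an adoption rate, so here is what it looks like in practice. The following is an added example, not code from Thales or from the report: a vault-style tokenizer for a primary account number (PAN). The token is random, keeps the PAN's length and last four digits for display, and carries no key material, so the only way back to the card number is a lookup in the vault. The in-memory vault, the test PAN and the choice to make tokens fail the Luhn check are all assumptions of this example.

```python
"""Vault-style tokenization of a primary account number (PAN).

Constructed example: the token is a random digit string of the same length
as the PAN that keeps only the last four digits for display. It carries no
key material, so the only way back to the PAN is a lookup in the vault,
which becomes the one component left holding cardholder data.
"""
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a tokenization vault (a real one is an access-controlled, audited store)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}   # same PAN -> same token, so tokens can still be joined in analytics

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a plausible PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        last_four = pan[-4:]
        while True:
            # Random leading digits from a CSPRNG; nothing in the token is derived from the PAN.
            candidate = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + last_four
            # Design choice made in this example: the token must FAIL Luhn so it can never be
            # mistaken for, or replayed as, a live card number. Some deployments pick Luhn-valid
            # tokens instead to satisfy legacy input validation.
            if not luhn_valid(candidate) and candidate not in self._pan_by_token:
                break
        self._pan_by_token[candidate] = pan
        self._token_by_pan[pan] = candidate
        return candidate

    def detokenize(self, token: str) -> str:
        """Return the PAN for a token; callers of this method are the only ones handling cardholder data."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"          # well-known test PAN (constructed input, not a real card)
    token = vault.tokenize(pan)
    print("token:", token, "-> masked for display:", "*" * (len(token) - 4) + token[-4:])
    print("detokenized:", vault.detokenize(token))
```

The point for scope reduction is that every system that stores or searches on the token never sees the PAN; only the vault and the few callers of `detokenize` remain in PCI DSS scope, which is why the vault itself needs the strongest access control and audit logging in the estate.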

The same trends are witnessed worldwide

The findings in the financial services industry reflect the trends at a global level. Digital transformation initiatives are well underway, with 43% of the survey respondents either aggressively disrupting their market or embedding digital capabilities that enable greater enterprise agility.

The level of digitalization does not reflect the level of corporate security maturity. More digitally advanced organizations have a larger attack surface, but less sophisticated organizations also expose themselves to data threats and may have been breached without even knowing it. Approximately half (49%) of all surveyed organizations have suffered a data breach at some point, and roughly a quarter (26%) have been breached in the past 12 months.

Organizations across the world are adopting a wide range of technologies, including cloud, mobile, social, big data and IoT. In addition, nearly all (98%) of organizations worldwide have some form of data stored in off-premises platforms. Data stored in the cloud is nearing an inflection point with respondents indicating that an estimated 50% of their corporate data is stored in the cloud, and 48% of that data is considered sensitive.

Smart data protection to address all risks

Data security solutions are critical to staying vigilant against the new data risk reality. This is especially relevant now that the work-from-home migration has forced employees to access and modify greater amounts of corporate data off-premises, sometimes on BYOD devices. Even where an organization loses visibility of where its data resides, data security technologies such as encryption are needed to protect corporate data in a location-agnostic manner.

The coming year will bring new and increasingly complex challenges when it comes to data protection for organizations around the globe. Businesses will need smarter, better ways to approach data security. Encrypt everything, embrace a zero-trust model, and implement a strong multi-cloud key management strategy and you’ll be off to a good start.
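To make "encrypt everything" and "multi-cloud key management" concrete, here is an added example (not Thales code, and not a scheme the post prescribes) of envelope encryption with a key hierarchy, the pattern behind the data-key APIs of the major cloud key-management services. Each record gets its own data-encryption key (DEK); the DEK is wrapped by a key-encryption key (KEK) that never leaves the key manager. The stored blob is therefore location-agnostic: it can sit on any cloud, laptop or backup, and whoever holds it still needs the KEK. The `KeyManager` class is a stand-in for a KMS or HSM, and the key identifiers, record contents and contexts are constructed. It needs the third-party `cryptography` package.

```python
"""Envelope encryption with a key hierarchy, a constructed example.

Each record is encrypted under its own data-encryption key (DEK). The DEK is
then wrapped by a key-encryption key (KEK) that lives only inside the key
manager. The resulting blob can be stored on any cloud, device or backup:
without access to the KEK it is just random bytes, and rotating or revoking
the KEK changes who can read the data without re-encrypting it.
Requires the third-party 'cryptography' package (pip install cryptography).
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM


class KeyManager:
    """Stand-in for a KMS/HSM: holds KEKs by id and wraps/unwraps DEKs, but never exports a KEK."""

    def __init__(self) -> None:
        self._keks: dict[str, bytes] = {}

    def create_kek(self, kek_id: str) -> None:
        self._keks[kek_id] = AESGCM.generate_key(bit_length=256)

    def revoke_kek(self, kek_id: str) -> None:
        del self._keks[kek_id]

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        # The KEK id is authenticated (AAD) so a wrapped DEK cannot be re-pointed at another KEK.
        return nonce + AESGCM(self._keks[kek_id]).encrypt(nonce, dek, kek_id.encode())

    def unwrap(self, kek_id: str, wrapped: bytes) -> bytes:
        if kek_id not in self._keks:
            raise PermissionError(f"KEK {kek_id!r} is unknown or revoked")
        nonce, ciphertext = wrapped[:NONCE_LEN], wrapped[NONCE_LEN:]
        return AESGCM(self._keks[kek_id]).decrypt(nonce, ciphertext, kek_id.encode())


def encrypt_record(km: KeyManager, kek_id: str, plaintext: bytes, context: bytes) -> dict:
    """Encrypt one record under a fresh DEK and return a self-describing blob."""
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    # 'context' (e.g. record id or tenant) is bound as AAD so a blob cannot be swapped between records.
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, context)
    return {"kek_id": kek_id, "wrapped_dek": km.wrap(kek_id, dek), "nonce": nonce, "ciphertext": ciphertext}


def decrypt_record(km: KeyManager, blob: dict, context: bytes) -> bytes:
    """Unwrap the DEK through the key manager, then authenticate and decrypt the record."""
    dek = km.unwrap(blob["kek_id"], blob["wrapped_dek"])
    try:
        return AESGCM(dek).decrypt(blob["nonce"], blob["ciphertext"], context)
    except InvalidTag:
        raise ValueError("authentication failed: wrong context or tampered blob") from None


def rekey_record(km: KeyManager, blob: dict, new_kek_id: str) -> dict:
    """Move a blob to a new KEK: only the small wrapped DEK is rewritten, the bulk ciphertext is untouched."""
    dek = km.unwrap(blob["kek_id"], blob["wrapped_dek"])
    return {**blob, "kek_id": new_kek_id, "wrapped_dek": km.wrap(new_kek_id, dek)}


if __name__ == "__main__":
    km = KeyManager()
    km.create_kek("kek-2020")
    blob = encrypt_record(km, "kek-2020", b"account=12345678 balance=1000", b"customer:42")
    print(decrypt_record(km, blob, b"customer:42"))
    km.create_kek("kek-2021")
    blob = rekey_record(km, blob, "kek-2021")   # rotation touches only the wrapped DEK
    km.revoke_kek("kek-2020")                   # old KEK gone; rekeyed blob still readable
    print(decrypt_record(km, blob, b"customer:42"))
```

Two things the example shows that the advice alone does not: rotating or revoking the KEK never requires re-reading the bulk data stored across clouds, and binding a context as associated data stops an attacker who can read one cloud bucket from substituting one customer's ciphertext for another's. In a real deployment the `KeyManager` is a KMS or HSM behind its own access policy, which is where the zero-trust model applies: callers get `unwrap` rights for specific KEKs, never the keys themselves.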

Download the 2020 Thales Data Threat Report-Global Edition for more key findings.