Despite its growing popularity, cloud adoption shouldn’t be seen as a conclusion to your cybersecurity woes, explains Bharat Mistry, Technical Director (UK) at Trend Micro
Most organisations were hit by surprise when the pandemic struck back in early 2020. But the enterprises that adapted best were those already investing in cloud-centric transformation projects. Next-gen applications and infrastructure offer them the opportunity to become more agile, support flexible working and deliver enhanced customer experiences faster. Yet where there is cloud there is also cyber-risk. As we discovered in a study of IT decision makers across all industries including financial services, there’s a significant disconnect between headline confidence in their security strategy and the day-to-day reality.
The good news is that tools exist today to make cloud security more integrated, easier and a lot more effective than many IT leaders in the financial sector believe. As we approach the anniversary of the GDPR, finding the right security partner is more important than ever.
Driving digital growth
Global financial services organisations have been enthusiastic adopters of digital technology during the pandemic. The vast majority claimed that the crisis had considerably (46%) or somewhat (42%) accelerated their cloud migration plans. Most (86%) feel they are completely or for the most part where they need to be with adoption projects.
Yet these same projects risk broadening the attack surface—creating more workloads for threat actors to target, more accounts and services to potentially misconfigure and more complexity that must be managed. The sector may have more money than many others to spend on cybersecurity, but it’s also a popular target. And the fallout is often greater. Data breach costs in the financial sector are calculated to be the third highest globally, after energy and healthcare—amounting to nearly $6 million per incident.
Yet most (51%) of those financial organisations Trend Micro polled believe that cloud migration has in itself focused their minds more on cybersecurity. A majority (58%) also revealed that they’ve implemented information security training policies to mitigate any risk of user error impacting the business. This confidence extends to the security posture. Most said they feel fully (36%) or mostly (55%) in control of securing the remote working environment, and a similar number (87%) were confident about securing the future hybrid workforce. What’s more, over two-thirds feel certain they’re able to get visibility into data flows as business-critical information is sent from corporate systems to remote workers.
The bad news
All of which seems pretty reassuring. But on closer inspection, we began to notice some chinks in the armour which may indicate more deep-seated challenges. Despite confidence in their security strategy, nearly half (48%) of respondents claimed privacy and security challenges represent a “very significant” or “significant” barrier to cloud adoption. Only 10% felt there was no such roadblock on digital transformation. They singled out setting consistent policies, a lack of integration with on-premises security tech and patching and vulnerability management as the top three operational security headaches in this area.
Also of concern is awareness around the shared responsibility model, which defines how far protection from cloud service providers (CSPs) extends and what the customer is responsible for. Almost all (99%) of those we polled said their CSP provides “more than enough” or “sufficient” data protection. Most (90%) were also very or somewhat confident in their understanding of the model itself. Unfortunately, the reality is somewhat different. Data security is 100% the customer’s responsibility in IaaS and PaaS environments.
It’s not difficult to see how such confusion could expose financial services organisations to greater cyber-risk. Assuming your provider is taking care of data security, or any other area for that matter, could lead to under-investment by the customer and critical gaps in protection. On the other hand, it could also mean organisations wasting money on security controls that duplicate what the provider already offers.
Cloud security that works
We were also concerned to see that more financial sector IT leaders believe cloud security adoption makes life more complicated and expensive for them than believe it does not. Over a quarter (27%) think it can also create more silos, when in fact the right tools can, for example, bring IT security and developer teams closer together. Such misconceptions may be based on bad experiences with first-generation tools, or simply the result of skills gaps in responding organisations.
Fortunately, cloud security has advanced considerably in recent years and there are multi-layered platforms out there today which promise seamless connectivity into the major CSP platforms. That means powerful, streamlined security and compliance with a high degree of automation to simplify protection whilst mitigating risk and taking the heat off stretched IT security teams.
The financial services firms quickest to familiarise themselves with this new reality will be those in pole position for digital-powered innovation and growth as they exit the pandemic. There’s no time to waste.