Why Financial Services Must Adopt a Zero Trust Approach to Cybersecurity

By Dan Panesar
July 5, 2018

The current approach to cybersecurity within the financial services industry is flawed. Regulations such as the new General Data Protection Regulation (GDPR) and New York State’s DFS Cybersecurity Regulation are now being enforced, putting ever-greater pressure on data protection. Combined with the fact that financial services is one of the most targeted industries, this means regulatory and consumer eyes alike are firmly on financial institutions to improve their cybersecurity processes and models.

If they haven’t already, then the 146 million records of U.S. consumers stolen in the Equifax breach should be causing alarm bells to ring; there is no excuse for any organizations that don’t have proper cybersecurity and data protection processes in place.

Fundamentally, the current “protect, detect, react” approach is no longer fit for purpose; instead, firms must focus on the critical element of breach “containment,” and this can only be achieved by adopting a Zero Trust approach to cybersecurity.


Dated Security Postures

Unsurprisingly, the financial services industry is a prime target for hackers. In 2016, it was attacked 65% more than the average organization across all industries, and according to IBM, 200 million financial services records were breached in 2016, a 900% increase from 2015. 

Yet these breaches are not occurring at companies that have failed to recognize the risk to customer data; indeed, many have occurred at organizations that are meeting regulatory compliance requirements to protect customer data. Clearly, organizations are struggling to lock down data against the continuously evolving threat landscape. Moreover, it is becoming ever more apparent that regulatory compliance is no safeguard against a data breach.

Meanwhile, the motivation to attack the industry is not likely to diminish. The goldmine of sensitive data – from credit card to consumer details – means that financial institutions are likely to be under constant attack from hackers trying to find weaknesses in the network so they can get in. So whilst the regulators are taking an increasingly hard stance on data protection, organizations that take a regulation-only approach to cybersecurity are actually putting themselves at greater medium- to long-term risk. 

The reason should be apparent: with new threats emerging weekly, the time lag inherent within the regulatory creation and implementation process is a problem. It can take upwards of 24 months for a regulatory body to understand and identify weaknesses within its existing guidelines, update and publish requirements, and then set a viable timeline for compliance, often 12 to 18 months.

During this time, an organization with a security strategy dictated by compliance is inherently insecure. Furthermore, these are catch-all standards that are both open to interpretation and fail to address specific business needs or operational models, immediately creating security weaknesses.

And worse, they actually provide hackers with an “access blueprint,” as weaknesses in the security model that are not covered by regulation are clearly visible for any hacker to exploit.

Innovation is needed.


Zero Trust Security

The entire security model is flawed, not least because most regulatory bodies are still adhering to the “secure the border” model. Breach prevention, and even breach detection, are not adequate security postures. They assume a level of trust: that anyone or anything inside the border is trusted until proved otherwise. But this is patently untrue, as the raft of breaches, many of them undetected for months, reveals.

The solution lies in the Zero Trust model. A phrase coined by Forrester, the Zero Trust approach to cybersecurity abolishes the idea of a trusted network inside the corporate perimeter. It assumes that you can no longer trust anything that is within the extended infrastructure – no users, apps or devices. It assumes that the network can be compromised at any time, by anything. 

This means decoupling security from the complexity of the IT infrastructure and addressing specific user/IoT device vulnerability. Instead of firewalls, network protocols and IoT gateways, organizations should consider data assets and applications; and then determine which user roles require access to those assets.

Building on the existing policies for user access and identity management, organizations can then deploy cryptographic segmentation to ensure only privileged users have access to privileged applications or information. Each cryptographic domain has its own encryption key, making it impossible for a hacker to move from one compromised domain or segment into another: user privileges simply cannot be escalated to reach sensitive or critical data. In the inevitability of a breach, the threat is therefore both contained and rapidly identifiable, and any fallout is limited.


Conclusion 

Organizations are understandably concerned about the financial penalties associated with failing to achieve regulatory compliance. But take a step back and consider the financial implications of a data breach or of a high-profile customer data compromise. That is a far more significant cost and an event that will have long term repercussions on customer perception and loyalty.

If the financial services industry is to keep itself out of the headlines and prevent high-profile data breaches, then attitudes need to change. The heavy focus on regulatory compliance over data security means that financial institutions will not achieve the robust security posture required to protect data against the continually evolving threat landscape.

It is time to ensure that innovation plays a part in security best practice and deploy solutions that are in line with a Zero Trust approach.

KEYWORDS: cybersecurity compliance data breach finance cybersecurity security posture


Dan Panesar, Certes Networks, has a real passion and love for sales. This is reflected by more than 12 very successful years in various leading-edge technology sales roles with organisations including Sipera Systems and Avaya Inc. Prior to joining Certes, Dan advised and worked with a number of UK-based cyber security start-ups through the Cylon (Cyber London) accelerator program.
