FSIs have embraced cloud – but what’s next in the name of security?

Stock image of cybersecurity | Accenture Federal Services and Google Public Sector

The financial services industry is evolving. The pandemic highlighted a growing desire among customers to be able to do all their banking digitally. As a result, the banks have embraced digital as a transformational advantage, to meet the demands of customers seeking seamless, reliable and “always-on” solutions.

In an industry well known for caution, taking to the cloud was a big step for banks as they sought to move on from legacy systems and modernize, whilst remaining compliant in a highly regulated field. The introduction of remote working presented a particularly good opportunity to implement these long-awaited changes, but it was also a strategic move. Traditional institutions face stiff competition from fintech challengers and neo-banks with an eye on customer service and low overhead costs, as they gain ground due to customers responding to app-based offerings.

The cloud offers the flexibility and agility that organizations now need to compete in an ever-changing economic landscape, with the ability to scale up, quickly, in ways that simply had not been possible in the past. Alongside a strategic edge, cloud platforms can also offer increased cost efficiencies, greater integration and security – the latter of which has never been more critical for financial services organizations in light of the increasing threat of cyber attacks.

A key target for cybercrime

Cloud, mobile, and edge platforms have driven unprecedented business innovation, adaptation, and resilience within the financial services sector during the last few years, but this broad mix of technologies has also introduced incredible complexity for security and compliance teams. In the new hybrid working reality, security operations must keep pace with safeguarding identities, devices, data, apps, infrastructure and identify where blind spots may exist across a broad new set of users, devices and destinations.

These challenges come at a critical time – as organizations around the world are forced to reckon with sophisticated ransomware and nation-state attacks, with financial institutions considered the prime target for cyber criminals. Last year, cybersecurity incidents targeting UK FSIs increased by 52 percent according to the Financial Conduct Authority (FCA), with one in five incidents involving ransomware and a third classed as data breaches.

Despite investing heavily in security and data protection and being among the best prepared and capable industries at detecting and responding to cyber incidents, the increasing sophistication of attacks, including those by nation-states, is an important reminder for firms to make continuous improvements to their security infrastructure.

To defend against today’s threats as well as tomorrow’s, security teams must have ready access to all security data. But as the volume of those security data points continues to grow exponentially, a one-size-fits-all model is no longer sufficient – and that’s where multicloud comes in.

 A changing regulatory environment

To predict and prevent cyber threats, firms must look at ways to bolster their operational resilience and third-party risk management, whilst retaining all the benefits of the cloud. By moving away from a single cloud provider model and diversifying provider partnerships, FSIs can ensure that they are better prepared to mitigate the risks they are exposed to, whilst also adhering to the increasing regulatory oversight in this area.

All regulatory modernization that provides a safer and more resilient environment for digital transformation and competitive innovation is to be welcomed, including recent recommendations from the Bank of England around the role of cloud service providers in modern financial services and the importance of establishing a Critical Third Party (CTP) regime.

Although the UK’s FSI regime does not prohibit any financial services function being migrated to private or public cloud, the government and regulators are rightly focused on ensuring the correct customer outcomes. Their attention is on the materiality and systemic importance of the service, and accountability for the risk and control environment on the part of the financial firm, which makes security a more crucial element of a cloud strategy than ever.

When the business goals and compliance obligations of financial institutions and the rising concerns around cyber threats are combined therefore, it is clear that security is the defining opportunity and challenge of our time. To address this, more financial organizations are investing in a multicloud strategy – by spreading their operations across multiple cloud service providers.

Looking to multicloud

Flexibility and choice are clear requirements for businesses looking to innovate in line with developing customer expectations and fierce demand for digital experiences. Investing in a mix of cloud providers and the tools that accompany them is one such way that firms can embrace the challenge. Many organizations are looking at their requirements and going hybrid: adopting a cloud in some areas of their business, whilst retaining other business information on premises – primarily for regulatory reasons. While other companies are choosing multicloud with strategic intent, by deploying additional cloud platforms for specific purposes, such as a cloud just for AI.

A recent study from Microsoft found that the majority of Fortune 500 companies say they are likely to make changes to their cloud infrastructure in the next year, including half who plan to increase the number of cloud providers they are using.

Done well, multicloud and multi-platform strategies allow banks to address business demands including scalability, risk management and the ability to govern data and digital sovereignty. However, deploying a multicloud environment isn’t without its challenges. As the cloud environment grows and becomes more disparate, misconfiguration can occur and put the organization at risk if processes aren’t tightened up and safeguards put in place.

Control and visibility

In a multicloud world, the number of platforms, devices, users, services, and locations multiplies exponentially and grows at an abundant speed, so securing those dynamically changing identities and permissions, wherever they are, is a core pillar of multicloud protection.

Bringing in strong governance from day one is the only way to ensure that an organization can reap the benefits of a multicloud approach and be best placed to shore up their security and compliance obligations from the start. Managing multicloud environments doesn’t always have to be a challenge, as long as organizations ensure that their security solutions can reduce complexity and deliver comprehensive protection.

Ultimately, the goal is to ensure that customer and business data remains secure and compliant. This can be achieved by working with a cloud provider to develop a standard way to deploy, operate and monitor cloud-native applications in whichever environment the organization has chosen, private clouds or on-premises environments. Solutions such as Microsoft Defender for Cloud identifies configuration weak spots to help strengthen the organization’s overall security position and provides threat protection across workloads – from a single viewpoint.

Ensuring that IT teams have full control and visibility across the multicloud environment, allows them to take stock of all evolving cyber risks and identify potential blind spots, as well as control access to workloads, devices and digital identities. As these environments become more complex, the risk of cyber breaches and ransomware attacks remaining unnoticed across the network grows, so it is imperative that security teams have access to tools which offer one single view of the entire data estate across multiple clouds. For example, as alert fatigue becomes a growing problem for overstretched teams, these tools can enable security teams to identify the most pressing threats and take action, at the right time. This will enable the financial services sector to govern, protect and manage the entire data estate and spot malicious attacks before they are able to cause widespread damage – by cutting through to see the alerts that need urgent attention

Although the cloud is not the panacea for every challenge that financial organizations face in 2022, it can be a pivotal tool for the sector’s much needed modernization. As part of a considered and informed digital transformation strategy, supported from the top down by business leaders and governed robustly by skilled teams, cloud can allow banks to truly revolutionize their customer experience and compete in a post-pandemic digital-first environment.