Banking on a secure (open) data influx

by Adam Palmer, 31 Aug 2020

The advent of open banking means that financial organisations now have the opportunity to cross-sell and tailor financial products by accessing consumer data through different authorised third-party providers and vendors.

While open banking presents new business opportunities, this more connected ecosystem further expands the cyber-attack surface and creates potential pathways for attacks.

Security teams now also face added pressure to maintain the confidentiality and integrity of data required by other global regulations – such as the GDPR (General Data Protection Regulation) and the PSD2 (Payment Services Directive 2) – when processing personal data relating to citizens of the European Union.

With banks opening their systems to authorised third-party financial service providers, security needs to form the foundation of this initiative. Therefore, it’s critical for financial leaders to focus on effective risk management in this unique, new and complex digital environment. Following are five key considerations for successfully managing potential security risks in relation to open banking.

The first is the limitations of legacy systems. Traditional IT systems in financial organisations tend to consist of data silos and outdated operational processes that are not integrated with new market technologies and requirements. When these systems are mixed with cloud-based open banking technology, scanning the digital environment for vulnerabilities becomes more complex, because traditional vulnerability management solutions weren’t designed to handle an attack surface of this size and complexity. As a result, organisations can completely miss critical vulnerabilities across their dynamic environments.

The second is access to critical systems and internal data. Open banking requires an effective verification and access management strategy so authorised users can gain access to the network. Implementing strong privileged access management protocols for sensitive data helps protect critical systems and limits access to confidential data.

The third potential security risk is the fact that Australia’s financial sector has always been an attractive target for cybercriminals, so staying vigilant and focusing on key risks is imperative. A report from Tenable Research has shown that 73% of vulnerabilities still exist within 30 days of the first assessment. Beyond that, 32% of those flaws still lurk after a year, and the vast majority of those over a year old are never dealt with.

The same research also found that only 5.5% of organisations were able to remediate more vulnerabilities than they discovered in their systems, meaning that 94.5% of organisations are falling behind and building a deficit of vulnerabilities. This shines a spotlight on the fact that attaining 100% remediation is unsustainable for most organisations.

With so many threat vectors and vulnerabilities emerging in the financial environment, it’s challenging for security professionals to know which ones to focus on first without the right resources and insight. This exposes organisations to excessive and unnecessary cyber risk.

By taking a risk-based approach to vulnerability management, financial organisations can focus on the vulnerabilities and assets that matter most to the business instead of wasting valuable time on vulnerabilities that have a low likelihood of being exploited.

The fourth potential issue is around managing risk across third-party providers. Every decision and technology investment made within a business has long-term implications, and this is particularly true in an open banking environment.

One solution for managing compliance and policies is to use a cloud access security broker (CASB). In an open banking environment, it’s essential that businesses secure connected SaaS applications through a security gatekeeper like a CASB to ensure security as well as prevent data loss. Integrating all applications into a central identity and access management solution can also protect data and provide a centralised platform for monitoring.

The fifth and final consideration is the ability to measure security by risk reduction. To understand the level of risk, security leaders need to know the business and the compliance requirements, and benchmark the security program both internally and externally. By doing this, they can pinpoint their level of risk without blindly applying generic maturity levels. The security team can focus on identifying and reducing critical vulnerabilities that are most likely to be exploited.

While open banking is kick-starting a financial revolution in Australia, it’s also providing access to a large amount of consumer data – an open target for cybercriminals. Retaining customer loyalty depends on an organisation’s ability to secure all assets and make customers feel safe. Effective cybersecurity management should be considered a cornerstone of trust to ensure both financial organisations and consumers can safely benefit from the opportunities of open banking.

Adam Palmer, Chief cybersecurity strategist, Tenable