By Stefan Auerbach, CEO, Utimaco
Despite the financial services industry’s annual spending on cybersecurity reaching $600 million – a figure which is growing every year – trust in financial institutions (FIs) remains relatively low. According to new research, which surveyed consumers in countries as varied as the United States, Mexico, Germany, and the UK, just 13% of people across the globe trust FIs completely, while 5% don’t trust them at all. The majority of people around the world say that they only have ‘some’ trust in FIs’ digital security.
As a result, we found that cash remains the most trusted payment option and is believed to be secure by 36% of people. On the other hand, only 12% of respondents said that they believe credit and debit cards are secure. Being prudent about digital security is always sensible of course, but this wariness from customers can directly impact an FI’s bottom line. The tiny processing fees that FIs make on individual card transactions often comprise a huge part of their revenue, so customers using cash due to trust concerns can be problematic.
It also poses an issue for companies trying to expand their capabilities and services: consumers in our research had the lowest levels of trust in cryptocurrency, for example, with only 2% worldwide citing it as secure. Trust plays a crucial role in whether new payment methods achieve mass adoption, regardless of their benefits for the end user. Although our own survey didn’t cover open banking, similar surveys have found that trust is a major factor in why it is not more widely adopted.
What is Zero-Trust?
Many modern-day security systems are not sufficient: once hackers breach the system, they have full access to the company. While it may seem contradictory, a new security framework called zero-trust may in fact be the solution. Think of a secure facility: with zero-trust, everyone has their own biometric profile or passcode that only permits them to enter the parts of the facility that are relevant to their work, and their identity must be verified every time they enter a new area.
Zero-trust fundamentally uses robust access controls and continuous authentication mechanisms to ensure that sensitive financial systems and data are only accessed by authorized entities. This entails meticulous user identity verification through multifactor authentication (MFA) and the least privilege principle, which restricts user access only to the resources required for completing tasks.
This approach is more formidable against modern threats. Everything from account takeover to sophisticated malware attacks makes other forms of security inadequate. Banking trojans are capable of emptying customer bank accounts in seconds and, despite their strong security, banks are not immune from cyberattacks. In 2021, for example, Flagstar Bank lost its members’ social security numbers after it was breached by an attack. Malware attacks on FI companies are extremely frequent, which is why the sector could lose $700 million to cybercrime over the next five years.
Zero-trust’s segmentation strategy breaks the network down into distinct zones, so each segment can be isolated and fortified against specific threats. Network microsegmentation leverages firewalls, intrusion detection systems, and encryption to bolster these barriers.
The zero-trust approach can be implemented by FIs to mitigate data breaches, safeguard customer financial information, and uphold regulatory compliance standards such as PCI DSS and GDPR. As digital channels and remote work arrangements become increasingly prevalent, zero-trust’s holistic and adaptive cybersecurity approach emerges as a cornerstone for bolstering the industry’s resilience against the evolving threat landscape.
However, there are some costs or drawbacks associated with implementing this new security framework. Many FIs, including banks, are still using legacy systems, which means extra security checks are needed. This can hinder the customer experience and increase the possibility for user error. With FIs’ networks located in ‘the cloud’, having full control can also prove difficult. Although a rock-solid zero-trust environment can be created, the companies they work with might not have the same capabilities.
How do you create a zero-trust environment?
Here are some steps for creating a successful zero-trust environment in a financial services company:
- Define your perimeter: Today, the complexity of FIs, compounded by M&A activity and cloud computing, means we must define what is and isn’t within the remit of the company’s zero-trust policy.
- Microsegmentation: Dividing your company’s digital operations into isolated segments is useful when using zero-trust. If a company is compromised by a malware attack but the data is encrypted, then the damage can only spread so far.
- Continually monitor devices: Devices used by FIs are constantly being connected and reconnected, are made up of dozens (if not hundreds) of components, and many of the third parties behind those components may lack security practices of their own. Thus, every device needs to be continually monitored, even after it has passed security checks.
- Data inventory: You need to categorize your company data by its importance and allocate appropriate levels of protection, while ensuring it’s still made available to those who need it. There will need to be strong governance protocols so that going forward every new piece of data can be classified.
- Implement security controls: Finally, systems can be put in place that enable the zero-trust system, deciding what methods of verification are appropriate for each ‘checkpoint’, where to use multi-factor authentication, which types of encryption to use for what data and how to adapt to future threats like quantum computing.
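A compact illustration of how those checkpoints fit together, added here as an example and not Utimaco’s or any FI’s production code: a default-deny policy evaluator that re-checks role (least privilege), network segment (microsegmentation), device health (continuous monitoring) and MFA (keyed to data classification) on every single request. The roles, resources, segments and device names are constructed sample values.

```python
"""Toy zero-trust policy engine (added example, not vendor or FI code).

Every request is evaluated from scratch: role, segment, device posture and
MFA must all pass, and anything not explicitly allowed is denied.
"""
from dataclasses import dataclass

# Data classification levels (the "Data inventory" step); higher = more sensitive.
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_verified: bool    # did this checkpoint see a fresh MFA assertion?
    device_id: str
    segment: str          # network segment the request arrives from
    resource: str
    classification: str   # classification of the data being accessed

@dataclass
class Policy:
    role_resources: dict      # role -> resources it may touch (least privilege)
    resource_segments: dict   # resource -> segments it is reachable from
    healthy_devices: set      # devices currently passing continuous monitoring
    mfa_from: str = "confidential"  # classification at/above which MFA is mandatory

def evaluate(req: Request, policy: Policy) -> tuple[bool, str]:
    """Return (allowed, reason). Default deny: every check must pass."""
    allowed = set()
    for role in req.roles:
        allowed |= policy.role_resources.get(role, set())
    if req.resource not in allowed:
        return False, "least privilege: role grants no access to resource"
    if req.segment not in policy.resource_segments.get(req.resource, set()):
        return False, "microsegmentation: resource not reachable from segment"
    if req.device_id not in policy.healthy_devices:
        return False, "device posture: device failed continuous monitoring"
    if CLASSIFICATION[req.classification] >= CLASSIFICATION[policy.mfa_from] \
            and not req.mfa_verified:
        return False, "checkpoint: MFA required for this classification"
    return True, "allowed"

# Constructed sample policy for a small FI environment (hypothetical values).
SAMPLE_POLICY = Policy(
    role_resources={"teller": {"account-balance"},
                    "compliance": {"account-balance", "kyc-records"}},
    resource_segments={"account-balance": {"branch", "corp"}, "kyc-records": {"corp"}},
    healthy_devices={"laptop-01", "laptop-02"},
)
```

Each denial names the checkpoint that failed, which is the signal a SOC would want to log and alert on rather than a bare "access denied".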
Hardware and software systems which encrypt data and manage the digital keys are the foundations of a zero-trust environment since they allow each user and device to access the parts of the system that they are supposed to access – but nothing more.
Organizations that are best placed to deploy a zero-trust environment usually have the experience of a partner that has been building and integrating these systems for over 40 years.
About the author
Stefan Auerbach, CEO, Utimaco. Stefan Auerbach, who was Chairman of our Advisory Board in 2018, took over the position of CEO in January 2019. Stefan has a background of more than 30 years in R&D, Service, Marketing and Management of Global Sales Organizations for Information Technology and Mobile Security. He started his career in Nixdorf Computer, held several key management positions in Siemens Nixdorf and was a long-term Board Member in Wincor Nixdorf and Giesecke & Devrient.
UTIMACO is a global platform provider of trusted Cybersecurity and Compliance solutions and services with headquarters in Aachen (Germany) and Campbell, CA (USA). UTIMACO develops on-premises and cloud-based hardware security modules, solutions for key management, data protection and identity management as well as data intelligence solutions for regulated critical infrastructures and Public Warning Systems. UTIMACO is one of the world’s leading manufacturers in its key market segments.
550+ employees around the globe create innovative solutions and services to protect data, identities and communication networks with responsibility for global customers and citizens. Customers and partners in many different industries value the reliability and long-term investment security of UTIMACO’s high-security products and solutions. Find out more on www.utimaco.com.