For Financial Services, Encryption is Essential – But So Is Performance


The financial services industry is among those hit hardest by consumers' heightened expectations to access information, receive help, and conduct transactions anywhere and at any time via their mobile devices. By 2025, Millennials are expected to generate 46 percent of all U.S. income, and yet over a fifth of them have never written a physical check to pay a bill. Instead, 38 percent use apps and mobile tools to make bill payments, and 71 percent consider their banking relationship to be transactional rather than relationship-driven.

In addition, more than one-quarter (27 percent) of Millennials are completely reliant on a mobile banking app. In fact, they are 1.3 times more likely than Gen-Xers and 2 times more likely than Baby Boomers to rely on a mobile banking app for regular banking activities.

For financial firms, the ability to offer such services represents a competitive advantage, with 75 percent of banks making investments to create and improve a customer-centric digital business model. Aside from benefitting consumers, greater accessibility to data on various devices and applications can also improve employee efficiency, meeting the common request for more open networks.

Personal Data at Greater Risk

This shift to online consumer banking has led to increasing data traffic volumes as more users rely on applications and endpoints to interact with their personal data. Addressing this growing volume of traffic has led many financial institutions to adopt cloud and, increasingly, multi-cloud environments, which means that personally identifiable information (PII) is now regularly travelling across different network domains.

While this increases the accessibility of data for consumers, thereby making financial services firms more competitive, it also means that their data spans a larger potential attack surface, making it more susceptible to cyberattacks. As these attacks become more sophisticated, leveraging artificial intelligence and automation to more effectively detect and exploit vulnerabilities, financial services firms need not only to engage in digital transformation but also to do so securely – protecting the private data of consumers.

Greater Interest in Encryption

Regulators are taking a close look at financial services firms to ensure they are implementing the security controls necessary to keep user data private. One of the core security features being required by these bodies is encryption. Encryption refers to converting plaintext into ciphertext that can only be deciphered with a decryption key. This ensures that data in motion across the network and the web, as well as data at rest in the cloud or data center, cannot be read by anyone without the key – even if it is stolen – adding a strong layer of security.

Encryption for financial services firms is recommended today by several regulatory bodies and regulations, including the Federal Financial Institutions Examination Council (FFIEC) and the new General Data Protection Regulation (GDPR).

  • FFIEC: This Council, which provides standards and principles for the supervision of financial institutions, states that financial services should incorporate encryption to protect personal data in transit and storage.
  • GDPR: This regulation took effect on May 25, 2018 and is changing the way organizations collect, use, and store consumer data. The GDPR expects financial firms to have state-of-the-art security in place to protect data. While these rules do not provide specific security tool requirements, Article 32 of the regulation does recommend the use of pseudonymization and encryption.

These are just two examples of the desire for adding another layer of security to PII within financial networks. Fortunately, this is becoming simpler and more affordable thanks to programs such as the “Let’s Encrypt” project, which provides sites with the tools needed to encrypt data at a low cost. However, there are some drawbacks to encryption that financial services firms must learn to balance in order to provide robust security while enhancing their digital capabilities.

The Challenges of Encryption

Though encryption has been adopted by many organizations to provide data protection as it moves across applications, endpoints, and the cloud, it can also present challenges in terms of productivity and even diminish visibility into potential attacks.

  • Visibility and Encryption

Recent Fortinet FortiGuard Labs infrastructure trends research reveals that encrypted data has grown to nearly 60 percent of all network traffic, rising 6 percent this past quarter alone, which is the highest rate to date. With cybercriminals using SSL and TLS encryption to hide malicious code and exfiltrate data, inspection of encrypted traffic continues to be crucial. Unfortunately, as evolving networks significantly expand their potential attack surface, many legacy threat detection devices and signature-based antivirus tools currently in place are simply unable to keep pace with the volume, variety, and velocity of today’s evolving malware, especially when detection requires processing-heavy inspection of encrypted data.

  • Traditional Security Tools Are Lagging

The high processing power required to inspect encrypted traffic can result in slowed throughput for network security devices, while some firms may not be inspecting encrypted data at all because they assume it’s secure. Of course, without inspection, encryption can simply become a secure mechanism for delivering malware, rendering the security provided by encryption irrelevant. This is why it is important that as encryption is adopted by financial services firms to comply with regulations, they have a security infrastructure in place that can inspect encrypted traffic at network speeds.

The Marriage of Security and Productivity 

Adopting encryption is an excellent step for financial services firms, as it adds security and the ability to comply with a growing number of regulations. However, it is equally important that they are able to maintain visibility across the security infrastructure without compromising performance, which means being able to see into encrypted data streams.

To accomplish this, firms first need to assess the effect encryption has on security throughput and replace isolated point solutions with an integrated security solution that can automatically process large quantities of encrypted data without slowing productivity or hindering visibility – especially since the volume and percentage of encrypted data will only continue to grow.

Next, they need to assess other impacted security processes, such as authentication and segmentation, to understand the effects that encryption technology will have on overall security. This requires being able to see and manage security as a single, integrated framework rather than a collection of largely independent and isolated devices.

For encryption to work in the financial services industry, firms must take an integrated approach within their security strategy to make sure encryption is doing its job: providing critical security and data protection without decreasing the productivity of the security infrastructure as a whole. Encrypted data must be inspected – but at the speed of the network, and without compromising digital business requirements. The use of automation and high-performance security resources tied together in order to extend protection from the network edge out to the cloud and deep across the distributed network will prevent any negative consequences related to protecting data, while ensuring the positive experience that today’s digital consumers demand.

About the author:

Aamir Lakhani is a leading global cybersecurity strategist and researcher with experience in zero-day research, exploit development, network and infrastructure implementation, malware research, digital forensics and cyber underground research. He has worked with multiple vendors and technologies on large-scale deployments, leads research on major global malware outbreaks with multiple competitive security corporations, has appeared on major media outlets discussing cyber security, and is the author of several cybersecurity books.


Copyright © 2018 IDG Communications, Inc.