A zero trust environment is critical for financial services
Source: Finance Derivative
Boris Bialek, Managing Director of Industry Solutions at MongoDB
Not long ago, security professionals were still focused on protecting their IT in much the same way that mediaeval guards protected a walled city – concentrating on making it as difficult as possible to get inside. Once past this perimeter, though, access to what was within was endless. For financial services, this means access to everything from personally identifiable information (PII), including credit card numbers, names, social security information and more ‘marketable data’. Unfortunately, we have many examples of how this type of security doesn’t work: the castle gets stormed and the data isn’t protected. The most famous is still the Equifax incident, where a small breach has led to years of unhappy customers.
Thankfully, the mindset has shifted, spurred on by the proliferation of networks and applications across geographies, devices and cloud platforms. This has made classic point-to-point security obsolete. The perimeter has changed; it is fluid, so reliance on a wall for protection also has to change.
Zero trust presents a new paradigm for cybersecurity. In this context, it is already assumed that the perimeter is breached, no users are trusted, and trust cannot be gained simply by physical or network location. Every user, device and connection must be continually verified and audited.
It might seem obvious, but it bears repeating: with the amount of confidential customer and client data that financial institutions hold – not to mention the regulations – this should be an even bigger priority. The perceived value of this data also makes financial services organisations a primary target for data breaches.
But how do you create a zero trust environment?
Keeping the data secure
While ensuring that access to banking apps and online services is vital, it is actually the database that is the backend of these applications that is a key part of creating a zero trust environment. The database contains so much of an organisation’s sensitive, and regulated, information, as well as data that may not be sensitive but is critical to keeping the organisation running. This is why it is imperative that a database is ready and able to work in a zero trust environment.
As more databases are becoming cloud based services, a big part of this is ensuring that the database is secure by default, meaning it is secure out of the box. This takes some of the responsibility for security out of the hands of administrators because the highest levels of security are in place from the start, without requiring attention from users or administrators. To allow access, users and administrators must proactively make changes – nothing is automatically granted.
As more financial institutions embrace the cloud, this can get more complicated. The security responsibilities are divided between the client’s own organisation, the cloud providers and the vendors of the cloud services being used. This is known as the shared responsibility model. It moves away from the classic model where IT owns hardening the servers and security, then needs to harden the software on top – say the version of the database software – and then needs to harden the actual application code. In this model, the hardware (CPU, network, storage) is solely in the realm of the cloud provider that provisions these systems. The service provider for a Data-as-a-Service model then delivers the database hardened to the client with a designated endpoint. Only then do the actual client team and their application developers and DevOps team come into play for the actual “solution”.
Security and resilience in the cloud are only possible when everyone is clear on their roles and responsibilities. Shared responsibility recognizes that cloud vendors ensure that their products are secure by default, while still available, but also that organisations take appropriate steps to continue to protect the data they keep in the cloud.
In banks and finance organisations, there is always lots of focus on customer authentication, making sure that accessing funds is as secure as possible. But it is also important to make sure that access to the database on the other end is secure. An IT organisation can use any number of methods to allow users to authenticate themselves to a database. Most often that includes a username and password, but given the increased need to maintain the privacy of confidential customer information by financial services organisations this should only be viewed as a base layer.
At the database layer, it is important to have transport layer security (TLS) and SCRAM authentication, which enable traffic from clients to the database to be authenticated and encrypted in transit.
Passwordless authentication is also something that should be considered – not just for customers, but internal teams as well. This can be done in multiple ways with the database: either auto-generated certificates that are needed to access the database, or advanced options for organisations that already use X.509 certificates and have a certificate management infrastructure.
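A pre-deployment check for the two paragraphs above, as an added example that is not part of the original article: it inspects MongoDB connection strings and reports those that would connect without TLS, with certificate validation switched off, or without SCRAM or X.509 authentication. The allowed-mechanism policy, the function name and the sample URIs are assumptions made for this illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed policy for this example: SCRAM-SHA-256 or X.509 client certificates.
ALLOWED_MECHANISMS = {"SCRAM-SHA-256", "MONGODB-X509"}
# Connection-string options that switch off certificate or hostname validation.
VALIDATION_BYPASS = ("tlsInsecure", "tlsAllowInvalidCertificates",
                     "tlsAllowInvalidHostnames")

# Constructed sample connection strings (hosts and credentials are made up).
SAMPLE_URIS = [
    "mongodb://app:secret@db1.example.internal:27017/ledger"
    "?tls=true&authMechanism=SCRAM-SHA-256",
    "mongodb://app:secret@db1.example.internal:27017/ledger",
    "mongodb://db1.example.internal/ledger?tls=true&tlsAllowInvalidCertificates=true",
]


def check_uri(uri):
    """Return a list of findings for one MongoDB connection string."""
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        return ["not a MongoDB connection string"]
    # Option names are case-insensitive; keep the last value if one repeats.
    opts = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
    findings = []

    # mongodb+srv turns TLS on unless the URI explicitly turns it off.
    tls_default = "true" if parts.scheme == "mongodb+srv" else "false"
    if opts.get("tls", opts.get("ssl", tls_default)).lower() != "true":
        findings.append("tls is off: traffic is not encrypted in transit")
    for name in VALIDATION_BYPASS:
        if opts.get(name.lower(), "false").lower() == "true":
            findings.append(name + " disables server certificate validation")

    mechanism = opts.get("authmechanism", "").upper()
    has_userinfo = "@" in parts.netloc
    if mechanism and mechanism not in ALLOWED_MECHANISMS:
        findings.append("authMechanism " + mechanism + " is outside the allowed set")
    if not mechanism and not has_userinfo:
        findings.append("no credentials or certificate: connection is unauthenticated")
    if mechanism == "MONGODB-X509" and "tlscertificatekeyfile" not in opts:
        findings.append("MONGODB-X509 selected but no tlsCertificateKeyFile given")
    return findings


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        host = urlsplit(uri).netloc.rpartition("@")[2]  # never print credentials
        print(host, "->", check_uri(uri) or "ok")
```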
Tracking is a key component
As a highly regulated industry, it is also important to monitor your zero trust environment to ensure that it remains in force and encompasses your database. The database should be able to log all actions or have functionality to apply filters to capture only specific events, users or roles.
Role-based auditing lets you log and report activities by specific roles, such as userAdmin or dbAdmin, coupled with any roles inherited by each user, rather than having to extract activity for each individual administrator. This approach makes it easier for organisations to enforce end-to-end operational control and maintain the insight necessary for compliance and reporting.
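Role-based reporting as described above, as an added example that is not part of the original article: it groups audit events under the watched roles userAdmin and dbAdmin, resolving inherited roles so that a user holding a custom role built on dbAdmin is still reported. The events are constructed, trimmed to the fields used and shaped like MongoDB's JSON audit messages; the custom roles and function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed role definitions: role -> roles it inherits from (hypothetical).
ROLE_INHERITS = {
    "opsLead": ["dbAdmin", "clusterMonitor"],
    "securityOfficer": ["userAdmin"],
    "breakGlass": ["opsLead", "securityOfficer"],
}

# Constructed audit events, one JSON document per line.
SAMPLE_AUDIT_LOG = """\
{"atype": "createUser", "ts": {"$date": "2023-05-02T09:14:07Z"}, "users": [{"user": "alice", "db": "admin"}], "roles": [{"role": "securityOfficer", "db": "admin"}], "result": 0}
{"atype": "dropCollection", "ts": {"$date": "2023-05-02T09:20:41Z"}, "users": [{"user": "bob", "db": "admin"}], "roles": [{"role": "opsLead", "db": "admin"}], "result": 0}
{"atype": "authenticate", "ts": {"$date": "2023-05-02T09:21:03Z"}, "users": [{"user": "carol", "db": "ledger"}], "roles": [{"role": "readWrite", "db": "ledger"}], "result": 0}
{"atype": "grantRolesToUser", "ts": {"$date": "2023-05-02T23:58:12Z"}, "users": [{"user": "dave", "db": "admin"}], "roles": [{"role": "breakGlass", "db": "admin"}], "result": 0}
{"atype": "dropDatabase", "ts": {"$date": "2023-05-03T00:02:30Z"}, "users": [{"user": "bob", "db": "admin"}], "roles": [{"role": "opsLead", "db": "admin"}], "result": 13}
"""


def effective_roles(granted, inherits=ROLE_INHERITS):
    """Expand directly granted roles to include everything they inherit."""
    seen, stack = set(), list(granted)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(inherits.get(role, []))
    return seen


def report_by_role(log_text, watched_roles):
    """Map each watched role to the events performed under it, in log order."""
    watched = set(watched_roles)
    report = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        granted = [r["role"] for r in event.get("roles", [])]
        users = ",".join(u["user"] for u in event.get("users", []))
        entry = (event["ts"]["$date"], users or "<unauthenticated>",
                 event["atype"], event["result"])
        # One event can appear under several watched roles via inheritance.
        for role in sorted(effective_roles(granted) & watched):
            report[role].append(entry)
    return dict(report)


if __name__ == "__main__":
    for role, events in report_by_role(SAMPLE_AUDIT_LOG,
                                       ["userAdmin", "dbAdmin"]).items():
        print(role)
        for ts, users, atype, result in events:
            print("  ", ts, users, atype, "result=%d" % result)
```

A non-zero result marks an operation that failed; in the sample, the final event is a dropDatabase attempt that was rejected.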
Next level encryption
With large amounts of valuable data, financial institutions also need to make sure that they are embracing encryption – in flight, at rest and even in use. Securing data with client-side field-level encryption allows you to move to managed services in the cloud with greater confidence. The database only works with encrypted fields and organisations control their own encryption keys, rather than having the database provider manage them. This additional layer of security enforces an even more fine-grained separation of duties between those who use the database and those who administer and manage it.
Also, as more data is being transmitted and stored in the cloud – some of which are highly sensitive workloads – additional technical options to control and limit access to confidential and regulated data are needed. However, this data still needs to be used, so ensuring that in-use data encryption is part of your zero trust solution is vital. This also enables organisations to confidently store sensitive data, meeting compliance requirements, while also enabling different parts of the business to gain access and insights from it.
Securing data is only going to continue to become more important for all organisations, but for those in financial services the stakes can be even higher. Leaving the perimeter mentality to the history books and moving towards zero trust – especially as cloud and as-a-service infrastructure permeates the industry – is the only way to protect such valuable data.
How to identify the signs that your IT department needs restructuring
Source: Finance Derivative
Eric Lefebvre, Chief Technology Officer at Sovos
For firms to execute transformations and meet their overall vision, it is crucial that their CIOs are able to recognise the signs that their department is in need of some internal change. In the current economic climate, CIOs working to fulfil their organisation’s priorities and meet business goals might hesitate to acknowledge that their IT department needs restructuring, never mind be able to identify the signs.
However, these problems rarely fix themselves and organisational restructuring requires conviction and determination from leadership for it to occur successfully. So, what are some of the key signs that CIOs should look out for?
Struggling to keep up with industry demands
CIOs unsurprisingly are working in an extremely demanding environment at the moment. Meeting these evolving demands is crucial for companies. When demands are not met and not handled properly, this can have a lasting impact on organisational goals and objectives, and even impact the way in which transformations are put into effect.
Depending on the organisation’s structure, the way in which being unable to keep up with demands manifests itself can differ. Despite double digit reductions across the industry, the search for talent across the tech world continues, project costs continue to rise as the cost of labour has increased and schedules have been disrupted by significant attrition. Many companies will also find business costs, such as that of third-party software, are higher than planned and technology debt continues to pile up faster than it can be sunset.
Whilst leadership teams might dedicate their department’s attention to the factors discussed above, they may find that their team will fall short when it comes to timely deliverables, helping maintain the organisation’s tech stack and guiding its business transformations. Looking beyond the immediate problems of high costs and considering an internal reshuffle may be the solution for many IT departments.
Internal conflict within the team
Organisational designs with underlying issues can cause constant friction, especially when they go unacknowledged. An IT department that lives in conflict will certainly see this reflected in its results and in less than successful tech transformations. CIOs will find that by adopting an organisational design which works through staffing issues, their teams will better innovate, especially if they can all work together.
Department leads should have a strong understanding of their team’s work environment and guide them through any long-term or potential problems. When an individual is working in a demanding or complex industry, working well with your team shouldn’t be the main impediment to innovation. By acting quickly to eliminate internal conflict, CIOs can better lead and ensure their team’s focus is entirely on producing more optimal outcomes.
Delays are commonplace
When a large amount of your team’s time is spent setting objectives, budgets and timelines for the projects they are working on, it is vital that they are met. When delays are coming from the IT department, they will inevitably hinder the development of any business transformation, especially if it prompts teams to spend excessive amounts of time rearranging budgets and timelines and therefore hindering innovation.
IT departments are a crucial aspect in many different parts of a company’s transformations, so remaining on track when it comes to timelines and innovation is critical to operational plans. If delays have become commonplace in an IT team, and external factors are impacting projects, CIOs should look at restructuring an IT department to solve these issues.
The strongest team relationships do not happen by accident and are the result of good planning, strong leadership and a motivated team. CIOs can ensure this by providing vision and long-term strategy with clear goals and objectives to produce high levels of quality output.
When internal issues are noticed in an IT department, and are noticeably impacting team morale or productivity, this should indicate the need for departmental restructuring. Be that due to an inability to meet market demands, issues with productivity and meeting deadlines or internal conflict, these issues all risk a department’s functionality and an organisation’s ability to achieve its goals. In short, don’t overlook the warning signs!
Why the future is phygital
Source: Finance Derivative
By Eric Megret-Dorne, Head of Card Issuance Services and Service Operations at Giesecke + Devrient
Digital banking has become increasingly ingrained in people’s everyday lives. Today, 73% of people globally use online banking at least once a month. Traditional bricks-and-mortar banks, which have long relied on the in-person experience with customers, are now having to step up their offering. With new ways of working blurring the work-home boundary, banks must ensure a fast, seamless connection between face-to-face processes and virtual customer experiences.
However, this does not mean that physical and digital banking are in competition with each other. In fact, many continue to use physical bank cards, with 1.12 billion in circulation in 2021, which provides the basis for digital payments and offerings. As a result, the benefits of digitalisation should converge with the comfort of physical touchpoints to create a holistic, “phygital” experience.
The path to phygital
Banks are accelerating their digital transformation strategies to keep up with the fast pace of fintech innovations. To meet the changing needs and preferences of customers, the payment world is leveraging new technologies to create personalised experiences through a range of different channels.
While the digitalisation of banking has been underway for quite some time – particularly for younger generations – events such as the Covid-19 crisis forced banks and customers of all ages to use digital tools and processes to compensate for branch, office, and call centre closures. With branches worldwide typically operating at reduced capacity due to social distancing requirements, consumers embraced online banking to avoid both the virus and potentially long queues.
However, some consumers still enjoy physical touchpoints, meaning a digital-only approach won’t suit everyone.
Striking a balance
It’s all about options – consumers now want to freely switch between traditional and digital channels without being forced into one. But how can banks achieve this phygital balance? One way is to equip physical channels with digital capabilities, so that online tools can augment the physical experience. For example, personalised bank cards with a bespoke design can be activated digitally, offering customers an extra layer of convenience. Having to wait for a new PIN to arrive in the mail is a common bugbear for consumers, so bringing card activation processes into the digital ecosystem will ensure a more seamless experience.
Greater automation in the card issuance and activation process enables the benefits of digital to be integrated into the physical banking experience without being intrusive. For instance, self-service kiosks empower customers to print their own cards, reducing the time between acquisition and card issuance, while still allowing for in-branch expertise if needed.
The personal touch
Phygital strategies also give banks a range of valuable data insights that can help them better serve their customers. This includes data on purchasing behaviours and habits, which can then be utilised to improve banks’ offerings and unify the physical and digital brand experience. Using omnichannel data helps to build a hyperpersonalisation strategy to provide real-time services.
In this way, digital solutions help banks maximise their user experience. Whenever a consumer interacts with a bank, it creates data and behaviours. With fragmented databases, legacy systems and real-time data created by interactions with third-party partners through Application Programming Interfaces (APIs), it is not always easy for banks to streamline this data from different sources. By understanding patterns in that data and behaviours, banks can tailor and personalise unique experiences for each and every user.
Where security meets innovation
With big data opportunities abounding, banks should be mindful of their consumers’ security concerns. Customers are now demanding much more transparency when it comes to how information is stored and collected. At the same time, they still desire greater personalisation via digital methods. Therefore, any successful phygital strategy requires robust digital security to ensure customers have the same peace of mind as when they complete physical transactions.
To close the gap between innovation and security, banks should utilise tokenised infrastructure, which ensures the safe provision of payment credentials and securing of customer payments across all touchpoints. This is particularly important as regulations such as PSD2 and SCA demand strong authentication requirements.
The use of a token greatly enhances the consumer experience. For example, it allows for card details to be automatically updated for subscription services upon the expiry of an existing one, avoiding any service disruption. Multi-factor authentication can also ensure an additional layer of security, as it combines a password with verifiable human biometrics such as fingerprints or facial recognition.
Best of both worlds
Every consumer has unique preferences when it comes to banking. Therefore, banks must evolve by bringing both physical and virtual touchpoints into a ‘phygital’ world. Only a phygital approach can meet the needs of all end users – whether they favour an in-person experience, an online one, or a blend of the two. The holistic data insights, personalisation opportunities, and optimised security ensured at every touchpoint are also critical in building future-ready banks.
51% of Apprenticeships Axed: Alternative Ways To Secure The Future of SMEs
More than half of UK-based SMEs expect to increase their workforce numbers by the conclusion of 2023. However, many industries are experiencing a skills shortage problem, instigated by Brexit and a rise in economic inactivity.
One of the solutions has traditionally been the hiring of apprentices. Unfortunately, due to the cost of living crisis, SME apprenticeships are under threat. Financial difficulties led to 51% of apprenticeships being axed in 2022, hindering both the job market and smaller businesses that rely on their talent.
Apprentices are valuable to SMEs for several reasons: they address skills shortages and allow businesses to mould the ideal candidate whilst securing government funding.
Luckily, there are several other ways SMEs can dominate their market, with SME-focused digital marketing agency Add People providing their top tips:
7 Practices All SMEs Should Implement To Succeed:
- Invest In Employees
“Employees are obviously one of the most important elements of a successful business.
By investing in your staff, such as rewarding them for hard work, offering incentives and cultivating a space for them to flourish, you can help your SME succeed. From increased productivity and morale to a more positive workplace that attracts top talent, success often begins here.”
- Create A Strong Digital Presence
“The internet should not be underestimated as a tool for generating business. From allowing individuals to find out information, contact you and even purchase products and services, establishing an online presence is essential. Consumers are also more likely to trust and purchase from a business with a visible, credible online presence, so creating a user-friendly website is more essential than ever.”
- Diversify Revenue Streams
“If the last few years of instability have proven anything, it is that diversifying revenue streams is paramount to mitigating risks. Whether the blockage of the Suez Canal or the mass shipping delays caused by the Covid-19 pandemic, too much reliance on a single product can threaten your business.
Expanding into new products and services means SMEs are resultantly capable of reaching new audiences and new sources of revenue.”
- Collaborate & Form Partnerships
“Small-to-medium-sized enterprises can strongly benefit from collaborating with one another, especially across market sectors. These partnerships can provide your business with access to new resources, to enter new markets and improve your brand image within multiple markets.
Similarly, sharing your knowledge with another market can lead to increased innovation, allowing you to develop and improve both existing products and conceptualise new ones.”
- Use AI & Other Technologies
“AI is one of the most exciting developments of the 21st century and is set to revolutionise all industries. SMEs should be taking advantage of implementing AI into their offering, allowing them to stand out in their relevant markets and retain their competitiveness.
AI can also help to improve the decision-making made by a business due to analytics and insights. These can be particularly useful for any markets that are data-driven, but will ultimately help any business with regard to scalability.”
- Adapt To Industry Trends
“World markets are continually changing, meaning industries are constantly having to evolve. By keeping on top of these changes, you allow your business to remain competitive and attract new customers.
This flexibility is one of the key tools to secure long-term success for any SME, and will allow you to capitalise on new opportunities for years to come.”
- Seek Feedback
“No business will get it right the first time, and the new and unpredictable changes to the market complicate this. Luckily, by always asking your customers and clientele for ways you can improve your business, you gain valuable insights into your consumer demographic and their needs. Learning from this information will allow you to become one of the most valuable and trusted providers within your industry.”
Peter Marshall, Chief Marketing Officer at Add People, a digital marketing agency specialising in small-to-medium-sized enterprises, had the following to say:
“While apprenticeships are a key feature of many SMEs, they are not vital for their success. One of the main reasons that apprenticeships are so popular is the funding that small employers can gain through their recruitment, allowing these smaller businesses to train staff that work to their standards and ethos. This means they are fully trained for a job role when the apprenticeship concludes.
Instead, businesses should focus on long-term solutions at the heart of operations. Making these changes will ensure a healthy future in any market, protecting both the business and the future workforce – including any apprentices!”
Simon Bell, Founder and Director at Careermap, the UK’s leading Early Career website, also had the following to add about apprenticeships:
“Apprenticeships are a win-win situation. Not only for the apprentice but for businesses alike. Training your workforce of the future is vital to keep businesses growing, helping to bridge the skills gap and offering unique perspectives. Reverse mentoring is a hot topic; apprentices can help your organisation do just that by re-energising current employees, encouraging creativity, open-mindedness and innovation.”