The impact of global cybercrime is shocking:
- 38.5% of firms have experienced a cyberattack in the past 12 months;
- 21% of cyberattacks result in costs exceeding €5M.
Financial services is arguably the industry most targeted by hackers. As such, these numbers will likely skyrocket as the industry undergoes disruption.
Disruption driven by consumer demands and regulations
Consumers today expect more personalized and self-driven digital experiences. In banking/payments, this means easier access to their money within the context of their digital lives.
At the same time, and partly for the same reason, new regulations are coming into effect around the globe, such as PSD2 in Europe, and the OBWG’s (Open Banking Working Group’s) Open Banking Standard in the UK. These regulations will bring radical change to the market, such as the allowance of TPPs (Third Party Processors) by PSD2.
Under the new regulation, TPPs can be authorized by a customer to retrieve their financial data from the issuing bank. This means banks will have to provide TPPs with access to their back end systems to retrieve the data. This access will be facilitated by open (or public) APIs. Interesting new business models are emerging from this environment. But from a security perspective, the complexity of keeping customer data secure will increase significantly.
Prior to PSD2, customer data lived in the bank’s back office, and the APIs used to access it were internal APIs that communicated in a secure, black box environment. But now, these APIs have to leave the back office and be fully exposed to third-party web and/or mobile applications.
In practice, this means that the bank’s back end systems will be accessed via the internet whenever the customer clicks a button onscreen. Such internet-driven interactions make customer data a much softer target for cybercrime. In fact, according to the Verizon 2016 DBIR (Data Breach Investigation Report), 40% of all data breaches occur via web applications.
OK… But how can I protect my open APIs?
For starters, you’ll need state-of-the-art API protection that goes beyond the standard industry protocols. You now need protection against attacks that occur on the path between the internet client and your server (often referred to as Man-in-the-Middle attacks).
Currently, most companies focus on protecting their systems from the outside-in with strong perimeter security. But it’s too easy for hackers to get past the perimeter in an open, distributed environment. And once that happens, you need security that can protect your APIs from the inside-out. Using the latest security technologies, even if the hacker finds the key to break into your vault, they won’t be able to steal what’s inside.
In my upcoming blogs, I will cover in more detail the threats that will increase as a result of disruption and how you can mitigate them using the latest security technologies.