Finance

Submarkets

  • Banking
  • Insurance
  • Pension
  • Professional Services


Knowledge on threat actor motivation and tactics

Using NCSC data and the MITRE ATT&CK framework, we know which actors target financial organizations and which tactics, techniques and procedures they commonly use.

Cloud initiatives of EU institutions

We provide support with implementing cloud security in line with European Banking Forum.

Long-standing experience in TIBER

As part of the first wave of TIBER-NL, Secura has a good grasp of TIBER-EU and maps results onto the MITRE ATT&CK framework to support further blue team training.

Trust is critical in the financial industry. Whether you are an (inter)national bank, an insurance company or a pension fund, you manage large sums of money as well as fraud- and privacy-sensitive information. This makes you an attractive target.


Realistically, however, a substantial share of data breaches (about 1/3) happens via internal actors, most often caused by a misconfiguration or an error. About 2/3 of breaches come from external actors, led by financially motivated organized crime. Most initial entries happen via web application attacks or simple errors in systems (misconfigurations). Preventing a hacker from transferring money from your accounts or stealing your confidential data, and withstanding large-scale DDoS attacks, is key to maintaining customers’ trust. You have to remain at the forefront of security to protect against both inside and outside threats. Key areas to win in the CIS baselines are: 1) security awareness amongst employees (CSC 17), 2) boundary defense (CSC 12) and 3) secure configurations (CSC 5 and CSC 11).

The financial world is regulated through specific law, regulations and joint organizations. For instance:

  • Central banks require financial institutes to be in control of the risks to the security of their systems. This implies that regular audits and tests need to be performed on all of their systems. One of these is TIBER: Threat Intelligence Based Ethical Red-teaming. This started with banks, but applies to insurance companies and pension funds too.
  • If financial institutes use (third-party) cloud infrastructure, this needs to be reported to the central bank of that country, such as the Dutch Central Bank, or at the European level in line with directives from the EBF.
  • The Payment Services Directive (PSD2) from the EU helped create the Single Euro Payments Area (SEPA) and currently forces banks to open up their infrastructure to third-party service providers.
  • The payments domain is heavily dependent on SWIFT (and the SWIFT payment gateway).
  • The card payments domain is governed by the Payment Card Industry (PCI).


All of these regulations include security requirements, along with requirements to audit, test and provide proof that the risks have been reduced to an acceptable level. In many cases the bar is set high. Requirements are extensive and stringent, and there’s no winging it.

How to secure the financial market?

From testing physical ATMs to creating money by tweaking exchange rates, from exposing insight into all your pension recipients to hacking your mobile app, or from running a TIBER exercise at an insurance company to testing your new cloud solution’s link to the SWIFT network, we would welcome the challenge. We can help you improve the security maturity level of your organization and the security of your products and services. We can help you with a variety of (compliance) testing and auditing. We do this by offering the following services.

People

Cases of phishing and social engineering are often the initial step in larger cyber-attacks and prove that even established organizations with Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) in charge of security have to face the reality that the human factor remains a critical one. Employees have access to sensitive data and exchange important files. Even though they may have the knowledge and be aware of security aspects, getting them to behave accordingly requires a comprehensive security awareness and behavior program.

Process

From a process perspective, most financial institutions have processes and controls in place as defined in ISO 27001 or COBIT, alongside best practices from the DNB and full security integration in their CI/CD processes. Assurance over their effectiveness, from GRC levels of organizational control down to the operational control level, requires state-of-the-art audit capabilities combined with in-depth security knowledge, such as Secura has.

For organizations in the financial sector, security management for vendors and partners is key. This holds for cloud service providers and software providers, but also, for example, for the cleaning company. When your suppliers take a less rigorous approach to security, this can put you at risk. Security needs to be part of vendor management.

Technology

The huge digital footprint of financial organizations requires continuous updating and patching of your systems to stay ahead at all times. All sorts of cloud and mobile app solutions are combined to offer ever-better services to customers, but they have to be secure. Not only does each of these systems need to be (pen)tested separately and checked for vulnerabilities, the true risks often hide in the grey areas between the various platforms. Even with reputable SIEM/SOCs in place, these control systems cannot be trusted blindly. Our Red Team thoroughly assesses security in detail (including social engineering), while our training courses help your team learn how to incorporate security independently.

Contact us

Contact us by phone or email and we will get back to you within 24 hours.

Ronald Meyer Senior Account Manager call +31 (0) 88 888 31 00
Partners of Secura

Cybersecurity is more than technology alone. Secura collaborates with partners in compliance and risk management, integrated application security, privacy, IT- and internet law and certification.