Financial institutions should adopt a zero-trust approach to security

By Avinash Gupta, General Manager at AlphaCodes

The BFSI sector is one of the most vulnerable

to cyberattacks, even in a ‘normal’ business environment. However, the pandemic has placed addition pressure on this industry, as organisations not only have to deal with a large percentage of users working from home, but also with evolving risks and ensuring compliance with regulatory requirements. At the same time, the sector also has to protect both its customers and staff while encouraging the adoption of remote transacting and access.

Organisations within critical business sectors such as BFSI, manufacturing, healthcare and fuel and energy must protect three fundamental things: data, devices and applications, as well as the network itself. Traditional perimeter-based network security architecture is allowing trusted users to access resources on the network infrastructure and kept unauthorised users out. Yet, as companies become increasingly distributed and their workforces operate outside the corporate network, this methodology no longer works effectively and poses a significant security risk.

Instead of relying on traditional perimeter-based security architecture, organisations should adopt a zero-trust security architecture that always verifies users, irrespective of their role, locality, or managed or unmanaged device – even those already inside of the network perimeter. In a zero-trust security framework, each user, device, and application is verified and authenticated with contextually aware tools. Zero-trust security architecture enables users to securely access applications and sensitive data from anywhere, using any device. This allows organisations to achieve agility, improved efficiency and to reduce IT costs, without losing control over their data, devices, users and networks. The best starting point for this journey is to replace the traditional perimeter-centric view of security with an identity-centric approach that confirms secure access for various user types, irrespective of their location, device, or network. Any specific solitary solution can’t solve for all aspects of zero-trust security, so it is critical to leverage identity to optimise mitigation across the security stack.

Organisations must also keep in mind that the Protection of Personal Information (PoPI) Act became effective on 1 July this year and will be mandatory for all companies. The Act is especially important for those operating with the BFSI sector, as they process clients’ personal information. It requires the implementation of technical and organisational measures to secure the integrity of personal information, and to guard against the risk of loss, damage, or destruction to or of such personal information. The best way to achieve compliance with this legislation is to update or create an organisational security policy that refers to clear, comprehensive, and welldefined plans, as well as compliance, rules and practices that regulate access to an organisation's systems and information.

Implementing a zero-trust architecture will also assist with PoPI Act compliance, as this makes up for any lack of visibility by allowing for discovery of data flow at every access point within and across networks and platforms by requiring that all communication be verified across every channel. By adopting a zero-trust posture, companies are able to automatically discover and inventory all assets, including applications and databases and incorporate asset management into their security plan. This has the effect of reducing the attack surface, providing accountability and transparency, and showing that organisations and their clients are taking data privacy and security seriously. Providing this type of proof is one of the requirements of the PoPI Act.  Avinash Gupta, General Manager at AlphaCodes