IoT and Financial Services: Back to the Future.
What to Do Now to Prepare for and Leverage the Inevitable.
Debate over whether IoT will transform financial services is over. The opportunities that arise from a deep understanding of contextual customer behavior make IoT adoption a question of “when”, not “if”.
In this article, we’ll explore why this transformative trend is inevitable, the inherent risks, and how financial services firms should prepare for and leverage the results of a connected world.
Opportunities Arise from Connected Devices
If we were to define the single biggest customer challenge for any financial services firm, an accurate (albeit oversimplified) statement may be: to find the intersection of what a customer needs, when they need it, and how it aligns with what a financial services firm has to offer.
It’s a problem rooted in a lack of information and context. Not knowing “when” and “why” a customer is looking is the reason we see a flood of insurance ads and mailboxes full of credit card offers.
In the absence of context, financial services firms simply try to grab customer attention everywhere knowing that their offers are hitting at the wrong time.
But what if all the data were available in real-time?
A few examples:
• Smart branches – Using a combination of facial recognition technology and sensors, a customer could walk into the branch, and a teller would know the customer’s name, their history, and the most likely reason they are visiting.
• Mortgage and Insurance Intelligence – Using sensors to understand both the physical aspects of a structure and the environmental status of the area (water table, seismic activity, erosion) would help both underwriters and mortgage holders determine risk.
• Custom offers – Based on a customer’s online banking activity coupled with location data, a bank could send a customized offer when the customer’s mobile phone is within a mile of a branch.
Obviously this is just the beginning. The opportunities that result from a deep, contextual understanding of customers, their behavior, and anticipated needs are incredible.
The Downside: Attracting Bad Actors
Of course, any time data is collected and analyzed to better understand and provide value to customers, there are those who seek to steal the data for nefarious purposes. Just recently, Frost Bank announced that it had detected unauthorized access into a third-party lockbox software program that allowed unauthorized users to view and copy images of checks stored electronically in the image archive. In short, information from the accessed images can be used to forge checks.
Additionally, the simple economics of IoT devices dictate that each connected device must be manufactured as inexpensively as possible. The value of the data collected must far outweigh the cost of the device, and when cost is a major driver, security is often the first sacrifice made.
To put some context around IoT security:
• 70 percent of IoT devices are vulnerable to attack
• A 2017 report from F5 Labs showed that IoT attacks grew 280% from a prior six-month reporting period, with a large chunk of this growth stemming from Mirai malware.
• In 2017, 8.4 billion connected devices will be in use worldwide—up 31% from 2016, according to a Gartner report. That means that the number of Internet of Things (IoT) devices on the globe will surpass the number of people alive this year, with spending on IoT endpoints and services predicted to reach nearly $2 trillion.
Finally, in a TechRepublic article on the biggest IoT security threats facing the enterprise in 2017, Chip Witt from HPE Security Research described the issue concisely:
“IoT sensors, with their limited computing power are only as secure as the firmware running on them, which means that their security posture depends on the readiness of device manufacturers to quickly react to attacks when they happen. Successful attacks on IoT sensors are difficult to detect because of the limited access to the device’s system state, insufficient computing power for endpoint protection software to be installed on them, and lack of security compliance standards for IoT security best practices.”
Like any new technology, IoT is an enabler, to be used for good or for bad depending on intent. Let’s look at how financial services firms can leverage the positives while minimizing risk.
The Key to IoT: Universal Visibility
You can only secure what you can see. A simple statement, but one that is a central tenet and difficult challenge in cybersecurity. While every financial services firm employs multiple security solutions like SIEM, EDR, Vulnerability Assessment, and Mobile Device Management, those solutions can only protect those devices they know about.
In talking with many CISOs in financial services, we often ask how many devices are in a firm’s environment.
We usually hear one of two answers:
1. “Between 10,000 and 30,000.”
2. “I don’t know. That’s a difficult question to answer.”
And that’s totally understandable. Given the explosion in the number and types of devices that are hitting our networks, it’s very difficult to answer even the most basic question: how many devices do I have, and are they secure? While each of the security solutions can answer a piece of the overall visibility puzzle, firms don’t have a way to get a single view and cross-correlate. All of the answers are there, but are fragmented into separate silos.
Enter Cybersecurity Asset Management
The newest approach to universal device visibility and control is cybersecurity asset management. By connecting to all of the different security and management systems in an organization’s environment, customers are able to get a unified view of all devices – both managed and unmanaged – as well as the security status of each device.
This approach aims to answer 6 essential questions about every device:
1. Is the device “known” and managed?
2. Where is the device?
3. What is it?
4. Is the core software up to date?
5. What additional software is installed?
6. Does the device adhere to my security policy?
Once implemented, a cybersecurity asset management solution is able to answer questions that couldn’t be answered before. These are things like:
• Which of the devices in my environment do not have the endpoint security agent required by my security policy?
• Are there devices that are unknown to my vulnerability assessment scanner?
• Are there devices that have deleted their EDR software?
• Which devices are completely unmanaged, yet have network access?
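The cross-correlation behind those four questions can be sketched in a few lines; this is an added example, not Axonius code or anything from the original article. It merges constructed exports from a network source, an EDR console, a vulnerability scanner and an MDM into one record per device and reports the coverage gaps. The source names, field names and the use of the MAC address as the join key are assumptions (randomized MACs or multi-NIC hosts need a stronger identity), and a long-silent EDR agent on an active device is used as a proxy for a removed agent.

```python
from datetime import date

def norm_mac(mac):
    """Reduce any MAC notation to aa:bb:cc:dd:ee:ff so tool exports correlate."""
    h = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

# Constructed sample exports (not real data); each tool sees part of the fleet.
TODAY = date(2017, 11, 20)
NETWORK = [  # DHCP/NAC view: every device that actually has network access
    {"mac": "AA-BB-CC-00-00-01", "seen": TODAY},  # laptop
    {"mac": "AA-BB-CC-00-00-02", "seen": TODAY},  # workstation
    {"mac": "AA-BB-CC-00-00-03", "seen": TODAY},  # phone
    {"mac": "AA-BB-CC-00-00-04", "seen": TODAY},  # IP camera
]
EDR = [
    {"mac": "aa:bb:cc:00:00:01", "seen": TODAY},
    {"mac": "aabb.cc00.0002", "seen": date(2017, 9, 1)},  # agent went quiet
    {"mac": "aa:bb:cc:00:00:05", "seen": TODAY},          # off-network laptop
]
SCANNER = [{"mac": "aa:bb:cc:00:00:01"}, {"mac": "aa:bb:cc:00:00:03"}]
MDM = [{"mac": "AABBCC000003"}]

def correlate(**sources):
    """Merge per-tool records into one entry per device, keyed by MAC."""
    devices = {}
    for name, rows in sources.items():
        for row in rows:
            devices.setdefault(norm_mac(row["mac"]), {})[name] = row
    return devices

def coverage_gaps(devices, stale_days=30):
    """Answer the four coverage questions for devices currently on the network."""
    gaps = {"no_edr": [], "edr_stale": [], "unscanned": [], "unmanaged": []}
    for mac, src in sorted(devices.items()):
        net = src.get("network")
        if net is None:
            continue  # known to a tool but not on the network
        if "edr" not in src:
            gaps["no_edr"].append(mac)
        elif (net["seen"] - src["edr"]["seen"]).days > stale_days:
            gaps["edr_stale"].append(mac)  # agent silent while device is active
        if "scanner" not in src:
            gaps["unscanned"].append(mac)
        if not src.keys() - {"network"}:
            gaps["unmanaged"].append(mac)  # no tool knows it, yet it has access
    return gaps

DEVICES = correlate(network=NETWORK, edr=EDR, scanner=SCANNER, mdm=MDM)
GAPS = coverage_gaps(DEVICES)
```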
At Axonius, we’ve developed a cybersecurity asset management platform that allows customers to see and secure all devices. By easily integrating with customers’ existing management and security technologies, and using an extensible plugin infrastructure to add custom logic, customers are able to get a unified view of all devices – both known and unknown. A very brief look at our approach follows:
The use of IoT devices will transform the relationship between financial services firms and their customers, but the size of the opportunity presents risk. By taking steps to proactively see and secure all devices, firms can leverage the benefits of this inevitable shift in technology while minimizing risk.
Nathan Burke is Chief Marketing Officer at cybersecurity asset management startup Axonius. Passionate about bringing new cybersecurity technologies to market to solve real problems, Nathan has held marketing leadership roles at Hexadite (acquired by Microsoft), CloudLock (acquired by Cisco), and is a frequent contributing author on topics related to the intersection of collaboration and security.