Financial Sector Cybersecurity Is National Security

9 in 10 Americans are concerned about cyberattacks on U.S. financial institutions *1

7 in 10 Americans say the PRC and Russia are the biggest threat to U.S. cybersecurity *1

6 in 10 financial services firms are only in the early or intermediate stages of implementing the NIST Cybersecurity Framework *2

*1 Source: The Pearson Institute and The Associated Press-NORC Center for Public Affairs Research

*2 Source: Cybersecurity Solutions for a Riskier World, ThoughtLab

Key Steps to Take Now

Protect cloud deployments from today’s common problems and tomorrow's challenges.

Fix misconfigurations, excessive privileges, a lack of visibility and compliance, and an overreliance on click-ops (manual activities) that can lead to widespread data spills and exposure of personally identifiable information (PII) and financial data. Use a threefold approach:

  • Build security into the deployment process by default. Small mistakes in the cloud pose big risks because cloud network, data, and access services are seamlessly integrated and automated. Use automated deployment processes to avoid human errors and misconfigurations that can jeopardize sensitive data and systems.
  • Adopt and enable continuous integration/continuous delivery (CI/CD) pipelines that enforce security, end-to-end automation, and compliance from Day One for all cloud infrastructure as code (IaC) deployments. Provisioning cloud infrastructure with code leads to better documentation and auditability of configurations, improves the quality and speed of the development and testing lifecycles, and reduces the level of effort for ongoing operations and maintenance.
  • Enforce least privilege, separation of duties, and role-based access controls for cloud-based person entities and non-person entities to limit the blast radius in the event of compromise. Cloud identity and access management systems are extremely granular and complex because so many services are constructed using application programming interfaces (API)—a legacy on-premises strategy for least privilege is not sufficient for secure cloud operations. 
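As an added illustration (not Booz Allen code), the sketch below shows the kind of check a CI/CD pipeline can run against an infrastructure plan before deployment, failing the build on public or unencrypted storage and on wildcard privileges. The plan schema, resource names, and action strings are hypothetical and constructed for this example; they are not the format of any specific IaC tool.

```python
# Policy gate over a declared infrastructure plan (hypothetical schema).
PLAN = [  # constructed sample input
    {"type": "storage_bucket", "name": "statements-archive",
     "public_access": True, "encrypted": False},
    {"type": "storage_bucket", "name": "app-logs",
     "public_access": False, "encrypted": True},
    {"type": "iam_policy", "name": "batch-job-role",
     "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
    {"type": "iam_policy", "name": "report-reader",
     "statements": [{"effect": "Allow", "actions": ["storage:GetObject"],
                     "resources": ["bucket/app-logs/*"]}]},
]

def check_bucket(res):
    # Missing attributes are treated as non-compliant only where that is the unsafe default.
    if res.get("public_access", False):
        yield "storage is publicly accessible"
    if not res.get("encrypted", False):
        yield "encryption at rest is not enabled"

def check_iam(res):
    for i, st in enumerate(res.get("statements", [])):
        if st.get("effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in st.get("actions", [])):
            yield f"statement {i} allows wildcard actions"
        if "*" in st.get("resources", []):
            yield f"statement {i} applies to all resources"

CHECKS = {"storage_bucket": check_bucket, "iam_policy": check_iam}

def evaluate(plan):
    """Return (resource name, finding) pairs; unknown resource types fail closed."""
    findings = []
    for res in plan:
        check = CHECKS.get(res["type"])
        if check is None:
            findings.append((res["name"], "no policy defined for this resource type"))
            continue
        findings.extend((res["name"], msg) for msg in check(res))
    return findings

def gate(plan):
    """Exit code for the pipeline step: non-zero blocks the deployment."""
    return 1 if evaluate(plan) else 0

if __name__ == "__main__":
    for name, msg in evaluate(PLAN):
        print(f"FAIL {name}: {msg}")
    raise SystemExit(gate(PLAN))
```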

Implement steps to secure your data with zero trust.

Moving to a zero trust architecture (ZTA) can be overwhelming. Organizations often need greater perspective to assess their current cybersecurity posture—and to determine where and when to modernize the infrastructure and capabilities within their current environment to best secure their critical data. Booz Allen recommends the following four-step approach to identifying and deploying new cybersecurity solutions when moving to a ZTA:

  1. Diagnose – Identify current IT capabilities and roadmaps covering the zero trust (ZT) focus areas outlined in guidance issued by the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Department of Defense (DOD). Conduct a ZT maturity assessment to attain objective insights into your organization’s ZT strengths and improvement areas.
  2. Design – Create an overarching ZT strategy, identifying solutions to close critical gaps identified during the diagnose phase. The overarching strategy spans the ZT pillars, provides a unified ZT target state and a multiyear roadmap blueprint, and prioritizes the development of strong governance policies that drive enforcement of conditional access. It’s a comprehensive strategy to enable secure anytime, anywhere access to resources that utilizes risk-based access controls while continually inspecting, monitoring, and alerting on key events. 
  3. Develop – Test new configurations, integrations, and solutions. Conduct proof-of-concept trials of new technologies with a limited user set and develop migration and implementation plans.
  4. Deploy – Reconfigure existing systems using validated implementation plans. Integrate new solutions to support capability gaps. Migrate users to new solutions. Provide continuous visibility by adopting a data-driven cybersecurity approach to unlock the benefits of security analytics at scale in real time and enable the use of predictive analytics to turn threat intelligence into actionable insights.

Zero trust is not a security product for sale in the marketplace. It’s a journey propelled by a change in mindset that brings people, processes, and technologies together to deliver better cybersecurity outcomes. Booz Allen is a proven developer of innovative solutions to help agencies implement zero trust, as required in Executive Order 14028.

Treat the anticipated cracking of public-key encryption by quantum computers as a current threat.

While most of quantum computing’s potential is more than a decade away, it is important to start investing in risk management now:

  • Identify critical assets that will be vulnerable to quantum attack and create a post-quantum cryptography (PQC) transition strategy sensitive to the risk that an adversary may capture inadequately encrypted information today for later decryption using a quantum computer (a “hold now, decrypt later” attack).
  • Develop comprehensive PQC testbed facilities to inform PQC algorithm selection in different use cases and anticipate network and infrastructure impacts, including latency and interoperability challenges.
  • Use the PQC migration as an opportunity to improve cryptographic agility. Develop network infrastructure and policies that enable rapid updates to cryptographic protocols in the event new quantum or conventional vulnerabilities are discovered.
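As an added illustration (not Booz Allen code), the sketch below triages a cryptographic inventory for the capture-now, decrypt-later risk described above, using Mosca's inequality: data is exposed when its required secrecy period plus the migration time exceeds the time until a capable quantum computer exists. The inventory entries, the 3-year migration time, and the 10-year horizon are assumptions constructed for this example.

```python
# Public-key algorithms broken by Shor's algorithm on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "DSA"}

INVENTORY = [  # constructed sample inventory
    {"asset": "wire-transfer-api TLS", "algorithm": "ECDH",
     "use": "key_exchange", "secrecy_years": 7},
    {"asset": "customer-records backup", "algorithm": "RSA",
     "use": "encryption", "secrecy_years": 25},
    {"asset": "code-signing", "algorithm": "ECDSA",
     "use": "signature", "secrecy_years": 0},
    {"asset": "database volume", "algorithm": "AES-256",
     "use": "encryption", "secrecy_years": 25},
]

ORDER = ["migrate-now", "plan", "migrate-before-threat", "monitor"]

def triage(item, migration_years=3, years_until_threat=10):
    """Classify one inventory entry; both year parameters are planning assumptions."""
    if item["algorithm"] not in QUANTUM_VULNERABLE:
        return "monitor"  # symmetric ciphers and hashes: review key sizes, no Shor break
    if item["use"] == "signature":
        # Captured traffic gives no retroactive gain; forgery needs the quantum
        # computer to exist while the signature is still being trusted.
        return "migrate-before-threat"
    # Mosca's inequality: secrecy period + migration time > time to threat.
    if item["secrecy_years"] + migration_years > years_until_threat:
        return "migrate-now"  # ciphertext captured today is still sensitive later
    return "plan"

def prioritize(inventory, **kw):
    """Return (asset, category) pairs, most urgent first."""
    rated = [(i["asset"], triage(i, **kw)) for i in inventory]
    return sorted(rated, key=lambda r: ORDER.index(r[1]))

if __name__ == "__main__":
    for asset, category in prioritize(INVENTORY):
        print(f"{category:22} {asset}")
```

Shortening `years_until_threat` moves the TLS key exchange from "plan" to "migrate-now", which is why the horizon should be treated as an input to revisit rather than a constant.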

By proactively anticipating and preparing for these future challenges, financial sector organizations can outpace emerging threats, build resiliency, and deliver continued reliability in support of national and economic security.

To learn more about Booz Allen’s national cybersecurity solutions, head to BoozAllen.com/NationalCyber