Overcoming Common Security Vulnerabilities In The Banking Sector
Posted: Monday, Nov 04


For as long as banks and financial institutions have existed, so too have those seeking to steal from them. The infamous bank robber Willie Sutton, active in the 1920s, famously quipped that he targeted banks "because that's where the money is."

While the methods have evolved since Sutton's time, the motivation remains largely the same. Today, the vast majority of wealth in these institutions is digital, and the sensitive records they hold can be as valuable as money itself.

The digital transformation of banking has made the sector a prime target for cybercriminals, who are increasingly sophisticated in their attacks. According to Verizon's Data Breach Investigations Report[1], cyberattacks on banks surged by 238% in 2022 compared with the previous year.

These breaches come at a steep price. IBM's 2024 Cost of a Data Breach Report[2] indicates the average cost of addressing such incidents is US$5.9 million per breach, excluding the losses from stolen funds. As the financial services sector battles this wave of cybercrime, the stakes have never been higher.

Tempting targets

While the physical security measures in place within many banks today are impressive (large vaults, bullet-proof glass, silent holdup alarms), it can be a very different story when it comes to cybersecurity.

While many banks have focused on strengthening their public-facing applications, these often need to work with 50-year-old core banking applications written in ageing computer languages such as COBOL, which are long past being actively supported.

The regulatory environment can also make cybersecurity a challenge. This is particularly the case for larger institutions, which are subject to state, national, and international laws and standards.

The result is a complex business environment that is difficult to protect without running afoul of regulatory requirements. Compounding the problem, in recent years financial firms have also had to deal with increasingly distributed and hybrid workforces, which significantly expand the potential attack surface and add further cybersecurity challenges.

Improving protection

Financial institutions require large teams of skilled security personnel to overcome the many challenges facing their industry, and software developers are an especially important part of the mix. This is because security-aware developers can write secure code for new applications, which can thwart attackers by denying them a foothold in the first place. If there are no vulnerabilities to exploit, an attacker is far less likely to succeed.

Properly trained developers can also help to support both modern and legacy applications by examining the existing code behind some of the primary vectors used by attackers. These include cloud misconfigurations, lax API security, and legacy bugs.

However, the task of nurturing and maintaining security-aware developers in the financial sector is not something that will happen automatically. It requires precise, immersive training programs matched to the specific complex environment that a financial services institution is using.

This training also requires significant flexibility so that developers can learn about the most modern aspects of cybersecurity while also providing support for legacy languages. It should also be hands-on, allowing developers to learn in continuous contextual bursts that match what they will find in the real-world financial services environment.

Aiming for a brighter future

The financial services sector will always be one of the most attacked industries. This was true back when people first started using banks and is still true today. With a challenging regulatory landscape and a complex business environment, it might at first seem impossible to stop the majority of those attacks.

However, finance is also one of the verticals most willing to try new cyber defence strategies and more modern training techniques. Security leaders can be receptive to learning programs that align developers and AppSec professionals around common security goals and that approach secure coding, in particular, with empathy for developers and how they experience security in their workflow.

Many financial firms understand the immense value of having a core of security-aware developers trained in everything from modern cloud and API security to the perils found within legacy systems.

Such developers can level the playing field and deny cyber attackers room to move. This requires both highly flexible and customisable training and the creation of a cohesive security culture.

By providing this kind of training alongside measures such as incentives for security champions, and privilege-based initiatives in which only the most security-aware developers who have completed their training are allowed to work with critical assets, financial services firms can increase their resilience to even the most determined attackers.

[1] https://www.verizon.com/business/resources/reports/dbir/

[2] https://www.ibm.com/reports/data-breach

Matias Madou
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realised that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.