Zscaler Blog
The Cost of Trust: Preventing Breaches with Damages in the Millions
In Financial Services, trust is foundational. In cybersecurity, implicit trust can be a costly liability, running up millions of dollars in losses.
To help ground this statement, I want you to consider a specific amount: $6.08 million to be exact. This is the real-world price tag that Financial Services enterprises are paying for putting their trust in the wrong people, processes, and technologies—it’s the average cost of a data breach in the sector, according to the latest data from IBM.
The astronomical stakes make the case for a zero trust approach and highlight that traditional security models, despite their enduring presence in the market, are no longer enough.
The Financial Impact of Breaches
Financial Services organizations have always been on cybercriminals’ radar. Over the past two decades, nearly one-fifth of all global cyber incidents have targeted—you guessed it—a financial firm, according to the latest IMF report.
It’s a significant number and includes many high-profile breaches. For example, in 2019, a CNN headline read: A hacker gained access to 100 million Capital One credit card applications and accounts. This was one of the biggest breaches in recent history, with considerable financial fallout for the American credit provider. There were regulatory fines to the tune of $80 million, because the OCC regulator found that Capital One failed to put risk management practices in place before migrating to the cloud. There was also a hefty $190 million Class Action Settlement to resolve lawsuits from affected customers.
When we think about the financial consequences of cyber incidents, the first point that comes to mind is the very tangible cost needed to recover and secure operations. Then come potential costs in regulatory fines. But one impact that’s most damaging and enduring is to a brand’s reputation. Customers are increasingly wary of entrusting their data to organizations that have faced a breach. Their concern is valid: the latest ThreatLabz research revealed that data exfiltration surged 92.7% from last year. It shows that data theft is fuelling extortion campaigns, so it makes sense that 47% of businesses (across sectors) say they struggle to attract new customers after publicized cyberattacks, according to the Hiscox Cyber Readiness Report.
Gaining trust is a competitive advantage, but one that’s easily lost. Especially in a digital system ‘protected’ by legacy security.
Where Traditional Models Fail
Legacy security tools fall short of today’s demands in many ways. They focus on protecting the perimeter yet do not offer enough visibility and, as such, deprioritize resilience.
Legacy tools like VPNs, firewalls, and static access controls were designed for a time when users and data stayed inside the network perimeter. Today’s cloud-first hybrid environments render these tools insufficient. Once attackers breach the (blurred boundary of an imagined) perimeter, they often face little resistance. And lateral movement could mean unfettered access to masses of sensitive data.
What about visibility? There are several reasons why security architects managing traditional set-ups aren’t getting the visibility they need to enforce least privilege or respond quickly to anomalies. One is a flat network architecture, where tools like firewalls struggle to differentiate between normal and suspicious traffic because everything looks the same. Without traffic segmentation, it's hard to apply context-aware monitoring that delivers that visibility. Another is broad network access, where the activity of connected users isn’t monitored, meaning suspicious behavior can go unnoticed. Bottom line? Security should provide always-on, real-time visibility of user and device activity.
Finally, we touch on the topic of resilience; it’s become something of a mantra at Zscaler, and for good reason. When we look at technology and processes, resilience isn’t only about securing but about responding: how quickly can you contain a breach and bring business back online? We’re in a ‘when not if’ cyberattack era where no business is immune, which is why running threat detection alone is shortsighted. Unfortunately, the reality is, traditional security models struggle to contain an attack, which is disastrous for business continuity.
Zero Trust as a Cost-Saving Strategy
Considering the financial ramifications of a security breach, I feel that zero trust can be framed as a cost-saving investment. We should move away from the notion of zero trust being ‘just’ a security upgrade—embracing this modern approach has more to do with implementing a solid business resilience strategy.
The return on investment plays out in a few ways. For one, it stops attackers moving from one compromised system to others. Zero trust is also about preventing privilege escalation: in the case of a breach, unauthorized access to higher-level systems is blocked because every access request is verified. Another feature of zero trust architecture is micro-segmentation, which similarly reduces the attack surface and also enables real-time access-policy enforcement without disrupting other workflows.
When a zero trust architecture is powered by AI, the ROI is about saving time for often overburdened security architects. They will be able to detect anomalies as they occur and can reduce manual triage because containment measures can be automated. The result is faster incident response and recovery times, which helps lower remediation costs. The cost benefit is especially important in regulated environments like Financial Services, where fines for non-compliance around data protection can be hefty.
Cybersecurity is no longer just a technical issue. As this blog shows, the cost of getting it wrong isn’t limited to a dollar figure. It’s tied to your brand’s reputation and affects your ability to give customers what they’re paying for. For decision-makers serious about protecting their brand value and business continuity, zero trust is a logical next step in what has, to date, been a legacy journey. Time to leave that legacy behind.
Ready to implement zero trust? If you’re just starting your journey, consider Zscaler’s checklist of features ahead of investing in zero trust architecture. It’ll give you an overview of what you need to embed the necessary control and resilience for navigating our complex world. Details in our Financial Services eBook and our Financial Services Page.
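Disclaimer: This blog was created by Zscaler for informational purposes only and is provided "as is". No guarantee is made as to the accuracy, completeness, or reliability of its content. Zscaler assumes no responsibility for any errors or omissions in the information in this blog, or for any action taken based on that information. Third-party websites and resources linked in this blog are provided for convenience only, and Zscaler assumes no responsibility for their content or operation. All content is subject to change without notice. By accessing this blog, you are deemed to agree to these terms and to understand that you verify and use the information at your own risk.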



