By Rajnish Gupta, Managing Director and Country Manager, Tenable India
For the third consecutive year, the banking sector ranks as the second-most breached industry globally. As financial institutions embrace advanced technologies like cloud computing and AI, they become even more attractive targets for cybercriminals, who exploit vulnerabilities in these sophisticated systems. In a PwC report, CXOs from the financial sector have identified cloud-based pathways as the most exploited attack vector. Weak encryption, poor access controls, and misconfigurations in critical syste,
Why are banks at greater risk?
India’s booming digital payments ecosystem has significantly increased banks’ reliance on third-party services, creating substantial supply chain risks. Any vulnerability within a third-party provider can compromise the bank’s entire infrastructure. For instance, cybercriminals could breach an API provider or a third-party payment processor, exposing massive amounts of sensitive data and disrupting operations. This was evident earlier this year when 300 smaller banks across India were compromised in a coordinated cyberattack.
The risk is further magnified by the absence of robust preventive security measures, inadequate vendor verification processes, and insufficient continuous monitoring of third-party practices. Sophisticated threat actors increasingly target banks through supply chain attacks, embedding malware directly into software updates or development tools, allowing them to infiltrate networks indirectly.
Preventive security: The best defence
Relying on reactive security strategies—where teams focus on addressing threats after they occur—is no longer a viable option. Banks, particularly in India, must move beyond compliance-driven approaches. Regulatory audits are crucial, but they primarily focus on consumer protection rather than safeguarding a bank’s infrastructure. To truly protect themselves, banks need to adopt proactive, preventive security measures. Modern financial institutions require comprehensive security strategies that extend beyond traditional IT solutions. Banks must gain a deeper understanding of their vulnerabilities in the context of business risk and prioritise remediation accordingly.
Preventive security starts with complete visibility into all assets and vulnerabilities across the entire attack surface. This comprehensive view is crucial for assessing risks and implementing tailored mitigation strategies. It’s especially vital for dynamic assets such as cloud-based banking software, AI-powered systems, and mobile banking apps, where vulnerabilities can emerge at any time.
Unfortunately, many legacy vulnerability management tools deployed by banks fall short of this need. These traditional tools do not prioritise vulnerabilities based on their potential impact on critical business functions, forcing security teams to address every vulnerability—a near-impossible task. This approach often leaves banks scrambling to react to vulnerabilities that gain media attention, causing unnecessary disruptions.
Moving to exposure management
Instead of attempting to address every vulnerability, banks can shift to exposure management. This approach enables security teams to continuously analyse data from all assets across the attack surface, predict which vulnerabilities are most likely to be exploited and prioritise risk reduction efforts accordingly. Legacy approaches to managing the attack surface struggle to keep pace with rapid digitisation. In today’s environment, banks cannot fix every vulnerability, nor can they afford to postpone critical remediation without a clear understanding of the risks. Exposure management offers a pragmatic and efficient solution for continuously refining vulnerability priorities.
A successful exposure management strategy encompasses a broader range of assets than traditional vulnerability management (VM) programs, extending beyond on-premise systems and cloud environments to include less tangible elements such as social media accounts, online code repositories, and third-party supply chain systems.
Focusing on the greatest risks
The primary objective of exposure management is not to remediate every vulnerability or zero-day threat, but to focus on the cyber risks that pose the greatest threat to the organisation. For cybersecurity professionals in banking, the stakes are high. Financial institutions are prime targets for highly skilled, well-funded adversaries, and each new service or digital initiative presents additional attack vectors. At the same time, regulators are intensifying scrutiny of security practices, and non-compliance can result in substantial financial penalties and reputational damage.
In this high-risk environment, banks must cut through the noise and focus on the vulnerabilities that matter most. By adopting preventive security strategies, banks can maximise their limited resources, enhance operational resilience, and stay one step ahead of increasingly sophisticated adversaries.