financial market i

By Aishwarya Ramani

Financial institutions believe they are secure, yet hidden systemic gaps in visibility and control allow attackers to move freely once inside.

Firms and financial market infrastructures have spent years building control libraries, mapping rules, and aligning with best practices. However, the Bank of England's CBEST report found that weak access controls and poor password practices remain common. Aishwarya Ramani argues these are systemic gaps that let attackers move freely through flat networks with little resistance.


A few years ago, I sat in a review meeting between the Federal Reserve Bank of New York – my employer at the time – and a large, well-reputed financial firm, one that takes its security seriously! The sort that makes you send in your birth certificate and a referral from your third-grade PE teacher before you get access to the turnstiles that let you into the building.

Midway through that meeting, we identified a network device that hadn’t been patched – for nineteen months. Sitting quietly inside the perimeter, this trusted, invisible device had been miscategorised during an infrastructure migration and simply fell off the asset register. Nobody had noticed it.

I’ve thought about that meeting a lot since the Bank of England published its most recent CBEST report. It found that weak access controls, poor password hygiene, and inconsistent implementation of even basic safeguards were common among UK financial institutions.

These are sophisticated institutions with mature security programs and cybersecurity budgets that would make most CISOs do the happy dance. 

They’ve passed the audits. They’ve checked the boxes. They’ve presented clean dashboards to boards that had every reason to believe them. And underneath all of it, the same quiet failures — unpatched devices, stale credentials, access controls that looked right on paper and drifted badly in practice.

The problem is not a lack of controls, but that the prevailing security model no longer delivers the resilience organisations believe it does. The fundamental way we approach cybersecurity in the sector is completely broken. 

So mature, and yet, so fragile 

We’ve come a long way in this industry. We know what cyber maturity looks like. The frameworks are defined, documented, measured, and continuously improved. The audits are rigorous. The investment is genuine. By every conventional measure of what a mature security program looks like, most institutions today have one.

The challenge is that when regulators probe these established frameworks through threat-led penetration tests such as CBEST, the cracks become far more visible.

Maturity frameworks are oriented around the same fundamental question: how well are we keeping attackers out? The old model never asked institutions to look inwards. And this is not a philosophical point.

Institutions that assume the attacker is still outside have almost no rigorous measurement of what happens the moment that assumption breaks down.

Our own study showed that while nearly all financial organisations believe they can detect unauthorised lateral movement, 41% admit they struggle to stop it. A conversation I often have with industry leaders, particularly in banking, is around flat networks. Attackers, once inside, move laterally quickly and quietly, and detection mechanisms are frequently reactive. 

Dwell time — the number of days an attacker sits inside a network before anyone notices they are there — has quietly gotten worse in 2026. Mandiant’s M-Trends report, released last month, puts the global median at 14 days. Up from 11 the year before. In the worst cases, dwell time stretches past 400 days, all while the dashboard continues to show green.

The actual number of ransomware incidents in banking is higher than the reported figure, because materiality thresholds mean that if an attack does not disrupt operations or expose sensitive records, it never gets reported.

Three things changed at once 

Being a CISO can sometimes feel like raising a teenager. Just when you think you have finally gotten into a rhythm, the threat landscape shifts.

Three things seem to have shifted simultaneously, and none of them are going to sort themselves out in a few years. 

The first is speed. AI-assisted attacks have collapsed the time window between breach and damage. The average lateral movement time inside a network is now 29 minutes. Sometimes 27 seconds. AI-assisted attacks don’t move like humans do. They probe, pivot and propagate at machine speed through networks designed on the assumption that the threat moves like a person.

The second is state-sponsored actors. Attacks like the ones on ICBC or the US Treasury are deliberate, targeted operations. Interconnectedness is the vulnerability. When your “trusted” third party has access to your most critical systems, your perimeter ends where their security ends, and that is a boundary no third-party risk assessment questionnaire can find.

The third is the regulator. They are now asking whether you can prove operational resilience under live attack conditions. That is a fundamentally different question that comes with mandatory incident-reporting windows and board-level accountability. 

What actually must change 

Three things must change in practice. First, you need a map, and I don’t mean static network diagrams from your last audit. An actual, live picture of how every system, identity, application, and data flow connects to every other one in your entire environment, including the cloud.

Ask your team whether they could pull up every unexpected pathway in your network (on-prem and on the cloud) this afternoon. The answer tells you whether you have a visibility problem or a visibility crisis. 

Second, treat internal boundaries the way you would treat the perimeter. Decide what should be allowed to talk to what and then enforce it.

Third, start reporting blast radius. If a compromise happens tomorrow morning, how far can it travel before it is contained? That is the conversation that belongs in the next risk committee meeting.

That question is not whether anything got through. It is how far it can go once it does.
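The three changes above (a live map of who talks to whom, internal boundaries that are decided and enforced, and a blast-radius figure for the risk committee) can be reduced to a small reachability exercise over the flows your environment actually permits. The following is an added example, not code from the article or from any product the author describes; the asset names, the allowed-flow policy and the "observed" flows are constructed sample data standing in for an asset inventory and flow logs. It reports unexpected pathways (observed flows the policy never allowed), and computes how many assets a compromise of each host could reach under the intended policy, under what was actually observed, and in a flat network.

```python
from collections import deque

# Constructed sample: the segmentation policy, i.e. the flows the firm has decided
# should be allowed (source -> destination). Hypothetical asset names.
ALLOWED_FLOWS = {
    ("internet", "web-proxy"),
    ("web-proxy", "online-banking-app"),
    ("online-banking-app", "core-banking-db"),
    ("workstation-finance", "payments-gateway"),
    ("workstation-finance", "file-server"),
    ("admin-jumphost", "core-banking-db"),
    ("admin-jumphost", "payments-gateway"),
    ("admin-jumphost", "file-server"),
}

# Constructed sample: flows seen in the live environment (as a flow-log export
# would show them). Two of them were never part of the policy.
OBSERVED_FLOWS = {
    ("web-proxy", "online-banking-app"),
    ("online-banking-app", "core-banking-db"),
    ("workstation-finance", "file-server"),
    ("file-server", "core-banking-db"),          # drifted: not in the policy
    ("workstation-finance", "admin-jumphost"),   # drifted: not in the policy
    ("admin-jumphost", "core-banking-db"),
}


def all_assets(*flow_sets):
    """Every asset name that appears as a source or destination in the given flow sets."""
    return {asset for flows in flow_sets for pair in flows for asset in pair}


def unexpected_pathways(observed, allowed):
    """Observed flows that the policy does not permit: the 'unexpected pathways' to pull up."""
    return sorted(observed - allowed)


def blast_radius(flows, start):
    """Assets reachable from a compromised `start` host by following permitted
    flows transitively (breadth-first search over the directed flow graph)."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, set()).add(dst)
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)  # the compromised host itself is not part of its own radius
    return seen


def flat_network(assets):
    """A flat network: every asset can talk to every other asset."""
    return {(a, b) for a in assets for b in assets if a != b}


def blast_radius_report(flows, assets):
    """Per-asset blast radius (count of reachable assets) for a given flow set."""
    return {asset: len(blast_radius(flows, asset)) for asset in sorted(assets)}


if __name__ == "__main__":
    assets = all_assets(ALLOWED_FLOWS, OBSERVED_FLOWS)
    print("Unexpected pathways:", unexpected_pathways(OBSERVED_FLOWS, ALLOWED_FLOWS))
    print("Blast radius under policy:  ", blast_radius_report(ALLOWED_FLOWS, assets))
    print("Blast radius as observed:   ", blast_radius_report(ALLOWED_FLOWS | OBSERVED_FLOWS, assets))
    print("Blast radius if flat:       ", blast_radius_report(flat_network(assets), assets))
```

Run against real data, the allowed set comes from the enforced segmentation policy and the observed set from flow logs or a network-mapping tool; the gap between the "policy" and "observed" reports is the drift the article describes, and the "flat" report is the number to put in front of the risk committee if internal boundaries are not enforced at all.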

Financial institutions are the backbone of the global economy. They cannot afford to keep optimising for a threat landscape that no longer exists.

About the Author

Aishwarya Ramani

Aishwarya Ramani is a cybersecurity leader and solutions marketing strategist. At the Federal Reserve Bank of New York, she served as a Cyber/IT Supervising Examiner, shaping governance standards. Previously at Deloitte, she led transformation programmes and advised executives. She is also a mentor passionate about connecting people, ideas, and cultures.