How banks and financial institutions can step up enterprise security

Gerald Beuchelt

CISO at LogMeIn

14.02.2019 06:15 am

Cyber-attacks are increasing at an alarming rate, and in 2018 we’ve witnessed breaches hit several trusted brands across various industries, including British Airways, Ticketmaster, and most recently, Facebook. However, the financial sector continues to be one of the most lucrative targets for criminals: UK banking customers lost £358 million to unauthorised fraud in the first half of this year. With the appeal of huge financial gain, along with access to a wealth of high-value personally identifiable information (PII), it’s perhaps unsurprising that financial services firms are targeted more than any other sector.

Although the threat landscape is fast evolving and attackers’ techniques are becoming increasingly sophisticated, passwords continue to play a major role in breaches: 81% of data breaches involve weak, reused or stolen credentials. Bearing in mind the level of risk involved in banks and financial institutions, we could be forgiven for assuming that such organisations would be ahead of the game in their security practices. However, a recent study that scored businesses on password practices and multi-factor authentication (MFA) adoption found the industry performing below average.

With poor security practices continuing to plague organisations, what steps can banks and financial institutions take to strengthen defences?

Technology: invest and evaluate  

Breaches occur when vulnerabilities within a company’s security architecture are exploited by attackers. Cybercriminals, especially those motivated by the huge potential monetary rewards in attacks on financial institutions or FinTech companies, are constantly adapting and evolving their techniques, so the financial industry must continue to invest in technology to stay ahead and defend against emerging threats. Banks simply cannot afford to make assumptions about the effectiveness of their technological defences. Just because something protected a business last year (or even last month), that doesn’t mean it will be sufficient today.  

Whilst risk assessments of critical systems should be a regular occurrence within financial institutions, organisations should also ensure they assess secondary systems containing non-critical assets. Employees’ private activities and accounts, such as personal emails or Facebook, are still potential gateways to an internal network, so authentication policies should be a main focus of these assessments.

It’s also important that organisations consider roles and permissions to ensure employees only have access to the information they need to carry out their job. Implementing privileged access management technology can help mitigate the risk of data falling into the wrong hands. 

Don’t underestimate effective authentication

With threats showing no signs of slowing, a wealth of new technologies have been introduced to the financial sector, including the likes of AI, machine learning, and biometrics. But even those organisations with the newest ground-breaking technology in place can be compromised by something as simple as a weak password. Getting the basics right with authentication and password policies is therefore crucial to safeguarding enterprise data and should really be considered a basic staple of security hygiene. 

As such, password management should be a top priority. This should include education for all staff on safe password practices, how to create a strong password, and the importance of using unique credentials across all accounts. Because memorising complex passwords for multiple accounts is practically impossible, organisations should consider implementing solutions that take the burden off staff. By using a password management tool, all the work is done for you, and password data remains secure. 

Multifactor authentication (MFA) is one of the most effective ways to add another layer of security to password-protected accounts, because the hacker will be required to provide an additional factor (a one-time code generated by a hardware token, fingerprint, etc.), even if they do obtain the password. The recent Timehop breach, which affected nearly its entire customer base of 21 million users, occurred because the company hadn’t protected access to its cloud network with MFA. While the risks of skipping this step are clear, a recent report found that only 16% of banking/financial institutions had adopted MFA, compared to 31% of technology businesses.

Financial institutions can also seriously benefit from leveraging advanced offensive security, such as penetration testing and “red team” exercises to improve visibility and security awareness across the organisation. Red team testing comprehensively exposes physical, hardware, software and human vulnerabilities before they become entry points for hackers or provide opportunities for bad actors and malicious insiders to compromise systems.

Embed security culture through training 

Even financial institutions with the best technological defences can be undone by a social engineering attack. Along the same lines, security policies can be redundant if staff don’t receive the necessary training or are not motivated to follow them. Employees should be made aware of all the possible threats to gain an understanding of what they are defending against. Guidelines should be issued to all staff, for example with information on how to spot phishing emails or the dangers of accessing company data on public WiFi networks. Regular training and refresher sessions will be key to embedding security and vigilance within company culture, to make safeguarding data a priority, and help staff to be both the first and last lines of defence.

Given what’s at risk, banks and financial organisations simply cannot allow security to be an afterthought. Banking is going through a period of huge change, with Open Banking and PSD2 being some of the biggest shake ups to the industry in years, which brings new opportunities for innovation – as well as threats. Organisations cannot risk overlooking the basics of training and staff awareness, nor can they underestimate the power of effective authentication and password management policies to keep the business and customers safe. 
