Catch me if you can: using identity governance to remove the disguise from cybercrime

Mark McClain, CEO and co-founder, SailPoint 

It was hardly the crime of the century, but there was certainly a great deal of planning and panache in its execution.

In 2016, a gang of thieves in New York targeted Apple Stores in a series of heists that netted iPhones and other devices to the value of $16,000, simply by strolling into the shops dressed in the famous Apple uniform of branded blue t-shirts and jeans.

In crime, subtlety and disguise are usually much safer and more effective than violence and brute force, and the same principle is as true for cyber offences as it is for bank robberies. In effect, these cyber-heists are committed by thieves disguising themselves as legitimate employees, stealing the keys to the company server room and making off before anyone notices there has been a break-in. And unfortunately, as the world becomes ever more connected, it’s becoming increasingly easy for criminals to hide behind a cyber disguise.

For highly regulated industries like finance, government and healthcare, the threat of a cyber-heist is even more real as the implications involve not just the usual financial loss and reputational impact but also potential compliance implications, too. And, with recent research valuing the average cost of a data breach at nearly £700,000 (or $1 million), it’s imperative that organisations like banks continue to protect their sensitive data and applications. The key to that is understanding who within the organisation has access to all of the digital tools, systems and data that keep the company moving forward, and importantly, whether they should have access and how they are using that access.

Identity governance is critical to addressing these three questions, because it helps IT teams manage and govern access for their organisation’s digital identities – or users, which today span across employees, contractors, partners and even software bots. Keeping up with these users and their access is incredibly complex for IT teams and becomes even more so when you think about the number of organisational changes that happen on a daily basis as users join or leave the organisation or change job responsibilities and roles. Failure to manage these changes leaves the door open for hackers. For example, if a user leaves the organisation but their access isn’t properly shut down, this now ‘orphaned’ user account is ripe for the taking by hackers.

These orphaned identities – which have legitimate access but are no longer being used by a current employee – as well as identities that have picked up new entitlements as they change roles or responsibilities, are two of the biggest vulnerabilities to business security today, and these are a problem largely of an organisation’s own making. It seems obvious, but it is vital that companies can answer the question of who has access to what information and whether or not they should have that access. Ensuring that all existing and new applications are automatically added to a system that can govern access throughout a user’s career and, importantly, revoke access after it’s no longer needed, can achieve this. And it’s not just employees that organisations have to contend with. Today’s business operations rely on other users within the enterprise beyond employees, including contractors, business partners and even software bots – and these users can sometimes be far outside of the traditional corporate firewall. It is for this reason that organisations today need to think of the slew of digital identities that make up the enterprise as the new ‘security perimeter.’

This identity problem isn’t just confined to temporary staff and business partners, however. In many cases, permanent employees can retain their former access privileges long after they have left the company, while internal moves (either through promotion, or horizontally within the organisation) can leave workers with inappropriate access to data and systems. This multiplies the opportunities for criminals to target individuals through social engineering or spear-phishing attempts – in effect, giving the keys to the company safe not just to one security guard, but to every worker on the premises.

It’s apparent that cybersecurity needs to be at the top of the agenda for every business, ensuring visibility into all digital identities – from interns to board members – to govern appropriate access to applications and data. So how can businesses succeed?

Harnessing the power of Identity governance and AI

Identity governance allows organisations to answer the critical questions of who has access to what, who should have access and what they’re doing with that access, addressing exposure points and reducing the risk of a data breach by mitigating the amount of damage hackers can do, if a breach were to occur. This also allows employees to be more efficient and focus on their respective roles with access to the right applications, systems and data to do their jobs – but without putting their organisation at risk.

The latest generations of identity governance solutions are now exploring behaviour analytics through artificial intelligence and machine learning as a new frontier in identity governance. Bank robbers may be adept at disguising themselves as real employees, but they can’t hide their actions, which is why it’s become important that identity governance solutions start to incorporate machine learning to look for unusual activity, including anomalies like a user logging on with unusual frequency; a user downloading large amounts of data from unexpected devices or file storage systems; or a user accessing data and applications at odd or abnormal times.

Enterprises create such a slew of identity data, including false positive alerts, that it’s nearly impossible for IT teams to process it, let alone identify anomalous behaviour. Adding identity analytics as an extension of existing identity governance programs can take the leg-work out of analysing this mass of data, and with the right identity context, help IT teams identify the proverbial needle in the haystack. With identity analytics, companies can also identify low-risk tasks like access requests that can be automated, or allow certification decisions to be delegated to team managers who have the best overview of what data is required by each employee. This helps organisations not only govern smarter, but govern more efficiently, too.

Technology isn’t the sole solution to the problem though: every organisation needs to get back to ‘identity governance 101’ basics first: identifying who has access to what, and how that access is being used. By harnessing the power of identity governance and then layering in identity analytics, enterprises of all types, including financial institutions, can ensure they not only know who they’re handing the keys to, but what’s being done once the door has been unlocked.
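The ‘identity governance 101’ check described above, reconciling every account against the HR record to surface orphaned accounts and entitlements left over from role changes, shown as an added example that is not part of the original article. The record layout, role names, entitlement names and the 90-day dormancy threshold are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data. The HR roster is treated as the authoritative
# record of who works for the organisation and in which role.
HR_ROSTER = {
    "E100": {"status": "active", "role": "teller"},
    "E101": {"status": "active", "role": "risk_analyst"},  # moved from teller
    "E102": {"status": "terminated", "role": "teller"},    # leaver
    "C200": {"status": "active", "role": "contractor_dev"},
}

# Entitlements each role is supposed to hold (hypothetical names).
ROLE_BASELINE = {
    "teller": {"core_banking:read", "core_banking:post_txn"},
    "risk_analyst": {"risk_db:read", "reporting:read"},
    "contractor_dev": {"git:write", "ci:run"},
}


@dataclass
class Account:
    account_id: str
    owner_id: Optional[str]      # HR identifier; None if never linked to a person
    enabled: bool
    entitlements: set
    last_login: Optional[date]   # None if the account has never been used


# Constructed account inventory, as it might be exported from applications.
ACCOUNTS = [
    Account("ateller", "E100", True,
            {"core_banking:read", "core_banking:post_txn"}, date(2020, 9, 30)),
    Account("banalyst", "E101", True,
            {"risk_db:read", "reporting:read", "core_banking:post_txn"},
            date(2020, 9, 29)),
    Account("cleaver", "E102", True, {"core_banking:read"}, date(2020, 6, 1)),
    Account("cleaver_vpn", "E102", False, {"vpn:connect"}, date(2020, 6, 1)),
    Account("svc_legacy", None, True, {"reporting:read"}, None),
    Account("dcontractor", "C200", True, {"git:write", "ci:run"}, date(2020, 3, 1)),
]

TODAY = date(2020, 10, 1)  # fixed so the example is reproducible


def review_access(accounts, roster, baseline, today, dormant_days=90):
    """Return (account_id, finding, detail) tuples for accounts needing review."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already shut down, nothing left to take over

        person = roster.get(acct.owner_id) if acct.owner_id else None

        # Orphaned: the account still works but no current member of the
        # organisation stands behind it.
        if person is None:
            findings.append((acct.account_id, "orphaned", "no owner on record"))
            continue
        if person["status"] != "active":
            findings.append((acct.account_id, "orphaned",
                             f"owner {acct.owner_id} is {person['status']}"))
            continue

        # Entitlement creep: access beyond what the current role calls for,
        # typically left behind by a promotion or sideways move. An unknown
        # role has an empty baseline, so everything it holds is flagged.
        excess = acct.entitlements - baseline.get(person["role"], set())
        if excess:
            findings.append((acct.account_id, "excess_entitlement",
                             ", ".join(sorted(excess))))

        # Dormant: a valid owner, but the access is not being used.
        if acct.last_login is None:
            findings.append((acct.account_id, "dormant", "never logged in"))
        elif (today - acct.last_login).days > dormant_days:
            findings.append((acct.account_id, "dormant",
                             f"last login {acct.last_login}"))
    return findings


if __name__ == "__main__":
    for account_id, finding, detail in review_access(
            ACCOUNTS, HR_ROSTER, ROLE_BASELINE, TODAY):
        print(f"{account_id:12} {finding:20} {detail}")
```

Each finding is an input to a review or revocation decision rather than a verdict: an excess entitlement may be a documented exception, and a dormant contractor account may simply be between engagements.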

TCI: A time of critical importance

Fabrice Desnos, head of Northern Europe Region, Euler Hermes, the world’s leading trade credit insurer, outlines the importance of less publicised measures for the journey ahead.

After months of lockdown, Europe is shifting towards rebuilding economies and resuming trade. Amongst the multibillion-euro stimulus packages provided by governments to businesses to help them resume their engines of growth, the cooperation between the state and private sector trade credit insurance underwriters has perhaps missed the headlines. However, this cooperation will be vital when navigating the uncertain road ahead.

Covid-19 has created a global economic crisis of unprecedented scale and speed. Consequently, we’re experiencing unprecedented levels of support from national governments. Far-reaching fiscal intervention, job retention and business interruption loan schemes are providing a lifeline for businesses that have suffered reductions in turnovers to support national lockdowns.

However, it’s becoming clear the worst is still to come. The unintended consequence of government support measures is delaying the inevitable fallout in trade and commerce. Euler Hermes is already seeing an increase in claims for late payments and expects this trend to accelerate as government support measures are progressively removed.

The Covid-19 crisis will have long lasting and sometimes irreversible effects on a number of sectors. It has accelerated transformations that were already underway and had radically changed the landscape for a number of businesses. This means we are seeing a growing number of “zombie” companies, currently under life support, but whose business models are no longer adapted for the post-crisis world. All factors which add up to what is best described as a corporate insolvency “time bomb”.

The effects of the crisis are already visible. In the second quarter of 2020, 147 large companies (those with a turnover above €50 million) failed; up from 77 in the first quarter, and compared to 163 for the whole of the first half of 2019. Retail, services, energy and automotive were the most impacted sectors this year, with the hotspots in retail and services in Western Europe and North America, energy in North America, and automotive in Western Europe.

We expect this trend to accelerate and predict a +35% rise in corporate insolvencies globally by the end of 2021. European economies will be among the hardest hit. For example, Spain (+41%) and Italy (+27%) will see the most significant increases – alongside the UK (+43%), which will also feel the impact of Brexit – compared to France (+25%) or Germany (+12%).

Companies are restarting trade, often providing open credit to their clients. However, there can be no credit if there is no confidence. It is increasingly difficult for companies to identify which of their clients will emerge from the crisis from those that won’t, and whether or when they will be paid. In the immediate post-lockdown period, without visibility and confidence, the risk was that inter-company credit could evaporate, placing an additional liquidity strain on the companies that depend on it. This, in turn, would significantly put at risk the speed and extent of the economic recovery.

In recent months, Euler Hermes has co-operated with government agencies, trade associations and private sector trade credit insurance underwriters to create state support for intercompany trade, notably in France, Germany, Belgium, Denmark, the Netherlands and the UK. All with the same goal: to allow companies to trade with each other in confidence.

By providing additional reinsurance capacity to the trade credit insurers, governments help them continue to provide cover to their clients at pre-crisis levels.

The beneficiaries are the thousands of businesses – clients of credit insurers and their buyers – that depend upon intercompany trade as a source of financing. Over 70% of Euler Hermes policyholders are SMEs, which are the lifeblood of our economies and major providers of jobs. These agreements are not without costs or constraints for the insurers, but the industry has chosen to place the interests of its clients and of the economy ahead of other considerations, mindful of the important role credit insurance and inter-company trade will play in the recovery.

Taking the UK as an example, trade credit insurers provide cover for more than £171billion of intercompany transactions, covering 13,000 suppliers and 650,000 buyers. The government has put in place a temporary scheme of £10billion to enable trade credit insurers, including Euler Hermes, to continue supporting businesses at risk due to the impact of coronavirus. This landmark agreement represents an important alliance between the public and private sectors to support trade and prevent the domino effect that payment defaults can create within critical supply chains.

But, as with all of the other government support measures, these schemes will not exist in the long term. It is already time for credit insurers and their clients to plan ahead, and prepare for a new normal in which the level and cost of credit risk will be heightened and where identifying the right counterparts, diversifying and insuring credit risk will be of paramount importance for businesses.

Trade credit insurance plays an understated role in the economy but is critical to its health. In normal circumstances, it tends to go unnoticed because it is doing its job. Government support schemes helped maintain confidence between companies and their customers in the immediate aftermath of the crisis.

However, as government support measures are progressively removed, this crisis will have a lasting impact, accelerating transformations, leading to an increasing number of company restructurings and, in all likelihood, increasing the level of credit risk. To succeed in the post-crisis environment, businesses have to move fast from resilience to adaptation. They have to adopt bold measures to protect their businesses against future crises (or another wave of this pandemic), minimize risk, and drive future growth. By maintaining trust to trade, with or without government support, credit insurance will have an increasing role to play in this.

What Does the FinCEN File Leak Tell Us?

By Ted Sausen, Subject Matter Expert, NICE Actimize

On September 20, 2020, just four days after the Financial Crimes Enforcement Network (FinCEN) issued a much-anticipated Advance Notice of Proposed Rulemaking, the financial industry was shaken and their stock prices saw significant declines when the markets opened on Monday. So what caused this? Buzzfeed News in cooperation with the International Consortium of Investigative Journalists (ICIJ) released what is now being tagged the FinCEN files. These files and summarized reports describe over 200,000 transactions with a total over $2 trillion USD that has been reported to FinCEN as being suspicious in nature from the time periods 1999 to 2017. Buzzfeed obtained over 2,100 Suspicious Activity Reports (SARs) and over 2,600 confidential documents financial institutions had filed with FinCEN over that span of time.

Similar leaks have occurred previously, such as the Panama Papers in 2016, where over 11 million documents that belonged to a Panamanian law firm, containing personal financial information on over 200,000 entities, were leaked. This was followed up a year and a half later by the Paradise Papers in 2017. This leak contained even more documents and contained the names of more than 120,000 persons and entities. There are three factors that make the FinCEN Files leak significantly different from those mentioned. First, they are highly confidential documents leaked from a government agency. Secondly, they weren’t leaked from a single source. The leaked documents came from nearly 90 financial institutions facilitating financial transactions in more than 150 countries. Lastly, some high-profile names were released in this leak; however, the focus of this leak centered more around the transactions themselves and the financial institutions involved, not necessarily the names of individuals involved.

FinCEN Files and the Impact

What does this mean for the financial institutions? As mentioned above, many experienced a negative impact to their stocks. The next biggest impact is their reputation. Leaders of the highlighted institutions do not enjoy having potential shortcomings in their operations be exposed, nor do customers of those institutions appreciate seeing the institution managing their funds being published adversely in the media.

Where did the financial institutions go wrong? Based on the information, it is actually hard to say where they went wrong, or even ‘if’ they went wrong. Financial institutions are obligated to monitor transactional activity, both inbound and outbound, for suspicious or unusual behavior, especially those that could appear to be illicit activities related to money laundering. If such behavior is identified, the financial institution is required to complete a Suspicious Activity Report, or a SAR, and file it with FinCEN. The SAR contains all relevant information such as the parties involved, transaction(s), account(s), and details describing why the activity is deemed to be suspicious. In some cases, financial institutions will file a SAR if there is no direct suspicion; however, there also was not a logical explanation found either.

So what deems certain activities to be suspicious and how do financial institutions detect them? Most financial institutions have sophisticated solutions in place that monitor transactions over a period of time, and determine typical behavioral patterns for that client, and that client compared to their peers. If any activity falls disproportionately beyond those norms, the financial institution is notified, and an investigation is conducted. Because of the nature of this detection, incorporating multiple transactions, and comparing it to historical “norms”, it is very difficult to stop a transaction related to money laundering real-time. It is not uncommon for a transaction or series of transactions to occur and later be identified as suspicious, and a SAR is filed after the transaction has been completed.

FinCEN Files: Who’s at Fault?

Going back to my original question, was there any wrongdoing? In this case, they were doing exactly what they were required to do. When suspicion was identified, SARs were filed. There are two things that are important to note. Suspicion does not equate to guilt, and individual financial institutions have a very limited view as to the overall flow of funds. They have visibility of where funds are coming from, or where they are going to; however, they don’t have an overall picture of the original source, or the final destination. The area where financial institutions may be at fault is if multiple suspicions or probable guilt are found, but they fail to take appropriate action. According to Buzzfeed News, instances of transactions to or from sanctioned parties occurred, and known suspicious activity was allowed to continue after it was discovered.

Moving Forward

How do we do better? First and foremost, FinCEN needs to identify the source of the leak and fix it immediately. This is very sensitive data. Even within a financial institution, this information is only exposed to individuals with a high-level clearance on a need-to-know basis. This leak may result in relationship strains with some of the banks’ customers. Some people already have a fear of being watched or tracked, and releasing publicly that all these reports are being filed from financial institutions to the federal government won’t make that any better – especially if their financial institution was highlighted as one of those filing the most reports. Next, there has been more discussion around real-time AML. Many experts are still working on defining what that truly means, especially when some activities deal with multiple transactions over a period of time; however, there is definitely a place for certain money laundering transactions to be held in real time.

Lastly, the ability to share information between financial institutions more easily will go a long way in fighting financial crime overall. For those of you who are AML professionals, you may be thinking we already have such a mechanism in place with 314b. However, the feedback I have received is that it does not do an adequate job. It’s voluntary and getting responses to requests can be a challenge. Financial institutions need a consortium to effectively communicate with each other, while being able to exchange critical data needed for financial institutions to see the complete picture of financial transactions and all associated activities. That, combined with some type of feedback loop from law enforcement indicating which SARs are “useful” versus which are either “inadequate” or “unnecessary” will allow institutions to focus on those where criminal activity is really occurring.

We will continue to post updates as we learn more.

How can financial services firms keep pace with escalating requirements?

By Tim FitzGerald, UK Banking & Financial Services Sales Manager, InterSystems

Financial services firms are currently coming up against a number of critical challenges, ranging from market volatility, most recently influenced by COVID-19, to the introduction of regulations, such as the Payment Services Directive (PSD2) and Fundamental Review of the Trading Book (FRTB). However, these issues are being compounded as many financial institutions find it increasingly difficult to get a handle on the vast volumes of data that they have at their disposal. This is no surprise given that IDC has projected that by 2025, the global “datasphere” will have grown to a staggering 175 zettabytes of data – more than five times the amount of data generated in 2018. As an industry that has typically only invested in new technology when regulations deem it necessary, many traditional banks are now operating using legacy systems and applications that haven’t been designed or built to interoperate. Consequently, banks are struggling to leverage data to achieve business goals and to gain a clear picture of their organisation and processes in order to comply with regulatory requirements. These challenges have been more prevalent during the pandemic as financial services firms were forced to adapt their operations to radical changes in customer behaviour and increased demand for digital services – all while working largely remotely themselves.

As more stringent regulations come into play and financial services firms look to keep pace with escalating requirements from regulators, consumer demand for more online services, and the ever-evolving nature of the industry and world at large, it’s vital they do two things. Firstly, they must begin to invest in the technology and processes that will allow them to more easily manage the data that traditional banks have been collecting and storing for upwards of 50 years. Secondly, they must innovate. For many, the COVID-19 pandemic will have been a catalyst for both actions. However, the hard work has only just begun.

Legacy technology

Traditionally, due to tight budgets and no overarching regulatory imperative to change, financial institutions haven’t done enough to address their overreliance on disconnected legacy systems. Even when faced with the new wave of regulation that was implemented in the wake of the 2008 banking crash, financial services organisations generally only had to invest in different applications on an ad hoc basis to meet each individual regulation. However, as new regulations require the analysis of larger data sets within smaller processing windows, breaking down any and all data siloes is essential and this will require financial institutions that are still reliant on legacy systems to implement new technologies to meet the regulatory stipulations.

With this in mind, solutions which offer high-quality data analytics and enhanced integration will be key to the success of financial institutions and crucial to eliminate data silos. This will enable organisations to achieve a faster and more accurate analysis of real-time and historical data no matter where they are accessing the data from within smaller processing windows to keep pace with regulatory requirements, while also benefiting from low infrastructure costs.

This technology will also play a huge part in helping financial institutions scale their online operations to meet demand from customers for digital services. According to PNC Bank, during the pandemic, it saw online sales jump from 25% to 75%. Therefore, having data platforms that are able to handle surges in online activity is becoming increasingly important.

Real-time analysis of data

While the precise solution financial services institutions need will differ based on the organisation, broadly speaking, the more data they are storing on legacy solutions, the more they are going to require an updated data platform that can handle real-time analytics. Even organisations that have fewer legacy systems are still likely to require solutions that deliver enhanced interoperability to help provide a real-time view across the business and enable them to meet the pressing regulatory requirements they face. Let’s also not lose sight of the fact that moving transactional data to a data warehouse, data lake, or any other silo will never deliver real-time analytics; it is therefore completely inappropriate for businesses to make risk decisions based on this while thinking it is real-time.

As such, financial services firms require a data platform that can ingest real-time transactional data, as well as from a variety of other sources of historical and reference data, normalise it, and make sense of it. The ability to process transactions at scale in real-time and simultaneously run analytics using transactional real-time data and large sets of non-real-time data, such as reference data, is a crucial capability for various business requirements. For example, powering mission-critical trading platforms that cannot slow down or drop trades, even as volumes spike.

Not only will having access to real-time data enable financial institutions to meet evolving regulatory requirements, but it will also allow them to make faster and more accurate decisions for their organisation and customers. With many financial services firms operating on a global basis, this is vital to help them keep up not only with evolving regulations but also changing circumstances in different markets in light of the pandemic. This data can also help them understand how to become more agile, help their employees become productive while working remotely, and how to build up operational resilience. These insights will also be vital as financial institutions need to consider the likelihood of subsequent waves of the virus, allowing them to gain a better understanding of what has and hasn’t worked for their business so far.

Innovation

The financial services sector is fast-paced and ever-changing. With the launch of more digital-only banks, traditional institutions need to innovate to avoid being left behind, with COVID-19 only highlighting this further. With more than a third (35%) of customers increasing their use of online banking during this period, it is those banks and financial services firms with a solid online offering that have been best placed to answer this demand. As financial institutions cater to changing customer requirements, both now and in the future, implementing new technology that provides access to data in real-time will help them to uncover the fresh insights needed to develop new and transformative products and services for their customers. In turn, this will enable them to realise new revenue streams and potentially capture a bigger slice of the market. For instance, access to data will help banks better understand the needs of their customers during periods of upheaval, as well as under normal circumstances, which will allow them to target them with the specific services they may need during each of these periods to not only help their customers through difficult times but also to ensure the growth of their business. As financial institutions not only look to keep pace with but also gain an advantage over their competitors, using data to fuel excellent customer experiences will be essential to success.

With the current economic uncertainty and market volatility, it’s critical that financial services are able to meet the changing requirements coming from all angles. With COVID-19 likely to be the biggest catalyst for financial institutions to digitally transform, they will be better able to cater to rapidly evolving landscapes and prepare for continued periods of remote working. As they look to achieve this, replacing legacy systems with innovative and agile technology solutions will be crucial to ensure they can gain the accurate and complete view of their enterprise data they need to comply with new and changing regulations, and better meet the needs of consumers in an increasingly digital landscape, whether they are located in an office or working remotely.
