Gerald Beuchelt, CISO, LogMeIn
Cyber-attacks are increasing at an alarming rate, and in 2018 we’ve witnessed breaches hit several trusted brands across various industries, including British Airways, Ticketmaster, and most recently, Facebook. However, the financial sector continues to be one of the most lucrative targets for criminals: UK banking customers lost £358 million to unauthorised fraud in the first half of this year. With the appeal of huge financial gain, along with access to a wealth of high value personally identifiable information (PII), it’s perhaps unsurprising that financial services firms are targeted more than any other sector.
Although the threat landscape is fast evolving and attackers’ techniques are becoming increasingly sophisticated, passwords continue to play a major role in breaches: 81% of data breaches involve weak, reused or stolen credentials. Bearing in mind the level of risk involved in banks and financial institutions, we could be forgiven for assuming that such organisations would be ahead of the game in their security practices. However, a recent study that scored businesses on password practices and multi-factor authentication (MFA) adoption found the industry performing below average.
With security practices continuing to plague organisations, what steps can banks and financial institutions take to strengthen defences?
Technology: invest and evaluate
Breaches occur when vulnerabilities within a company’s security architecture are exploited by attackers. Cybercriminals, especially those motivated by the huge potential monetary rewards in attacks on financial institutions or FinTech companies, are constantly adapting and evolving their techniques, so the financial industry must continue to invest in technology to stay ahead and defend against emerging threats. Banks simply cannot afford to make assumptions about the effectiveness of their technological defences. Just because something protected a business last year (or even last month), that doesn’t mean it will be sufficient today.
Whilst risk assessments of critical systems should be a regular occurrence within financial institutions, organisations should also ensure they assess secondary systems containing non-critical assets. Employees' personal activities and accounts, such as personal email or Facebook, are still potential gateways to an internal network, so authentication policies should be a main focus of these assessments.
It’s also important that organisations consider roles and permissions to ensure employees only have access to the information they need to carry out their job (the principle of least privilege). Implementing privileged access management technology can help mitigate the risk of data falling into the wrong hands.
Don’t underestimate effective authentication
With threats showing no signs of slowing, a wealth of new technologies have been introduced to the financial sector, including the likes of AI, machine learning, and biometrics. But even those organisations with the newest ground-breaking technology in place can be compromised by something as simple as a weak password. Getting the basics right with authentication and password policies is therefore crucial to safeguarding enterprise data and should really be considered a basic staple of security hygiene.
As such, password management should be a top priority. This should include education for all staff on safe password practices, how to create a strong password, and the importance of using unique credentials across all accounts. Because memorising complex passwords for multiple accounts is practically impossible, organisations should consider implementing solutions that take the burden off staff. A password management tool generates and stores a unique, strong credential for every account, so staff only need to remember one master password and the stored password data remains encrypted.
Multi-factor authentication (MFA) is one of the most effective ways to add another layer of security to password-protected accounts, because the attacker will be required to provide an additional factor (a one-time code generated by a hardware token, a fingerprint, etc.) even if they do obtain the password. The recent Timehop breach, which affected nearly its entire customer base of 21 million users, occurred because the company hadn’t protected access to its cloud network with MFA. While the risks of skipping this step are clear, a recent report found that only 16% of banking/financial institutions had adopted MFA, compared to 31% of technology businesses.
Financial institutions can also seriously benefit from leveraging advanced offensive security, such as penetration testing and “red team” exercises to improve visibility and security awareness across the organisation. Red team testing comprehensively exposes physical, hardware, software and human vulnerabilities before they become entry points for hackers or provide opportunities for bad actors and malicious insiders to compromise systems.
Embed security culture through training
Even financial institutions with the best technological defences can be undone by a social engineering attack. Along the same lines, security policies are ineffective if staff don’t receive the necessary training or are not motivated to follow them. Employees should be made aware of all the possible threats to gain an understanding of what they are defending against. Guidelines should be issued to all staff, for example with information on how to spot phishing emails or the dangers of accessing company data on public WiFi networks. Regular training and refresher sessions will be key to embedding security and vigilance within company culture, to make safeguarding data a priority, and to help staff be both the first and last lines of defence.
Given what’s at risk, banks and financial organisations simply cannot allow security to be an afterthought. Banking is going through a period of huge change, with Open Banking and PSD2 being some of the biggest shake-ups to the industry in years, which brings new opportunities for innovation – as well as threats. Organisations cannot risk overlooking the basics of training and staff awareness, nor can they underestimate the power of effective authentication and password management policies to keep the business and customers safe.