
The importance of identity and access management in the banking sector

By Kyle Benson, Director of Product Marketing at Saviynt

The cybersecurity landscape in banking organisations is complex and filled with challenges. For one, with the enormous amount of valuable data on the books, financial institutions will always be a top target for cybercrime, with BCG finding that financial services are 300 times more likely to be the victim of a cyberattack than any other type of organisation. A VMware survey also found that 63% of financial institutions said they’ve seen an increase in destructive attacks targeting their organisation, while nearly three in four survey respondents said they’d been hit by at least one ransomware attack.

A particularly malicious type of attack sees hackers looking to exploit stolen credentials to gain access to bank customer data for the purposes of double extortion. First, they take control of IT resources and demand payment to regain access, and then threaten to divulge or sell customer data on the dark web if a second extortion payment isn’t made. This exposure is a board-level consideration, as any violation of their fiduciary responsibility can lead to serious sanctions, fines and tremendous reputational damage.

The move to hybrid working has also introduced new hurdles and challenges to be mitigated, particularly when it comes to risk. With remote work, hybrid workforces, and cloud-based software technologies becoming ubiquitous, organisations across the banking sector have had to rapidly adopt new strategies to support this new way of working – but have further complicated IT networks, increased the attack surface for cybercriminals and created new risks in the process. Additionally, as banks adopt new technologies such as AI, extend their services across multiple platforms like mobile, and look to digitally transform their operations, the attack surface increases further still.

Added to this, the current labour shortage has seen organisations increasingly turn to third-party suppliers and subsequently put themselves at even greater risk. Without proper due diligence and governance, these third parties could have access to information they shouldn’t, and when organisations don’t know how many third parties have this kind of access, the risk factor is increased again. According to the Ponemon Institute, 66% of companies have no idea how many third-party relationships they have or how they’re managed – even though 61% reported having a breach attributable to a third party.

Finally, legislation and regulation environments in the banking sector are constantly evolving to protect customer data and keep up with the introduction of new technology and services. But complying with these ever-changing standards can be time-consuming and expensive, and not always easy to implement – according to research from the Banking Policy Institute’s technology division, CISOs spend 40% of their time resolving numerous regulatory requirements.

So how can banks tackle these challenges head-on, and take proactive steps to mitigate risks and secure their environments and their customers’ data? They can start with automated Identity and Access Management.

What is Identity and Access Management?

At its core, Identity and Access Management (IAM) is about ensuring that the right users have the right access to the right resources for the right amount of time and for the right reasons.

IAM is a set of tools used to provide visibility, control and management of identity and access. It does this by focusing on user authentication (the user/identity is who they say they are), authorisation (what permissions do they have), access (what are they allowed to access and who provides them this access) and administration (governance and management of access and identities). With these tools, organisations can continuously monitor access, and enforce the principles of ‘Zero Trust’, where everything and everyone is considered to be untrustworthy until they are verified.

IAM consists of two parts: identity management and access management. These govern how users interact with data and applications across information systems, networks, databases, and software. An identity can be any person, object, or code that interacts with information, from on-premise and remote employees, to robotic process automation bots that perform administrative tasks. Each of these identities needs certain resources to complete their job, and access is establishing what exactly these resources are and who needs access to what. An account manager at a bank, for example, will require different resources and access than a customer-facing chatbot on that bank’s mobile app.

Why banks should care about IAM

As security perimeters continue to change and expand, with increasingly complex hybrid and cloud infrastructures, and organisations continue to integrate new technologies and an ever-increasing number of identities that require identification, authentication and privileges, the approach to protecting identity and access needs to be proactive.

This means creating and implementing a policy that limits what information and applications identities – both human and robotic – can access. This is where IAM is indispensable, providing banking organisations with a huge array of benefits, including:

Effective lifecycle management: IAM helps banking organisations keep track of their employees through every stage of their employment, from onboarding to retirement. This is important because, as employees progress through an organisation, their permissions and resource requirements change. And when an employee leaves or transfers, their access needs to be restricted or removed completely. Managing identity lifecycles for an entire organisation is extremely complex, so having an IAM programme that facilitates this process is invaluable.

Accurate request fulfilment: With an increasing number of new identities cropping up across an organisation, from third parties to bots, all requesting access to different resources in different places, IAM can help fulfil those requests accurately and quickly.

Intuitive user experience: Every identity will require different access, and it’s likely most of these identities will have a different level of IT knowledge (this is even true of bots). IAM solutions can make things easier by ensuring everyone can make requests to get to the resources they need to do their job properly.

Extra layer of auditing: Compliance-heavy banks are no strangers to an audit, and they can ensure they are continuously compliant and secure by using IAM systems to identify weaknesses. By using the data from IAM solutions to produce activity reports and by analysing the data for any discrepancies or risk factors, like Separation of Duties violations, banks can work to mitigate issues before any damage is done.

Flexible cybersecurity: In the world of hybrid work, organisations are constantly changing shape and need to manage identities across multiple technologies, across different work environments and for an ever-changing number of users. Having a flexible IAM system that is compatible with either on-premise or cloud technologies is key to protecting an organisation, based on the needs of the business.

Conclusion

Banking organisations will always be facing new and different risks, and will always have the need to meet stringent compliance requirements for data privacy and security. With IAM, they can ensure their data is protected from unauthorised access and that they remain compliant with industry regulations by ensuring that the right users have the right access to the right resources for the right time and for the right reason.

Global Banking & Finance Review

 
