TIME FOR AN UPGRADE: WHY FINANCIAL SERVICES FIRMS MUST LOOK BEYOND PASSWORDS TO MINIMISE DATA BREACHES

Nick Colin, Regional Sales Manager, Financial Services at Centrify

Perimeter security as we know it is dead. Hackers made off with over 2.7 million identities every single day in 2016, despite organisations spending billions trying to stop them. The threat to systems is particularly acute in financial services thanks to the highly lucrative customer and corporate information stored by organisations. So where does the problem stem from? Passwords. They’re easy to steal, guess and crack. And with privileged credentials in their back pocket, the ‘bad guys’ have the keys to the kingdom – open-door access straight to your most sensitive information.

It’s time for financial services firms to stop spending money on outdated perimeter defences and focus on making their identity and access management (IAM) systems fit for purpose.

A tipping point

You’d have to have been living on Mars for the past decade not to see the rapid escalation in data breach incidents. Forrester claims some organisations suffered as many as seven breaches on average over the past two years, with identities and passwords the prime target. In the US, five of the country’s 20 biggest banks suffered data breaches in the first half of 2016 alone. As hackers are well aware, financial institutions might have the resources to throw money at the problem, but if internal systems are protected only by passwords and usernames, they’re an easy target.

Focus on the right user, for example a senior manager or – even better – an IT administrator, and cyber criminals could gain access to your organisation’s most closely guarded customer and IP data. They may even target your partners and other third parties like contractors in so-called “stepping stone” attacks if they think it will be easier to do so. It could be as simple as sending a phishing email. Most employees won’t know they’ve been hit, and in the meantime the hackers are walking through your network masquerading as legitimate users.

Their job is made even easier by poor password management. Users will often write down their log-ins, reuse them across multiple systems inside and out of work, and maintain easy-to-guess credentials. IT employees can be just as guilty. In fact, given the intense pressure they’re under from the business, these insecure workarounds are understandable. And the explosion in cloud, virtual, mobile and IoT systems is only adding to the problem. Gartner estimates businesses worldwide will be using three billion IoT devices by the end of 2017 – each one could be compromised to launch an info-stealing attack if protected only with a password.

For a heavily regulated industry like financial services, the implications of a breach are particularly severe. And they’re about to get even more punitive with forthcoming European data protection laws, which will levy fines of up to 4% of global annual turnover for serious infractions. Plus, new regulations for those operating in New York State will require “risk-based minimum standards for technology systems including access controls”.

 A new perimeter

In short, the traditional network boundary is rapidly changing, and that means legacy endpoint security tools are no longer fit for purpose. Instead, we have to accept a new, more fluid ‘perimeter’that surrounds cloud, mobile and IoT systems andis largely defined by users’ identities and log-in credentials. But that requires us to upgrade from the password/username combination that has secured systems for the past several decades.

“Passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”

So says Verizon in its DBIR 2016 report. In this way, we must enhance traditional log-in systems with multi-factor authentication (MFA), which combines passwords with something the hackers can’t use, like a biometric or one-time passcode. One criticism frequently levelled at MFA is that it’s not user-friendly enough. So consider combining it with Single Sign-On (SSO) to give users simultaneous access to all their accounts. Plus, it will help IT managers better understand exactly which users are accessing which systems. Being able to enforce consistent and centralised authentication policies across the entire organisation will also do wonders for your compliance efforts and help minimise shadow IT.

IT leaders can go further still, by investing in IAM systems which will evaluate a user based on things like their location and past behaviour and only “step-up” to MFA if the log-in attempt is judged high risk. It’s another way of reducing friction for staff and enhancing productivity.

IAM maturity is not all about passwords, though. Financial services firms also need to look at reducing the volume of privileged accounts they maintain. Implement a “least privilege” approach which ensures staff have no more access to systems, commands and functions than they strictly need. That means that if their credentials get compromised, the damage a hacker can do with them will be limited. For maximum effectiveness, use automated systems to provision and de-provision access.

For those still not convinced, just consider that firms with the most mature, integrated IAM systems can save 40% in technology costs and an average of $5 million (£4m) in breach costs, and generate 90% more productivity and efficiency benefits, according to the Forrester study.

Passwords are long overdue an upgrade. So take the fight to the hackers by ensuring IAM systems are ready for anything.

Nick Colin, Regional Sales Manager, Financial Services at Centrify

Perimeter security as we know it is dead. Hackers made off with over 2.7 million identities every single day in 2016, despite organisations spending billions trying to stop them. The threat to systems is particularly acute in financial services thanks to the highly lucrative customer and corporate information stored by organisations. So where does the problem stem from? Passwords. They’re easy to steal, guess and crack. And with privileged credentials in their back pocket, the ‘bad guys’ have the keys to the kingdom – open-door access straight to your most sensitive information.

It’s time for financial services firms to stop spending money on outdated perimeter defences and focus on making their identity and access management (IAM) systems fit for purpose.

A tipping point

You’d have to have been living on Mars for the past decade not to see the rapid escalation in data breach incidents. Forrester claims some organisations suffered as many as seven breaches on average over the past two years, with identities and passwords the prime target. In the US, five of the country’s 20 biggest banks suffered data breaches in the first half of 2016 alone. As hackers are well aware, financial institutions might have the resources to throw money at the problem, but if internal systems are protected only by passwords and usernames, they’re an easy target.

Focus on the right user, for example a senior manager or – even better – an IT administrator, and cyber criminals could gain access to your organisation’s most closely guarded customer and IP data. They may even target your partners and other third parties like contractors in so-called “stepping stone” attacks if they think it will be easier to do so. It could be as simple as sending a phishing email. Most employees won’t know they’ve been hit, and in the meantime the hackers are walking through your network masquerading as legitimate users.

Their job is made even easier by poor password management. Users will often write down their log-ins, reuse them across multiple systems inside and out of work, and maintain easy-to-guess credentials. IT employees can be just as guilty. In fact, given the intense pressure they’re under from the business, these insecure workarounds are understandable. And the explosion in cloud, virtual, mobile and IoT systems is only adding to the problem. Gartner estimates businesses worldwide will be using three billion IoT devices by the end of 2017 – each one could be compromised to launch an info-stealing attack if protected only with a password.

For a heavily regulated industry like financial services, the implications of a breach are particularly severe. And they’re about to get even more punitive with forthcoming European data protection laws, which will levy fines of up to 4% of global annual turnover for serious infractions. Plus, new regulations for those operating in New York State will require “risk-based minimum standards for technology systems including access controls”.

 A new perimeter

In short, the traditional network boundary is rapidly changing, and that means legacy endpoint security tools are no longer fit for purpose. Instead, we have to accept a new, more fluid ‘perimeter’that surrounds cloud, mobile and IoT systems andis largely defined by users’ identities and log-in credentials. But that requires us to upgrade from the password/username combination that has secured systems for the past several decades.

“Passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”

So says Verizon in its DBIR 2016 report. In this way, we must enhance traditional log-in systems with multi-factor authentication (MFA), which combines passwords with something the hackers can’t use, like a biometric or one-time passcode. One criticism frequently levelled at MFA is that it’s not user-friendly enough. So consider combining it with Single Sign-On (SSO) to give users simultaneous access to all their accounts. Plus, it will help IT managers better understand exactly which users are accessing which systems. Being able to enforce consistent and centralised authentication policies across the entire organisation will also do wonders for your compliance efforts and help minimise shadow IT.

IT leaders can go further still, by investing in IAM systems which will evaluate a user based on things like their location and past behaviour and only “step-up” to MFA if the log-in attempt is judged high risk. It’s another way of reducing friction for staff and enhancing productivity.

IAM maturity is not all about passwords, though. Financial services firms also need to look at reducing the volume of privileged accounts they maintain. Implement a “least privilege” approach which ensures staff have no more access to systems, commands and functions than they strictly need. That means that if their credentials get compromised, the damage a hacker can do with them will be limited. For maximum effectiveness, use automated systems to provision and de-provision access.

For those still not convinced, just consider that firms with the most mature, integrated IAM systems can save 40% in technology costs and an average of $5 million (£4m) in breach costs, and generate 90% more productivity and efficiency benefits, according to the Forrester study.

Passwords are long overdue an upgrade. So take the fight to the hackers by ensuring IAM systems are ready for anything.