Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.


Nick Colin, Regional Sales Manager, Financial Services at Centrify

Perimeter security as we know it is dead. Hackers made off with over 2.7 million identities every single day in 2016, despite organisations spending billions trying to stop them. The threat to systems is particularly acute in financial services thanks to the highly lucrative customer and corporate information stored by organisations. So where does the problem stem from? Passwords. They’re easy to steal, guess and crack. And with privileged credentials in their back pocket, the ‘bad guys’ have the keys to the kingdom – open-door access straight to your most sensitive information.

It’s time for financial services firms to stop spending money on outdated perimeter defences and focus on making their identity and access management (IAM) systems fit for purpose.

A tipping point

You’d have to have been living on Mars for the past decade not to see the rapid escalation in data breach incidents. Forrester claims some organisations suffered as many as seven breaches on average over the past two years, with identities and passwords the prime target. In the US, five of the country’s 20 biggest banks suffered data breaches in the first half of 2016 alone. As hackers are well aware, financial institutions might have the resources to throw money at the problem, but if internal systems are protected only by passwords and usernames, they’re an easy target.

Focus on the right user, for example a senior manager or – even better – an IT administrator, and cyber criminals could gain access to your organisation’s most closely guarded customer and IP data. They may even target your partners and other third parties like contractors in so-called “stepping stone” attacks if they think it will be easier to do so. It could be as simple as sending a phishing email. Most employees won’t know they’ve been hit, and in the meantime the hackers are walking through your network masquerading as legitimate users.

Their job is made even easier by poor password management. Users will often write down their log-ins, reuse them across multiple systems inside and out of work, and maintain easy-to-guess credentials. IT employees can be just as guilty. In fact, given the intense pressure they’re under from the business, these insecure workarounds are understandable. And the explosion in cloud, virtual, mobile and IoT systems is only adding to the problem. Gartner estimates businesses worldwide will be using three billion IoT devices by the end of 2017 – each one could be compromised to launch an info-stealing attack if protected only with a password.

For a heavily regulated industry like financial services, the implications of a breach are particularly severe. And they’re about to get even more punitive with forthcoming European data protection laws, which will levy fines of up to 4% of global annual turnover for serious infractions. Plus, new regulations for those operating in New York State will require “risk-based minimum standards for technology systems including access controls”.

 A new perimeter

In short, the traditional network boundary is rapidly changing, and that means legacy endpoint security tools are no longer fit for purpose. Instead, we have to accept a new, more fluid ‘perimeter’that surrounds cloud, mobile and IoT systems andis largely defined by users’ identities and log-in credentials. But that requires us to upgrade from the password/username combination that has secured systems for the past several decades.

“Passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”

So says Verizon in its DBIR 2016 report. In this way, we must enhance traditional log-in systems with multi-factor authentication (MFA), which combines passwords with something the hackers can’t use, like a biometric or one-time passcode. One criticism frequently levelled at MFA is that it’s not user-friendly enough. So consider combining it with Single Sign-On (SSO) to give users simultaneous access to all their accounts. Plus, it will help IT managers better understand exactly which users are accessing which systems. Being able to enforce consistent and centralised authentication policies across the entire organisation will also do wonders for your compliance efforts and help minimise shadow IT.

IT leaders can go further still, by investing in IAM systems which will evaluate a user based on things like their location and past behaviour and only “step-up” to MFA if the log-in attempt is judged high risk. It’s another way of reducing friction for staff and enhancing productivity.

IAM maturity is not all about passwords, though. Financial services firms also need to look at reducing the volume of privileged accounts they maintain. Implement a “least privilege” approach which ensures staff have no more access to systems, commands and functions than they strictly need. That means that if their credentials get compromised, the damage a hacker can do with them will be limited. For maximum effectiveness, use automated systems to provision and de-provision access.

For those still not convinced, just consider that firms with the most mature, integrated IAM systems can save 40% in technology costs and an average of $5 million (£4m) in breach costs, and generate 90% more productivity and efficiency benefits, according to the Forrester study.

Passwords are long overdue an upgrade. So take the fight to the hackers by ensuring IAM systems are ready for anything.