When an intruder breaks into your environment, you typically don't know when they broke in, how they broke in, or what they compromised. How do they break in? Tessian suggests around 90% of data breaches are caused by social engineering - meaning some type of human error or a stolen password leads to a successful cyber attack.
Today, banks and other financial services firms face growing cyber security issues. The pressure from cybercriminals has led the FFIEC and OCC to raise security standards, which in turn is forcing banks to implement stronger security controls.
So, what's the first step to addressing these security threats? It could be better authentication and stepping away from passwords entirely, but better authentication alone doesn't necessarily lead to stronger security.
It's an understatement to say the cost of a cyber attack is extremely high. On average, every financial institution experiences an annual cost of $18.3 million due to cyberattacks [2]. But cost isn't the only concern: 8 out of 10 US citizens [2] fear banks can't secure their financial information. This leads to a lack of trust, loss of customers, and brand and reputational damage.
The age of new technology sparked new problems for banks. Even though banking is easier with customers moving to digital systems, cyber threats have skyrocketed in tandem. For one, with more financial information stored electronically, ransomware attacks can happen more frequently than before, and they can do more damage to financial assets that are stored online. Secondly, if your employees' devices have been compromised with malware, they pose a risk to your bank's cyber security measures.
Lastly, your bank can be compromised via a third-party service, especially if that service has no security controls. Banks typically work with third-party services like cloud or data storage providers to deliver a better banking experience for their customers or employees, but these services may themselves be exposed to a cyber attack. If these services get breached, your bank can also experience a cyber attack. Your bank can suffer if your vendors do not have the proper measures in place. Since you can't control what security controls your partners and services have, you must improve your own security controls to limit the damage.
Unfortunately, it's a matter of when, not if, your bank will be a victim of a cyberattack, but banks can mitigate the fallout with proper response plans. A response plan is crucial for determining immediate next steps and how quickly your bank can recover. The best practice for developing a response plan is to run tabletop exercises across your company and communicate with the executives.
These tabletop exercises involve cyber training with all your end users (including your employees) on specific scenarios, particularly ones involving phishing and ransomware attacks, and practicing what to do to avoid cyber risks. For example, you can use tabletop exercises to teach how your company should perform in the case of an outage. Showing a practical use of cyber security controls can increase user adoption and tackle the issues ahead.
Besides a response plan, getting your team to be well-versed in cyber information can set you up for success against cyber threats. Many banks are investing in a CISO (Chief Information Security Officer) to discuss the best actions to take when an intruder gets into the environment. CISOs also point banks in the right direction - getting the right staff, acquiring cyber insurance coverage, and advocating stronger security.
Banks should be worried about still using passwords. Even with stronger security elsewhere, a password-based approach leaves you more open to exploitation. Even the strongest passwords are likely to be compromised by hackers, ultimately giving them access to private account information.
How are hackers compromising passwords? Besides credential stuffing, social engineering and phishing attacks take the lead. 85% of data breaches [3] are caused by human error, typically from falling for a phishing attempt. Statistically, 1 out of every 4 employees will click on a phishing email while connected to their company's network or using a work-issued device. Phishing attacks today are sophisticated to the point where employees perceive the email to be legitimate - 41% of all phishing emails sent appear to come from senior executives and 40% appear to come from well-known brands.
With phishing attacks being common and calculated, securing confidential financial information with only a password makes you an easy target. Just one successful phishing attack means access has been granted to all of your confidential information because of a single compromised password.
Now, let's take a step further and consider today's remote work environment. With passwords, there is no guarantee that the user logging into the account is actually the intended user, and if a hacker has the user's password, they can pose as that individual. According to IBM Security, the average cost of a data breach [4] at an organization where 81-100% of employees work remotely is an alarming $5.54 million.
What if banks keep using passwords? Are there ways to make passwords stronger? Well, the only way to improve password security is to have your users change passwords often and to enforce strong password constraints. However, requiring this once a quarter with a minimum of 12 characters will lead to password fatigue and decreased overall productivity.
The first step to improve your security strategy is to upgrade your authentication method. With passwords becoming a cyber concern for banks, banks should be migrating to a biometric solution. Biometrics can alleviate the cyber issues that banks are experiencing from having passwords, like password fatigue, because users only need to use their fingerprint.
If you or your employees are using any other type of authentication method, you must trust that the person using the device is the actual owner of that device, which isn't always the case. Hackers can use stolen devices or stolen passwords to access your organization as if they were one of your employees.
Biometrics, specifically Identity-Bound Biometrics (IBB), is not device-based. You're verifying the actual person using the device, not just the device itself.
To address password fatigue and decreased productivity, biometrics are also the more convenient option. Unlike passwords, you do not need to remember or change anything. Your authenticator is unique to you - at all times, anywhere you go, forever.
However, biometrics alone can only alleviate your cyber issues to an extent. Implementing multi-factor authentication can greatly improve on that. Multi-factor authentication isn't a mandate for banks or financial institutions, but it's highly recommended, and CISOs strongly advocate it in cyber security planning. Using biometrics as one factor makes implementing MFA easy, increases user adoption, and gets users involved in the security process faster.
If you're looking for cyber insurance coverage in the future, having multi-factor authentication can improve your odds of qualifying and getting the best possible plan.
No matter how prepared you think you are, you should be concerned about current cyberthreats, especially given their increasing impact and frequency.
To address these cyber issues, you can implement stronger security like biometrics, which is better than relying on passwords alone. But no matter the security control, without multi-factor authentication your company can be exposed to plenty of cyberattacks, especially phishing or ransomware attacks.
Want to see for yourself? We spoke to one of our customers, Orange Bank and Trust Company, about the journey they took to go from passwords to biometrics. In our webinar, they discussed their cyber issues and the decisions they made to get to biometrics and MFA. How did they first confront their cyber issues? Watch the webinar here.
[1] Cyber Threats In The Banking Industry (archonsecure.com)
[2] The Weakest Link in Cybersecurity (shrm.org)
[3] This type of data breach will cost you more time and money (IBM A/NZ Blog)