Financial services organizations have been increasingly under attack from cyber threat actors, and this trajectory is unlikely to abate. Firms need to ensure they have the right solutions in place to protect and defend themselves, their customers, and the financial systems in which they participate. It is important to note that solutions require people with an advanced understanding of how the parts of an effective cybersecurity implementation work together. For this, management must allocate funds, resources, and employee time to learn, understand, and think about these intersections. Ongoing education for cybersecurity professionals is key, which involves more than just getting a security certification.
In this blog post, we focus on three key solutions that banks and credit unions must pay attention to: two focused on identity and access, and one on elevating employee preparedness to address security threats.
Identity And Authentication for Employees and Customers
Credentials give access to systems and authorization rights for approving all sorts of financial transactions and requests. Hackers go after credentials through credential stuffing attacks, phishing, and social engineering. For example:
- Phishing attack
Customers of the OCBC Bank in Singapore lost a combined $10.1 million in December 2021 when they responded to SMS alerts supposedly coming from OCBC to alert of account irregularities. Almost 800 customers clicked the link in the SMS alert and entered their internet banking account credentials, at which point the fraudsters transferred funds out of their accounts. The bank refunded all affected victims as a “one-off gesture of goodwill,” making the phishing attack on its customers a costly one for the bank.
- Social engineering attack
A hacker breached personal data on more than seven million users of the Robinhood brokerage app by calling the customer support line and tricking a customer support employee into giving up their account credentials to various customer support systems.
Banks and credit unions must protect against identity attacks or suffer costly consequences. This means taking several steps.
First, move in the direction of fewer passwords and more biometrics for stronger authentication processes for employees and customers. Uniquely identifying an employee, and ensuring that the person supplying the authentication credentials is that employee, is increasingly likely to fail with usernames, passwords, and even basic forms of multi-factor authentication. Managed identity solutions that tie biometric identification (fingerprint or facial recognition) to an identity, used in combination with cryptographic hardware keys, provide high-assurance authentication for employees doing their work.
Secondly, financial services organizations need to strengthen identity and authentication workflows for customers too, not just employees. Customers form an integral part of the financial system: they access and interact with accounts and loan products, and initiate standard and high-value transactions. Providing system access to customers using only a username and password is an open invitation for compromise. Stronger authentication methods within mobile apps, biometrics for multi-factor authentication, and zero-trust principles for detecting abnormal device and network characteristics are essential. High assurance that the person requesting access to an account or initiating a transaction is who they claim to be is critical for avoiding fraud and loss. Dependence on basic 2FA approaches, such as codes sent by SMS or email, should be eliminated from workflows that grant system access to customers, because the protection these approaches originally offered is increasingly easy to break. The banking experience for consumers is increasingly digital, a shift driven forcibly by shelter-in-place and lockdown orders during the pandemic and by the closure of branch offices, which further eroded any remaining face-to-face relationship between bankers and consumers. Developing stronger means of identity assurance is key to ongoing customer interaction and banking experiences.
Finally, identity and authorization must be monitored for hacking attempts, password-spray attacks, credential dumping, and attempts to use stolen credentials. Cloud security solutions offer capabilities for monitoring where authorization requests are coming from, as do identity management solutions.
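One way to monitor for the password-spray pattern mentioned above, as an added example that is not part of the original post: a spray shows up as one source failing against many distinct accounts in a short window, which a simple sliding-window count over authentication logs can surface. The log format, source addresses and thresholds below are constructed assumptions.

```python
# Added example (not from the original post): a simple password-spray detector
# over constructed authentication log lines. Assumes a "ts user src result" format.
# The first source fails against many accounts (spray); the second source fails
# repeatedly against one account (brute force) and must not be flagged as a spray.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-01-15T09:00:01 alice 203.0.113.7 FAIL
2024-01-15T09:00:03 bob 203.0.113.7 FAIL
2024-01-15T09:00:05 carol 203.0.113.7 FAIL
2024-01-15T09:00:07 dave 203.0.113.7 FAIL
2024-01-15T09:00:09 erin 203.0.113.7 FAIL
2024-01-15T09:00:11 frank 203.0.113.7 SUCCESS
2024-01-15T09:01:00 alice 198.51.100.4 FAIL
2024-01-15T09:01:10 alice 198.51.100.4 FAIL
2024-01-15T09:01:20 alice 198.51.100.4 SUCCESS
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: sorted usernames} for sources whose failures hit at least
    min_accounts distinct accounts inside a sliding time window."""
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    findings = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward past old failures
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                findings[src] = sorted(users)
                break
    return findings

def successes_from_spray_sources(events, findings):
    """Accounts that logged in successfully from a spraying source: reset first."""
    return sorted({user for _, user, src, result in events
                   if src in findings and result == "SUCCESS"})
```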
Tackling Overprivileged Access
Any employee or contractor with access rights to data and systems that exceed what is necessary for their work tasks poses a risk to a financial services organization. This can result in data theft by a malicious employee, accidental oversharing by an employee, or data theft by an external threat actor after compromising an employee’s credentials. One survey found that 37% of companies had detected overprivileged accounts in their environment, and 59% of the companies said privileged account credentials had been successfully phished.
Systems that monitor and analyze the access levels of employees (including managers, executives, IT administrators, and contractors) to identify overprivileged access rights enable early intervention to reset rights to a more appropriate level. Such right-sizing reduces the likelihood that accounts with inappropriately high levels of access exist, reduces access drift when rights are mistakenly extended, and decreases the blast radius in the event of an insider attack or external breach. Systems that tackle overprivileged access use AI and ML models to create a normalized baseline of access rights for employees based on a reference group—for example, a marketing analyst should have the same level of rights as other marketing analysts in the marketing department. Deviations from the norm can be automatically adjusted or permitted to continue based on authorization from the employee’s manager.
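The reference-group baseline described above can be implemented without ML as a peer-share threshold, as in this added example (not code from the original post): an entitlement is part of a role's norm when at least half of that role's members hold it, and anything an employee holds beyond the norm is a candidate for right-sizing. The employees, roles, entitlements and the 50% threshold are constructed assumptions.

```python
# Added example (not from the original post): flag entitlements that deviate from a
# peer-group baseline. The employee data, role names and threshold are constructed.
from collections import Counter, defaultdict

# Constructed sample: employee -> (role, set of entitlements).
EMPLOYEES = {
    "ana":   ("marketing_analyst", {"crm_read", "analytics_dash", "email_tool"}),
    "ben":   ("marketing_analyst", {"crm_read", "analytics_dash", "email_tool"}),
    "chloe": ("marketing_analyst", {"crm_read", "analytics_dash", "email_tool",
                                    "wire_transfer_approve"}),
    "dan":   ("marketing_analyst", {"crm_read", "analytics_dash"}),
    "eve":   ("it_admin", {"ad_domain_admin", "backup_restore"}),
}

def peer_baseline(employees, min_share=0.5):
    """Per role, the entitlements held by at least min_share of its members."""
    members = defaultdict(list)
    for role, rights in employees.values():
        members[role].append(rights)
    baseline = {}
    for role, right_sets in members.items():
        counts = Counter(r for rights in right_sets for r in rights)
        baseline[role] = {r for r, c in counts.items()
                          if c / len(right_sets) >= min_share}
    return baseline

def find_deviations(employees, min_share=0.5, min_peers=2):
    """Return {employee: sorted entitlements} held beyond the role baseline.
    Roles with fewer than min_peers members have no meaningful norm, so they
    are skipped rather than baselined against a single person's own rights."""
    baseline = peer_baseline(employees, min_share)
    role_size = Counter(role for role, _ in employees.values())
    deviations = {}
    for name, (role, rights) in employees.items():
        if role_size[role] < min_peers:
            continue
        extra = rights - baseline[role]
        if extra:
            deviations[name] = sorted(extra)
    return deviations
```

Under-privileged members (dan lacks `email_tool`) are not flagged; only excess rights are, because those are what widen the blast radius.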
For individuals who require high levels of access to systems, Privileged Access Management (PAM) solutions introduce additional safeguards. For example, rather than leaving super-user rights permanently enabled on the account, the user requests a time-limited or transaction-limited grant of elevated access, which must be approved, is audited, and is automatically revoked when the time has elapsed or the transaction is completed.
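The request, approve, audit and auto-revoke cycle just described, modelled as a small broker in this added example (not code from the original post or from any PAM product). The user, role, TTL values and the self-approval rule are constructed assumptions.

```python
# Added example (not from the original post): a minimal just-in-time elevation
# broker illustrating the PAM workflow. Names, TTLs and policy are assumptions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Grant:
    user: str
    role: str
    ttl_seconds: int
    approved_by: Optional[str] = None
    granted_at: Optional[float] = None
    revoked: bool = False

@dataclass
class PamBroker:
    """Holds pending/active grants and an append-only audit trail."""
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def request(self, user, role, ttl_seconds, now):
        self.grants[(user, role)] = Grant(user, role, ttl_seconds)
        self.audit.append((now, "REQUEST", user, role))

    def approve(self, user, role, approver, now):
        g = self.grants[(user, role)]
        if approver == user:  # self-approval would defeat the control
            self.audit.append((now, "DENY_SELF_APPROVAL", user, role))
            return False
        g.approved_by, g.granted_at = approver, now
        self.audit.append((now, "APPROVE", user, role, approver))
        return True

    def complete(self, user, role, now):
        """Transaction-limited grants end as soon as the work is done."""
        g = self.grants[(user, role)]
        g.revoked = True
        self.audit.append((now, "COMPLETE_REVOKE", user, role))

    def is_elevated(self, user, role, now):
        """True only while an approved grant is inside its TTL; expiry revokes it."""
        g = self.grants.get((user, role))
        if g is None or g.granted_at is None or g.revoked:
            return False
        if now - g.granted_at >= g.ttl_seconds:
            g.revoked = True  # automatic revocation once the time has elapsed
            self.audit.append((now, "AUTO_REVOKE", user, role))
            return False
        return True
```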
Finally, overprivileged access also occurs when connections between apps, such as OAuth tokens used widely in SaaS environments, are granted unwisely or unwittingly to malicious actors. Use solutions to continually assess the intent of OAuth connections, detect hidden threats, and harden security configurations.
Security Awareness Training
Employees in financial services organizations hold the keys to important financial systems. If a threat actor can compromise an employee through a phishing, vishing, smishing or business email compromise attack, then credentials and funds can be stolen. Employees need regular training on the warning signs of cyberthreats, common social engineering tricks, and best-practice security hygiene to reduce the likelihood of a successful attack.
Best-in-class security awareness training programs include assessment methods in addition to training content in order to gauge the efficacy of employees at detecting and mitigating attacks. Employees or groups of employees showing low efficacy despite recent training interventions can be offered additional training, stronger process protections, and better security technologies. If employees refuse to follow security policies, reassess ongoing employment status.
Cybersecurity in Financial Services
As the financial services industry will remain a key target of cybercriminals, financial services organizations need to find ways to prevent cyberattacks. Today, they have to revisit the efficacy of their current cybersecurity protections, invest in new solutions to address existing and emerging threats, and follow best practices. Where do banks and credit unions start? Read our whitepaper here to find out.