By Gerald Beuchelt, CISO, LogMeIn
Cybersecurity is a critical concern in any industry, but especially in the financial sector, which has long been an attractive target. The appeal of financial gain and wide access to highly personal and valuable customer information means that financial services firms are targeted more than any other sector. In fact, UK banking customers lost £358 million to unauthorised fraud in the first half of 2018, and during the second half of the year the financial industry experienced a 37 percent increase in takeover attacks and a 107 percent increase in attempts to gain control of user accounts during mobile transactions. Add to this direct threat on the financial sector the seemingly endless news of breaches at trusted brands, including British Airways and Ticketmaster, and the result is a culture of fear.
While attackers’ sophistication and the types of threats are ever evolving, some basics of cybersecurity remain unchanged. Chiefly, passwords remain an easy point of entry for attackers, with 81% of data breaches involving weak, reused or stolen credentials. One might think that, given the threat to financial institutions, they would be at the forefront of all security practices, including smart password handling. However, a recent study that scored businesses on password practices and multifactor authentication (MFA) adoption found the industry performing below average.
With security practices continuing to plague organisations, what steps can banks and financial institutions take to strengthen defences?
Maintaining system evaluations
At a most basic definition, breaches occur when an organisation’s vulnerabilities are found and exploited by attackers. Banks and other financial institutions must be continually evaluating their systems for possible weaknesses, especially as attackers’ techniques constantly change. Complacency is an organisation’s greatest enemy. Simply because a system was secure last year, last month or even last week, does not mean it will be sufficient against future threats.
Whilst risk assessments of critical systems should be a regular occurrence within financial institutions, organisations should also ensure they assess secondary systems containing non-critical assets. Employees’ personal activities and accounts, such as personal email or Facebook, are still potential gateways to an internal network, so authentication policies should be a main focus of these assessments. As part of these evaluations, it is important to consider what information employees have access to. They should have only the data needed to carry out their job and no more. Limiting access wherever possible reduces the number of potential vulnerabilities.
Financial institutions can also benefit significantly from advanced offensive security, such as penetration testing and “red team” exercises, to improve visibility and security awareness across the organisation. Red team testing comprehensively exposes physical, hardware, software and human vulnerabilities before they become entry points for hackers or provide opportunities for bad actors and malicious insiders to compromise systems.
Putting the focus on passwords
Going back to the above point on understanding vulnerabilities: while there are endless new technologies to combat cybersecurity risk, including advanced AI and biometrics, sometimes the simple solution is the most valuable. Case in point: ground-breaking technology cannot compensate for a weak password culture. The basics of password policies and authentication are critical to enterprise security.
As such, password management should be a top priority. This should include education for all staff on safe password practices, how to create a strong password, and the importance of using unique credentials across all accounts. To encourage adoption, organisations can implement password management tools or at the very least, direct employees towards the solutions. These tools will help remove the reluctance towards keeping track of multiple, complex passwords.
Building on password security, multifactor authentication (MFA) is one of the most effective ways to add another layer of protection to password-protected accounts. With MFA, an attacker who obtains the password still has to provide an additional factor (a one-time code generated by a hardware token, a fingerprint, etc.) before gaining access. The recent Timehop breach, which affected nearly its entire customer base of 21 million users, occurred because the company had not protected access to its cloud network with MFA. Again, one might expect the financial sector to have already adopted this practice; however, a recent report found that only 16% of banking/financial institutions had adopted MFA, compared to 31% of technology businesses.
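The point above, that a stolen password alone should not be enough, is easiest to see in code. The following is an added example written for this article, not code from the author or LogMeIn: a minimal login check that requires both a salted password hash match and a valid time-based one-time code (TOTP as specified in RFC 6238, HMAC-SHA1 with a 30-second step). The user name, password, and the demo secret (the RFC test secret, so the code values can be checked against the RFC’s own vectors) are all constructed for the example.

```python
"""Added example (not from the original article): a login check that needs
both a password and a TOTP code, so a stolen password alone does not grant
access. TOTP follows RFC 6238 (HMAC-SHA1, 30-second step). User record,
password and secret below are constructed for the demo."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). Constructed
# demo value only; real deployments generate a random secret per user.
DEMO_SECRET = b"12345678901234567890"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived key) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, key


def totp(secret: bytes, now: float, digits: int = 6, step: int = 30) -> str:
    """Compute the RFC 6238 TOTP code for Unix time `now`."""
    counter = int(now) // step                      # number of 30 s steps since epoch
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step=step)
        if hmac.compare_digest(expected, code):     # constant-time comparison
            return True
    return False


# Constructed user record: one employee with a salted password hash and a TOTP secret.
_salt, _key = hash_password("Correct-Horse-Battery-Staple-42")
USERS = {"alice": {"salt": _salt, "key": _key, "totp_secret": DEMO_SECRET}}


def login(username: str, password: str, code: Optional[str], now: Optional[float] = None) -> bool:
    """Return True only if the password AND a valid TOTP code are both supplied."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    _, key = hash_password(password, user["salt"])
    if not hmac.compare_digest(key, user["key"]):   # first factor: something you know
        return False
    if code is None:                                # password correct, but no second factor
        return False
    return verify_totp(user["totp_secret"], code, now)  # second factor: something you have


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit SHA1 code at this time is 287082
    pw = "Correct-Horse-Battery-Staple-42"
    print("password only :", login("alice", pw, None, t))
    print("password + TOTP:", login("alice", pw, totp(DEMO_SECRET, t), t))
```

The `login` function rejects a correct password that arrives without a code, which is the property MFA adds: an attacker holding the credential from a breach still fails the second check. The drift window of one step is a common trade-off between usability and replay exposure; a production verifier would also record the last accepted counter so a code cannot be reused within its window.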
Embed security culture through training
Organisations can invest in all of the right security technology and develop all of the needed policies, but they’ll be useless if employees aren’t trained on them or don’t understand the importance of adhering to them.
Firstly, employees need to understand the severity of the threats and the capability of attackers. Secondly, guidelines should be distributed with well-illustrated security policies and education on how to follow those policies. Finally, regular training sessions should be conducted to keep staff up to date on new threats and to ensure proper security practices are embedded in company culture.
Given what is at risk, banks and financial organisations simply cannot allow security to be an afterthought. Banking is going through a period of huge change, with Open Banking and PSD2 being some of the biggest shake-ups to the industry in years, which brings new opportunities for innovation as well as new threats. Organisations cannot afford to take their security for granted or to underestimate the importance of basic security practices and employee adoption of them.