By Ben Bulpett, Identity Platform Director, EMEA, SailPoint
Banking is no longer limited to the four walls of a building. In the UK, three-quarters (73%) of consumers now use digital banking channels on a weekly basis, as people grow increasingly accustomed to their ease and convenience. But this isn’t without some downsides. Mobile functionality, blockchain integration and the emergence of banking-as-a-service have led to a growing number of cyber threats for organisations, but also a growing burden of compliance requirements. GDPR is reported to have generated €182 million in fines in 2020 alone – on top of evolving FCA regulations.
However, meeting compliance requirements doesn’t have to be a cumbersome drain on time. With the right technology in place, it can mean competitive advantage – streamlining operations, driving efficiency, and closing security gaps. Key to this is the use of identity security which can automate processes and permissions in line with changing job roles and responsibilities.
Financial services has one of the highest rates of insider data breaches, costing $14.5 million last year alone. Whether it’s a disgruntled employee acting with malicious intent, or an unsuspecting employee accidentally clicking on a malicious link, the level of access that staff have to sensitive information within a business makes them a potential vulnerability.
This threat is made worse given that the banking sector is particularly prone to complex corporate structures and departmental silos – all of which hinder an organisation’s visibility into different roles, responsibilities, and data access. Combine this with the industry’s continued reliance on spreadsheets and manual processes for tracking data access and user identities, and you have the perfect recipe for inaccuracies and inconsistencies.
Along with creating an auditing and reporting nightmare, this creates gaps in the system prime for exploitation by threat actors who are keen to get their hands on the industry’s lucrative assets.
Separation of duties
Control over access is also critical given the importance of separation of duties in banking and financial services to reduce the risk of error and fraud. No single individual should control more than one part of a transaction. For example, an employee can’t both create and pay invoices. Preventing any one person from holding access to more than one of these activities is crucial to preventing the misappropriation of funds.
Separation of responsibilities is a well-entrenched concept, but in reality it can prove challenging. Banks typically define which roles are forbidden to overlap, but with the growing number of apps and systems, administration can grow complex and error-prone. Staff also move from role to role through promotions and lateral transfers, which can result in ‘over-permissioning’ or ‘entitlement creep’ as old access is never revoked. Add to the mix all the different logins for various licences and subscriptions that employees accumulate during their time in an organisation, and the situation can quickly spiral out of control, increasing the vulnerability of systems to exploitation.
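To make the two problems above concrete, here is an added example (not SailPoint code, and using constructed roles and entitlements rather than any real bank’s data) of the checks an identity governance process runs: a separation-of-duties rule set over “toxic” entitlement pairs such as create-invoice plus pay-invoice, and a mover/leaver review that flags and removes entitlement creep left over from a previous role.

```python
from dataclasses import dataclass
# Constructed sample (not a real bank's data): entitlements each role carries,
# and the "toxic" pairs that separation of duties forbids one person to hold.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:create_invoice", "erp:view_invoice"},
    "treasury": {"erp:pay_invoice", "erp:view_invoice"},
    "ap_manager": {"erp:approve_payment", "erp:view_invoice"},
}
SOD_RULES = [
    ("erp:create_invoice", "erp:pay_invoice"),      # create and pay an invoice
    ("erp:create_invoice", "erp:approve_payment"),  # create and approve an invoice
]

@dataclass
class User:
    name: str
    role: str          # current role after any promotion or lateral move
    entitlements: set  # what the user actually holds across systems
    active: bool = True

def sod_violations(user):
    """Toxic pairs the user holds both halves of."""
    return [pair for pair in SOD_RULES if set(pair) <= user.entitlements]

def entitlement_creep(user):
    """Entitlements the current role does not justify (left over from earlier roles)."""
    return user.entitlements - ROLE_ENTITLEMENTS.get(user.role, set())

def remediate(user):
    """Leaver: remove everything. Mover: keep only current-role entitlements.
    Returns the set of entitlements removed."""
    removed = set(user.entitlements) if not user.active else entitlement_creep(user)
    user.entitlements -= removed
    return removed

def review(users):
    """One certification pass: record findings per user, then remediate."""
    report = {}
    for u in users:
        report[u.name] = {"sod": sod_violations(u), "creep": sorted(entitlement_creep(u)),
                          "removed": sorted(remediate(u)), "after": sod_violations(u)}
    return report

if __name__ == "__main__":
    # alice moved from ap_clerk to treasury and kept her old access; bob left the bank.
    users = [User("alice", "treasury", {"erp:create_invoice", "erp:view_invoice", "erp:pay_invoice"}),
             User("bob", "ap_manager", {"erp:approve_payment", "erp:view_invoice"}, active=False)]
    for name, findings in review(users).items():
        print(name, findings)
```

The point of the `after` field is the check a real certification needs: a mover’s SoD violation should disappear once the stale entitlement from the old role is revoked, and a leaver should be left with nothing.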
Identity is the new perimeter
Getting access requirements right must be a top priority for organisations. Doing so not only means protecting against cyber threats, but meeting compliance requirements and streamlining operations. To achieve this, financial institutions must have the right technology in place that provides them with visibility over who has access to what information and when.
Using identity security powered by AI and machine learning, processes can be automated and access granted on a need-to-know basis according to the roles and responsibilities of individuals – no more, no less. An automated system can not only find and disable the accounts of ex-employees, it can also correct access for existing users that is no longer appropriate following movements within an organisation. Critically, it means being able to uncover and mitigate potential threats fast – such as identifying and putting a stop to out-of-the-ordinary, suspicious behaviour, for example an unauthorised user attempting to access sensitive files.
This also reduces the burden of repetitive manual tasks, freeing up IT teams to focus on high-value activities rather than sorting out password resets or additional data access requests, and thus provides a cost-effective solution. Automation ensures the accuracy and completeness of the data sets that are so critical for keeping on top of compliance.
Staying ahead of the game
Meeting compliance requirements doesn’t have to be a headache for organisations. Through identity security, keeping on top of this can mean competitive advantage in more ways than one – protecting the enterprise perimeter, streamlining operations and ensuring all data and users are properly accounted for.