By Ben Bulpett, EMEA Identity Platform Director, SailPoint
Most people are now accustomed to shopping over the internet, with 2021 seeing an increase of 14.3% in online sales compared to the year previous. However, this brings its own set of challenges. Most notably, cyber risk. More online purchases means more sharing of online credentials, and greater risk of fraudulent activity. In fact, the first six months of last year saw thefts of £754 million by hackers, highlighting the headache we must avoid.
Methods used by cyber criminals to infiltrate and exploit the rise in online retail continue to grow more sophisticated. In a recent survey, almost one-third of UK respondents said they had received emails and messages impersonating retailers over the past year. Meanwhile according to Which?, ‘smishing’ increased by 700% in the first six months of 2021. This was largely driven by an increase of text-based scams since the pandemic, as cyber criminals capitalised on the rise in home deliveries and businesses adopting SMS-notifications to contact customers.
With most credit card transactions at some point going across the banking network, and with the potential financial impact of customer fraud, banks need to stay alert when it comes to who is accessing their systems and data. This isn’t limited to just outsider threats – despite these often dominating the headlines. Concerningly, the banking industry retains the dubious reputation of having the highest rates of insider data breaches across any sector. These are not always carried out with malicious intent; accidental breaches can cause major issues for customers and providers alike. Running through so many of these breaches are issues with identity access and security.
Cyber criminals typically choose their targets based on maximum impact and reward. Financial institutions and their vast amounts of highly valuable data, aided by their digital transformation efforts, make for a perfect match. So, as external threats and attacks launched on unsuspecting customers continue to evolve, banks and financial institutions must ensure their lines of defence remain water-tight. AI and machine learning makes it possible to learn about and analyse potential cyber-threats in real time. By doing so businesses can ensure appropriate identity security measures are in place, which can not only detect unusual behaviour and reduce the chances of a breach occurring, but also increase the speed and accuracy of their cyber security response.
Mitigating against the internal threat
Whilst defending shoppers against cyber criminals should remain a top priority, managing against internal threats mustn’t be ignored. When shopping online, it is crucial for banks to ensure shoppers’ identities and their devices are verified. But they mustn’t take their foot off the gas when it comes to protecting against internal data leaks. This means ensuring that the employees tasked with handling data and those who have access to it are appropriately screened, audited and continually trained on best practice.
This starts with ensuring that data is only accessible to those who need to use it. Users with incorrect access privileges are one of the most significant areas of identity fraud. This includes ex-employees who remain able to access systems due to poor identity and access management practices. Where malicious insiders are provided with access to the data they exploit, such seemingly ‘legitimate’ activity is much harder to detect than that of the brute-force hack.
There are also legacy issues that can lead to innocent leaks. This is where financial institutions still in the digital transformation process retain pockets of poor practice – something which continues to plague an industry typically seen as lagging behind others with technology adoption. Complex organisational structures mean many are still in a hybrid state where spreadsheets and other manual processes continue to sit alongside more sophisticated processes. This provides ample opportunity for unprotected documents that contain sensitive or PII data to be shared incorrectly or misdirected.
Without a complete view of all data access across an organisation, there is no way to uncover such hidden risk. This has been made harder during the pandemic where remote working, furlough, and unprecedented hiring have rapidly changed the employee mix and provided additional access points. With the government ready to issue Covid-prevention measures in reaction to new variants, this landscape is ever changing, but systems and processes are not adapting at the same rate.
A crystal clear view of data
Despite such challenges, preventative steps can be taken to mitigate insider threats. For example, IT teams can use automated access and geolocation alerts to spot abnormal behaviours. Made possible through AI and ML-driven security measures, this can be the basis of an agile identity security foundation that learns and adapt as business needs change.
Gaining a full view of customer data is hard when so much of this data is unstructured. We are not dealing with simple transactional data anymore. Indeed, some challenger banks, in particular, are increasingly using biometric authentication such as voice, fingerprint, or video (notwithstanding the recent wave of concern around deep fake technologies) within multi-factor authentication, giving rise to the need to protect extremely sensitive personal data, beyond the financial. This unstructured data is only set to grow as banks build on the digital customer experience, so it is crucial that financial institutions recognise and prioritise these risks in the same way as meeting their constantly evolving regulatory demands.
Identity security is a cybersecurity tactic that delivers a holistic view of data access in an organisation, with a pure view of all identities, their permissions, and actions. This provides greater visibility over each application, data repository, cloud service, and internal platform, reducing the risk of password duplication, permissions creep, and over-provisioning. This means organisations will have crystal clear visibility over where different data resides, and who from their workforce has access to what.
Ensuring a cyber secure 2022
The risks consumers are exposed to online have never been greater – as highlighted by the National Cyber Security Centre receiving over 10 million reported scams as of January this year. It is crucial financial institutions play their part to protect people from scams. But in dealing with these threats, banks cannot afford to lose sight of ongoing risks posed by the insider threat. Identity security, and knowing who has access to what and when, must be a key priority if banks are to successfully crack down on potential breaches or hacks.
Experts predict that by 2025, cybercrime will be costing the world more than $10.5 trillion annually – a huge figure that financial institutions can’t afford to let cyber criminals get away with. Any criminal activity that results in customers losing funds or having sensitive data comprised is clearly of the utmost concern to banks, both in terms of regulatory fines incurred as well as major reputational damage. But a mistake that stems from poor internal controls and identity security is almost unforgivable. Financial institutions must stay alert and responsive to new scams and external attacks – and doing so mustn’t facilitate a blind spot with their own internal processes. Firms must also be aware of any threats lurking in the corner. This must be a key consideration for all financial institutions moving forward.