By Ben Bulpett, EMEA Identity Platform Director, SailPoint
The digital customer experience has become a key differentiator for banks, particularly for big players seeking to stay relevant against their nimbler counterparts. This has become even more important during COVID-19, when institutions have been expected to provide clear and transparent services to support and protect customers as they navigate the pandemic’s many challenges.
An example of this is the use of selfies as a form of identity verification, an approach which the industry is widely adopting for both ease and convenience. Customers can now send a selfie to verify their identity after rules were recently relaxed by the Financial Conduct Authority to help staff working from home during lockdown. As well as selfies, banks can also send codes to a customer’s address to verify their identity. Indeed, Monzo has offered identification by selfie for some time – requesting a selfie video, taken from a smartphone, as part of the customer application process.
However, this form of verification raises security concerns that must not be ignored, especially given how much of a target banks are for criminals seeking to get their hands on lucrative assets. Personal information, selfies, videos, audio and email files add to the millions of pieces of sensitive financial and personally identifiable information which financial institutions are processing each and every day. Such data is unstructured – and it is here that organisations lack real visibility into where the data lives and who owns it.
As the rate of adoption of new technologies within the financial services industry increases, so too does the amount of unstructured data being stored. This is resulting in serious security vulnerabilities, giving ample opportunity for hackers to gain access to sensitive information without being detected. Financial institutions must find ways to effectively mitigate this risk.
The rise and risk of unstructured data
Banks and other organisations are spending record figures on their cybersecurity, but it is a wasted effort unless the more pressing threats are properly taken care of. These threats are evolving in new and sophisticated ways – last year, fake audio and video content ranked in the top 20 ways criminals use AI. It is this unstructured data that needs securing and protecting.
Only this year, the FBI’s cyber division announced the use of AI and deepfake technology and services as a critical emerging threat, stating that “malicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12-18 months”. The quality of synthesised voices and videos through deepfake technology is improving daily, and while the addition of selfies for verification is becoming more widely adopted, banks are already adopting voice recognition for transfers and online banking. It is here that criminals have been able to access voice samples, merge these samples to create a fake voice, then choose the optimum time to exploit it. We now have audio, online selfie videos, social media and email files adding to the amount of unstructured data and other sensitive information that can be exploited by hackers. This is expanding the threat surface for criminals to take advantage of within the financial services industry.
Spotting the vulnerabilities
Unstructured data is believed to make up 80% or more of enterprise data, and is growing at the rate of 55-65% per year. Securing this unstructured data is relatively new territory for organisations. Our recent research, where 16% of respondents came from financial services, found three quarters (76%) had encountered challenges with protecting unstructured data. This included unauthorised access, data loss and compliance fines. What’s more, 40% of companies surveyed admitted that they do not know where their unstructured data is located. Almost every company surveyed reported difficulties in managing access to unstructured data, citing not just lack of visibility, but also too much data and the lack of a single access solution for multiple repositories.
Organisations must maximise visibility into where vulnerabilities lie and prepare for the malicious attacks that come with the adoption of new technologies, as well as the increasing sophistication of hackers. Priority must be placed on securing user access across both structured and unstructured data. Our research found this is not currently the case. Although three quarters (74%) of companies said they have access level control, almost half (43%) cannot track the content that is being accessed. One-third of companies lack real-time alerts when unauthorised access occurs within unstructured data, and a quarter of companies fail to perform regular reviews of user access privileges. This calls into question how effective their governance can be, when they know little about who is accessing their data. Without this visibility of who has access to what, and when, hackers could be operating unnoticed.
Securing with identity
To mitigate this threat, identity security must be extended at the implementation stage to manage data access. Doing so ensures security and compliance – automatically – while updating the IT team on where potential vulnerabilities lie through real-time alerts. This security practice enables them to be far better equipped to both monitor for or respond to a breach.
Recently we worked with South African financial institution Nedbank, replacing disparate legacy systems with an identity platform which regularly automates access reviews. By providing a clear picture of where different types of data reside, and who from their workforce has access to what and when, this technology is helping data owners to manage secure access to their data. This has enabled the protection of unstructured data on file shares and other sites across the organisation. With safe and secure access provided to over 33,000 people, Nedbank is now far better equipped to monitor for or respond to a breach.
The future relies on visibility
The financial services industry has seen dramatic changes over the past few years, with consumers demanding better services and seamless experiences. But while banks are embracing new technologies to meet these expectations, they mustn’t overlook the security implications of being able to collect, store and analyse more and different types of data.
The amount of unstructured data about customers will continue to increase as banks build on the digital customer experience. It is now more crucial than ever before for financial institutions to recognise and deal with the risks associated with this, prioritising security initiatives in the same way as meeting constantly evolving regulatory demands. A large number of companies have already suffered data breaches and this is only set to grow as cybercrime grows more sophisticated. As the volume of sensitive financial and personally identifiable information increases, so too does the urgency to ensure the protection of data. Financial institutions must align their security practices to the trends predicted, having visibility and governance across all potential access points in order to mitigate and prevent future risk.