By Rob Otto, Field CTO EMEA at Ping Identity
The pandemic has caused major upheavals in the way we work, pushing many companies to move away from office culture and embrace more flexible ways of working. This transition is still in the experimental stage, as companies try to find and test new post-pandemic work models for their businesses and employees.
When workers began accessing corporate applications and resources on personal devices via home Wi-Fi, a large number of unpatched vulnerabilities were exposed and the door was opened to criminal actors. Home-based workers, for example, are prime targets for phishing and malware attacks that try to steal personal information or gain access to corporate accounts.
The banking sector has been disproportionately affected, with ransomware attacks up 1,318% year-over-year in the first half of 2021. In fact, according to IBM, 23% of all cyberattacks are directed against financial institutions. Businesses around the world are under pressure to secure their cyber infrastructure. Responsible leadership is an essential part of any path to transformation, especially the path towards cyber resilience. To avoid becoming a victim and to motivate others to follow, leaders must take the lead and actively support cybersecurity practices.
So how can financial institutions effectively manage long-term cybersecurity threats?
Identification is the key
When the sea change to remote working happened in early 2020, business leaders and IT teams focused on getting their workforces up and running immediately, with security taking a back seat.
However, everyone in business must be proactive in order to prevent fraudsters from using stolen identities and credentials. Knowledge of cybersecurity and information systems is essential, as it is the basis for avoiding a breach or attack. Employees should be educated (and re-educated) in cybersecurity, because a security vulnerability cannot be addressed or reported if it is not identified.
Choosing the right degree of security is essential for a business, and the following steps are among the most important.
The first phase of the process is identification, in which a user submits information about themselves when creating an account. A genuine user will provide accurate information, but a fraudster may provide fraudulent or stolen information.
Secondly, verification, which obliges the user to demonstrate that the information they have provided is correct, is crucial. Since stolen identities can be used to open accounts, this step prevents fraudsters who cannot prove their identity from creating fake accounts.
Finally, authentication, which requires users to prove their identity each time they log in, is necessary. Methods used for verification, such as fingerprint scanning and facial recognition, are also used for authentication. If a user logs in at an unusual time, from an unusual place, or under other unusual circumstances, adaptive authentication asks for more information to confirm that they are who they claim to be.
Companies must build a bridge that connects all ecosystems, allowing them to succeed while ensuring that only the right people have access.
Another tool in the arsenal of financial institutions is multi-factor authentication (MFA). MFA, at its most fundamental level, requires confirmation that users are who they say they are. Before access is granted, users must present verification from two or more authentication factors.
A hacker or unauthorized user may be able to obtain or purchase a password on the dark web, but their chances of gaining access to a second authentication factor are low and will require a lot more work. Therefore, MFA prevents criminals from entering your systems and obtaining your data.
Since most organizations lack the time and resources to eliminate usernames and passwords altogether, additional means of validating a user’s identity are required. With multi-factor authentication in place, a stolen password alone is not enough to reach the account.
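The adaptive authentication step described above, together with the multi-factor step-up it triggers, can be sketched as a small policy: a login whose context matches the user's history is allowed, any unusual device, location or time requires a second factor, and a failed primary credential is refused outright. This is an added illustration, not code from the article or from Ping Identity; the profile fields, the signals and the one-time-code check are all assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import List, Set, Tuple

# Hypothetical per-user login history; a real deployment would build this
# from past successful sign-ins (field names are assumptions).
@dataclass
class UserProfile:
    known_devices: Set[str]
    known_countries: Set[str]
    usual_hours: range  # local hours (0-23) in which this user normally signs in

@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    hour: int           # local hour of day at which the attempt was made
    password_ok: bool   # result of the primary credential check

def assess_login(profile: UserProfile, attempt: LoginAttempt) -> Tuple[str, List[str]]:
    """Adaptive policy: 'deny' on a failed credential, 'allow' when the context
    matches the user's history, 'step_up' (require a second factor) otherwise."""
    if not attempt.password_ok:
        return "deny", ["primary credential failed"]
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("unknown device")
    if attempt.country not in profile.known_countries:
        signals.append("unusual location")
    if attempt.hour not in profile.usual_hours:
        signals.append("unusual time")
    return ("allow", []) if not signals else ("step_up", signals)

def complete_step_up(profile: UserProfile, attempt: LoginAttempt,
                     submitted_code: str, expected_code: str) -> bool:
    """Check the second factor (a one-time code issued out of band) in constant
    time; on success, remember the device so the next sign-in is low-risk."""
    if not hmac.compare_digest(submitted_code.encode(), expected_code.encode()):
        return False
    profile.known_devices.add(attempt.device_id)
    return True

if __name__ == "__main__":
    # Constructed sample profile: one known laptop, logins from the UK, office hours.
    alice = UserProfile({"laptop-1"}, {"GB"}, range(7, 20))
    print(assess_login(alice, LoginAttempt("alice", "laptop-1", "GB", 9, True)))  # ('allow', [])
    print(assess_login(alice, LoginAttempt("alice", "phone-2", "FR", 3, True)))
```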
A final area in which financial institutions need to ensure they are properly protected is their application programming interfaces (APIs). The number of APIs being developed in financial services has exploded in recent years, propelled by digital transformation and the critical role APIs play in mobile applications and the IoT. Whether an application is for customers, workers, partners, or anyone else, the client side communicates with the server side through an API.
APIs are often extensively documented or easily reverse-engineered, and they are frequently reached over public networks, which makes them attractive targets for criminal actors. An attack may bypass the client-side application entirely in order to disrupt the service for other users or to compromise sensitive information. API security is about protecting this layer of the application and addresses what could happen if the wrong person targets the API directly.
Because of the crucial role APIs play in digital transformation and the access to sensitive internal data and systems they provide, they need a dedicated security and compliance strategy. As digital transformation programs accelerate the introduction of new APIs, it is important that organizations review each new API for appropriate security measures.
Secure for the future
Cyberattacks on financial institutions continue to be a major source of revenue for cybercriminals. Although financial institutions have strengthened their cybersecurity measures, the changing and growing strategies of cybercriminals are making it harder for them to stay safe. To be successful, all leaders must ensure that their organizations have a strong security culture. The need to keep the team informed of potential threats and to train them on how to respond in a crisis is now more critical than ever.
Using stronger login methods, such as multi-factor authentication, can help protect against social engineering attacks aimed at customers. Even if scammers manage to obtain a consumer's login credentials, they will still not be able to access the financial company’s website without the second factor. Multi-factor authentication can also help protect against insider attacks by fraudsters trying to access sensitive data.
More importantly, educating consumers and staff about social engineering can help mitigate the impact of this type of attack on both parties. Financial institutions can reduce the risk of email compromise by providing customer training materials in the form of newsletters and by giving staff detailed training.