Ben Bulpett, EMEA Identity Platform Director, SailPoint
The nature of the financial services industry is evolving rapidly. Accelerated by the impact of COVID, the digital customer experience has become a key differentiator for banks, particularly as big players seek to stay relevant against more nimble challenger counterparts. One method in particular is the use of selfies for identity verification. Monzo has offered this for some time, requesting a selfie video, taken from a smartphone, as part of the customer application process. Now, the industry is more widely adopting the approach for ease and convenience – just last month, the Financial Conduct Authority began allowing selfies as a valid form of identity verification.
But this raises cyber security concerns that mustn’t be ignored – especially given how much of a target banks are for criminals seeking to get their hands on lucrative assets. Selfies, videos, audios, even email files, add to the millions of sensitive financial and personally identifiable information which financial institutions are processing each day. Such data is unstructured – where organisations lack real visibility into where the data lives, and who owns it. All of this leads to security vulnerabilities, paving the way for hackers to get their hands on sensitive information without being detected.
So, how can banks effectively mitigate against these risks?
Into the unknown
Securing unstructured data is relatively new territory for organisations. Our recent research, where 16% of the respondents came from financial services, found three quarters (76%) had encountered challenges with protecting unstructured data. This included unauthorised access, data loss and compliance fines. What’s more, almost every company surveyed reported difficulties in managing access to unstructured data, citing not just lack of visibility, but also too much data and a lack of single access solution for multiple repositories. 40% admitted to not knowing where the unstructured data was stored.
Banks cannot afford to be caught out by unstructured data. Companies may be spending record sums on cybersecurity to protect the digital transformation that has accelerated so rapidly over the past year – but it’s a wasted effort if the most pressing threats like unstructured data aren’t properly attended to. And these threats are evolving in new and sophisticated ways – last year, fake audio and video content ranked in the top 20 ways criminals use AI.
Securing unstructured data with identity
Organisations must maximise visibility into where vulnerabilities lie. Crucial to this is prioritising user access rights across all data – structured and unstructured. Our research found this is currently not the case, with one-third of companies lacking real-time alerts when unauthorised access occurs within unstructured data, and a quarter of companies failing to perform regular reviews of user access privileges. Without visibility over who has access to what, and when, hackers could be operating unnoticed.
To combat this threat, identity security must be extended at the implementation stage to manage data access. This security practice ensures security and compliance – automatically – while feeding real-time alerts to the IT team where potential vulnerabilities lie – making them far better equipped to monitor for or respond to a breach.
We recently worked with South African financial institution Nedbank to protect unstructured data on file shares and other sites across the organisation. This meant replacing disparate legacy systems with an identity platform which regularly automates access reviews. This is helping data owners to manage secure access to their data – providing a clear picture of where different types of data resides, and who from their workforce has access to what. With safe and secure access provided to over 33,000 people, Nedbank is now far better equipped to monitor for or respond to a breach.
Visibility across all access points
Unstructured data about customers will continue to be created as banks build on the digital customer experience. But it is crucial financial institutions recognise and deal with the risks, prioritising this in the same way as meeting constantly evolving regulatory demands. To ensure protection of data, banks must have visibility and governance across all potential access points.
