
Interviews

How to cut the cybersecurity risk of M&A


By Chad McDonald, CISO at Radiant Logic

 

In 2021, merger & acquisition (M&A) activity grew by almost a quarter, with a record-breaking 62,000 deals announced globally. Merging companies is a difficult and complex task, with figures showing that between 70% and 90% of all mergers fail.

When an organisation undergoes an M&A, it does not only face economic risk. The external cybersecurity threat level ramps up dramatically, and so does the risk posed by insiders.

Many of the challenges experienced during M&A can be linked to the failure to manage identity. To understand the threat, Radiant Logic surveyed 300 tech executives and found that out of the 27% of respondents who experienced a merger & acquisition in the last year, 44% said it took between 7 and 12 months to enable application access across the integrating entities, and 35% said it took between 13 and 18 months.

So, what can be done to secure identities during M&As?

Chad McDonald

What are the security risks organisations are exposed to when completing M&As?

The merging of two or more companies creates a serious cybersecurity challenge. When organisations undergo M&A, all parties involved must be blended into one new company with the minimum of disruption and downtime. In most cases, access to CRM systems, ERP systems, human resources and proprietary applications is necessary at a minimum to allow the newly merged organisation to achieve a reasonable level of productivity. At the foundation of all of this lies identity. Complexity is created at every stage of an M&A, creating gaps and holes for threat actors to exploit. Risk is inevitable.

The M&A process involves the incorporation of vast data estates and disparate policies, infrastructure and applications. Departments must be brought together and synergised so they can communicate with each other and ultimately work together effectively. It is a time of considerable upheaval, which creates risk.

When staff leave the company or switch departments, best practices dictate that their accounts and privileged access will be deleted from the central system of record or locked from use. Because most organisations suffer from some level of identity sprawl, those accounts may remain in periphery systems or within several different communication channels, from emails to other highly critical systems.

These stale and over-privileged accounts are a treasure trove for attackers. Duplicate identities pose a similar risk. When an organisation has large numbers of ghost accounts that have not been accounted for and shut down, it has effectively painted a target on its back.

The ghost identities are a threat to all organisations and often go unnoticed. During an M&A, they will remain undetected for longer, so will pose a greater risk. It has been reported that 47% of ex-employees still have access to business data months after leaving an organisation. When companies merge, the number of stale accounts grows exponentially. Threat actors can use these identity credentials to gain privileged access to restricted areas of the network – where they can cause severe damage.

Why has identity management proved to be a challenge during M&As?

The simple answer is that managing identities is difficult during calm times, particularly due to the challenge over stale and over-privileged accounts. It is time-consuming to find, modify or change user access data. Time-stretched security staff simply do not have the bandwidth to hunt down stale accounts, so the problem compounds over time. The lack of control over the provisioning and de-provisioning of user access also increases the potential risk of suffering a cyberattack.

Managing identities often relies on tedious, manual work. Our research found that 52% of all tech executives find the manual provisioning and de-provisioning of user access to be the most stressful challenge they face in identity and access management (IAM).

During times of normal business operation, it is easy to let small problems snowball into larger ones. During an M&A, the risk becomes even more pronounced and the means to tackle it often dwindle as hard-pressed security staff rush to deal with other problems. But failing to tackle identity can quickly lead to a crisis.

How can security leaders tackle this M&A identity crisis?

To manage the complexity of identities in M&A, CISOs and security admins need to develop a clear understanding of which accounts are genuine and belong to current staff members, and which are outdated and must be deleted. This is not a straightforward process, which is one reason we have observed a gap of 12 months or more between the date of a merger and the day when the parties manage to integrate their systems.

The first step is removing ghost or duplicate identities and gaining visibility into all live users. Mapping the web of identities should then be carried out in collaboration with HR and department heads in order to produce a correct headcount. Security leaders must then focus on implementing an IAM framework capable of dealing with the complexity and data volume of M&As.

Radiant Logic’s research found that 67% of organisations have a modern access control and governance solution, but many apps and users are left out. The majority of the current IAM solutions work at the application layer, focusing on unifying applications and systems instead of bringing identity data together. This is particularly problematic when integrating cross-organisational systems because many applications have different data needs, and are often highly tailored to the distinct requirements of an organisation or department.

How can a single source of identity data help organisations complete M&As?

The most effective solution to the problem of identity in M&A lies in building a unified single source for all identities using an Identity Data Fabric. This approach unifies all identity data across the organisational network, first collecting identities on-premise and in the cloud before mapping similar identities to an abstraction layer, and then blending them into a global user profile to ensure all identities are unique, complete and accurate.

The Identity Data Fabric operates at the data layer rather than an application layer, so will not interfere with the operations of existing applications, instead offering a more effective way of accessing, understanding and managing identity data across the organisations involved in M&A.

Implementing an Identity Data Fabric framework gives security teams total visibility over the entire network, enabling them to identify the access levels associated with each unique user across systems and applications, whether in the cloud or on-premises. Taking control of identity data will remove some of the turbulence from M&A. Identity Data Fabric can stop identity integration from becoming a crisis, and allow the newly-joined business to focus on what it does best.
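The clean-up described in the two answers above (removing ghost and duplicate identities against an HR headcount, then mapping accounts from several sources onto one global profile), as an added example that is not part of the interview and not Radiant Logic's product code. Everything in it is an assumption: the two constructed identity exports and their field names, the HR headcount set, the 90-day staleness window, the reference date, and the substrings used to mark an entitlement as privileged. The abstraction layer is a normalised e-mail address; service accounts without one stay source-qualified so they are reviewed rather than silently dropped.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

AS_OF = date(2022, 9, 23)                    # assumed review date for staleness checks
STALE_AFTER = timedelta(days=90)             # assumed policy: no sign-in for 90 days = stale
PRIVILEGED_MARKERS = ("admin", "operators")  # assumed markers of privileged entitlements

# Constructed sample exports (not from the article): the acquirer's on-premises
# AD, the acquired company's cloud IdP, and the HR headcount agreed with
# department heads. Each source keeps its own schema, as real exports do.
LEGACY_AD = [
    {"sam": "jdoe", "mail": "John.Doe@acme.example", "enabled": True,
     "last_logon": "2022-09-20", "groups": ["Domain Users", "Finance-RW"]},
    {"sam": "asmith", "mail": "a.smith@acme.example", "enabled": True,
     "last_logon": "2022-03-01", "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "svc_backup", "mail": "", "enabled": True,
     "last_logon": "2022-09-21", "groups": ["Backup Operators"]},
]
ACQUIRED_IDP = [
    {"id": "u-101", "email": "john.doe@acme.example", "status": "active",
     "last_login": "2022-09-22", "roles": ["crm:user"]},
    {"id": "u-205", "email": "pjones@newco.example", "status": "active",
     "last_login": "2022-02-10", "roles": ["erp:admin"]},
    {"id": "u-301", "email": "mlee@newco.example", "status": "active",
     "last_login": "2022-09-19", "roles": ["crm:user"]},
]
HR_HEADCOUNT = {"john.doe@acme.example", "a.smith@acme.example", "mlee@newco.example"}


@dataclass
class Account:
    source: str
    native_id: str
    email: str
    enabled: bool
    last_seen: date
    entitlements: list


@dataclass
class GlobalProfile:
    """One abstracted identity, blending every source account that maps to it."""
    key: str
    accounts: list = field(default_factory=list)

    def privileged(self):
        return any(m in e.lower() for a in self.accounts
                   for e in a.entitlements for m in PRIVILEGED_MARKERS)

    def stale(self, as_of):
        # Stale only if *no* linked account has signed in within the window.
        return all(as_of - a.last_seen > STALE_AFTER for a in self.accounts)


def profile_key(source, native_id, email):
    # Abstraction layer: map accounts onto a normalised e-mail; accounts
    # without one (service accounts) stay source-qualified so nothing is lost.
    email = (email or "").strip().lower()
    return email if email else f"{source}:{native_id}"


def normalise_ad(rec):
    return Account("ad", rec["sam"], rec["mail"], rec["enabled"],
                   date.fromisoformat(rec["last_logon"]), list(rec["groups"]))


def normalise_idp(rec):
    return Account("idp", rec["id"], rec["email"], rec["status"] == "active",
                   date.fromisoformat(rec["last_login"]), list(rec["roles"]))


def build_profiles(ad_records, idp_records):
    accounts = [normalise_ad(r) for r in ad_records] + [normalise_idp(r) for r in idp_records]
    profiles = {}
    for acct in accounts:
        key = profile_key(acct.source, acct.native_id, acct.email)
        profiles.setdefault(key, GlobalProfile(key)).accounts.append(acct)
    return profiles


def review(profiles, headcount, as_of=AS_OF):
    """Classify profiles for the clean-up: ghosts (no HR owner), accounts linked
    across sources, stale profiles, and the stale-and-privileged ones to fix first."""
    report = {"ghost": [], "linked": [], "stale": [], "stale_privileged": []}
    for key, profile in sorted(profiles.items()):
        if key not in headcount:
            report["ghost"].append(key)
        if len({a.source for a in profile.accounts}) > 1:
            report["linked"].append(key)
        if profile.stale(as_of):
            report["stale"].append(key)
            if profile.privileged():
                report["stale_privileged"].append(key)
    return report


if __name__ == "__main__":
    for category, keys in review(build_profiles(LEGACY_AD, ACQUIRED_IDP), HR_HEADCOUNT).items():
        print(f"{category}: {keys}")
```

On the constructed data the report flags the departed `pjones` account and the unowned backup service account as ghosts, links the two `john.doe` accounts into one profile, and puts the two stale privileged accounts at the top of the de-provisioning list. The `stale` test deliberately looks across all linked accounts, so a user who is active in the acquired company's IdP is not de-provisioned because their legacy AD account is dormant.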


Matt Cox, Managing Director and General Manager, EMEA, FICO, answers questions on fraud from Finance Derivative


What are the biggest fraud concerns for FICO’s customers?

Scams are definitely high on the list. There is a continued surge in Authorised Push Payment (APP) scams, advanced social engineering, and pandemic-related fraud.

The level of sophistication present in scams seems to grow at a daily rate and that is always one of our biggest concerns – staying ahead of the criminals. A coordinated approach to managing the authentication of customers will be a strong starting point for any organization, so that they can adapt and adjust as the market changes. To address current fraud concerns, banks need to take this into consideration. There are specific machine learning models designed to detect scam-related activity, and banks should explore those.

How have scams changed since the pandemic started?

Investment and crypto scams saw a big spike and there was a swift rise in vaccine-related scams with an emergence of a black market for the sale of fake vaccine passports. There is certainly a good level of public awareness of scams, but according to our consumer fraud survey, only 6% of customers said they were most concerned about being tricked into sending payments to a fraudster — as compared with 26% who were most concerned with having their stolen identity used to open an account, which is much less likely. This relaxed attitude in combination with increasingly realistic and creative social engineering and impersonation schemes, is part of the reason why fraudsters continue to succeed in scamming customers.

Authorised push payment fraud is one of the biggest concerns in the digital payments industry. According to UK Finance, APP fraud has, for the first time, surpassed card fraud with £355 million in losses attributed to APP fraud in the first half of 2021.

What is the challenge for banks right now in dealing with APP scams?

APP scams present a unique challenge as they involve tricking the victim into sending money to the fraudster. Despite measures like Confirmation of Payee (CoP) being put in place to stop these fraudulent transactions, the victim will have the final say and can override warnings put in their way. A layered approach is needed to prevent it; multiple tiers of armor are always most effective.

Some improvements in payment technology are actually making it easier for criminals to commit APP fraud. As more consumers and businesses adopt simple ways to send money in real time, the pool of potential victims increases, a trend accelerated by the COVID crisis pushing more people to use online banking. Real-time payments also lower the risk for fraudsters: as money is transferred instantly, fraudsters can move payments through multiple accounts in a process of layering to launder the proceeds of the fraud and make tracing them more difficult.

Criminals are devious and clever, and victims cannot simply be written off as gullible exceptions. As real-time payment schemes can be used to transfer large sums of money, there is a need to employ layered fraud protection across all products and channels used to manage real-time payments.

Maintaining good customer experience by not impacting too many genuine transactions is a growing concern. As banks get better at detecting scams, there is still a very high false positive rate with many genuine customers needing to be disrupted in order to find a single fraud. This is where advanced analytics and particularly a consortium approach are critical aids.

What has your research told you about how different generations think about fraud and scams and the actions they take to avoid them?

We frequently survey consumers across the world to get a sense of their attitudes towards fraud and the security measures implemented to catch it. The results are always interesting and often flag the differences in how age groups approach financial security.

For example, in our most recent survey of 1,000 UK consumers, 55% said they would switch banks if theirs was reported to be involved in a money laundering scandal. The younger age groups would be most eager to swap their financial service provider after a money laundering scandal: 64% of 18 to 24 year-olds would switch, as would 68% of 25 to 34 year-olds.

Those in the Millennials generation – aged 25-34 – appear to be the least impressed with banks’ current approaches to fraud. When asked about account takeover, 19% thought banks were not fair with customers in terms of how they resolved this. And when considering cases of customers being tricked into sending money to fraudsters, 21% of them thought measures were not fair.

How much of an issue is social engineering?

Social engineering is a vital component of a fraudster’s playbook. It is not a new approach for them but is one that can cause devastating results. Fraudsters buy compromised data (credentials, ID documents, personally identifiable information or payment details) and ultimately, they use it to manipulate victims and commit fraud. Sometimes, fraudsters don’t have all of the pieces of the puzzle together, so they often further manipulate systems and customers in order to get the full suite of assets they need to steal.

The complexity of scams and social engineering means that financial institutions have to take a layered approach to prevention and detection. For example, checking device characteristics is useful, but when combined with Confirmation of Payee, transaction analytics, customer profiling and instant messaging services for verification, this is where the layers play extremely well together. When and how fraud prevention solutions are deployed must be balanced with other factors such as customer experience and operational costs. Being dynamic and flexible is key to both creating the necessary balance and evolving at least as fast as the fraudsters can.

Identity authentication isn’t as strong in a scam event as it is in other fraud types. Nearly all fraud events start with a data compromise and with scams it’s no exception. Identifying compromised and vulnerable customers is still very inconsistent across banks, so there is a big opportunity to be more proactive in stopping the scam before it is initiated.

Many banks have incorporated consumer protection into their marketing plans but I would like to see more do it across the industry.
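The layered approach described in the answer above, as an added example that is not part of the interview and not FICO's product: each layer (the Confirmation of Payee result, the customer's payee history, their device history, and the amount measured against their own payment history) raises its own signal, and the signals are combined into an allow / warn / hold decision, where "warn" is the point at which the customer is asked to confirm and "hold" routes the payment for out-of-band verification. The layer weights, thresholds, CoP label values, and the customer profile and payment requests are all constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed layer weights and decision thresholds (illustrative only).
WEIGHTS = {"cop_no_match": 40, "cop_close_match": 15, "new_payee": 20,
           "new_device": 20, "amount_outlier": 25}
HOLD_AT, WARN_AT = 60, 30
Z_OUTLIER = 3.0   # amount more than 3 standard deviations above the customer's norm


@dataclass
class CustomerProfile:
    customer_id: str
    known_payees: set
    known_devices: set
    recent_amounts: list   # outbound payment amounts (GBP) from recent history


@dataclass
class PaymentRequest:
    customer_id: str
    payee_account: str
    cop_result: str    # assumed labels: "match", "close_match", "no_match"
    device_id: str
    amount: float


def layer_signals(req, profile):
    """Run each layer independently and return the names of the signals it raised."""
    signals = []
    # Layer 1: Confirmation of Payee outcome for the name/account pair entered.
    if req.cop_result == "no_match":
        signals.append("cop_no_match")
    elif req.cop_result == "close_match":
        signals.append("cop_close_match")
    # Layer 2: customer profiling, has this customer paid this payee before?
    if req.payee_account not in profile.known_payees:
        signals.append("new_payee")
    # Layer 3: device characteristics, is the request from a device seen before?
    if req.device_id not in profile.known_devices:
        signals.append("new_device")
    # Layer 4: transaction analytics, is the amount far outside this customer's norm?
    if len(profile.recent_amounts) >= 2:
        mu = mean(profile.recent_amounts)
        sd = pstdev(profile.recent_amounts) or 1.0   # flat history: avoid divide-by-zero
        if (req.amount - mu) / sd > Z_OUTLIER:
            signals.append("amount_outlier")
    return signals


def evaluate(req, profile):
    """Combine the layers into one decision; no single layer decides on its own."""
    signals = layer_signals(req, profile)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= HOLD_AT:
        decision = "hold_for_verification"   # out-of-band check before release
    elif score >= WARN_AT:
        decision = "warn_and_confirm"        # customer sees a warning and must confirm
    else:
        decision = "allow"
    return decision, score, signals


# Constructed sample customer and three requests (not real account data).
PROFILE = CustomerProfile("c-42", {"GB11TEST00000001", "GB11TEST00000002"},
                          {"dev-phone-a"}, [40, 55, 62, 48, 70, 51])
ROUTINE = PaymentRequest("c-42", "GB11TEST00000001", "match", "dev-phone-a", 50.0)
NEW_DEVICE_NEW_PAYEE = PaymentRequest("c-42", "GB11TEST00000009", "match", "dev-laptop-z", 60.0)
SCAM_PATTERN = PaymentRequest("c-42", "GB11TEST00000777", "no_match", "dev-phone-a", 4500.0)

if __name__ == "__main__":
    for req in (ROUTINE, NEW_DEVICE_NEW_PAYEE, SCAM_PATTERN):
        print(req.payee_account, evaluate(req, PROFILE))
```

The point of keeping the layers separate is the one the answer makes: a new device on its own is weak evidence, a new payee on its own is normal, but the two together are worth a confirmation step, and a CoP mismatch combined with an amount far outside the customer's history is held before the customer's final say can be exercised. Tuning the weights is where the false-positive trade-off described earlier in the interview actually lives.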

What are the latest scams you are seeing emerging?

Before Open Banking, criminals applied for low-risk accounts using a fake identity in order to start building up their credit file. Over time, they would move into commerce and then onto higher-value targets, hitting them hard.

We believe this approach is finding its way into the Open Banking ecosystem as a faster route to higher-value credit. Having secured low-risk bank accounts and passed the Know Your Customer requirements, criminals are attempting to access new services through Open Banking third-party providers, who offer loan approvals and various other financial and investment services.

We’ve also seen a steady rise in fake videos and audio with targeted content that manipulates and gains access to personal and finance data. As the technology becomes more sophisticated, it’s becoming the new favorite tool in financial crime. For instance, a bank manager in the United Arab Emirates fell victim to a threat actor’s scam, when hackers used AI voice cloning to trick the bank manager into transferring $35 million.

We believe this will become a big challenge for banks in Europe and across the globe as they find themselves increasingly targeted in this way. As those deep fake technologies develop, we will see more innovation and use of a wider variety of biometric technology thrown into the mix.


Why is your financial response plan static against dynamic risk?


By Kev Breen, Director of Cyber Threat Research, Immersive Labs

 

When it comes to cyber security, there is a grave misconception that financial services are the most secure industry. This perception comes from the massive security budgets that financial organisations tend to have. In fact, the combined BFSI industry leads the line in cybersecurity spending, holding 18.7% of the global security market share.

However, larger budgets don’t always mean better security. This is evident from the number of losses financial organisations suffer each year from successful attacks. In the banking sector alone, the annual cost of cyber-attacks reached $18.3 million per company last year.

Effective security often boils down to strategic elements such as how well organisations are managing risks, what response plans are in place, and how well the workforce is capable of tackling dynamic threats.

We talk to Kev Breen, Director of Cyber Threat Research at Immersive Labs, to understand the critical issues of human cyber capabilities and threat response plans in today’s financial services industry.

 

Why does the financial sector continue to be a frequent target of cyber-attacks?

The critical and sensitive nature of this industry makes financial organisations a more lucrative target for threat actors. Ultimately, it’s where the money is. Organisations like commercial banks, investment firms, accounting firms, insurance companies, and brokerage firms hold a lot of sensitive data – not just from individual users, but also from businesses and governments. These companies are a gold mine for attackers, in terms of data.

Also, targeting financial organisations allows threat actors to cause mass-scale disruption. For example, if a banking system is hit by a ransomware or Distributed Denial of Service (DDoS) attack, it will hinder its ability to effectively serve the customers until services are restored – leading to significant financial disruption. These are the key reasons why financial organisations continue to be frequently targeted despite investing heavily in cyber security.

 

What are the shortcomings of current financial response plans that are leading to this influx of successful attacks?

An effective threat response plan is critical for any organisation. When faced with sophisticated attacks like ransomware, your response plan determines how efficiently the workforce manages the security incident. However, the issue is that most financial response plans are static. They look good on paper but have little effect when the situation comes to be.

Also, organisations often don’t test these plans against real-world scenarios. They are established like a theoretical strategy, without any practical assessment or evidence to support their effectiveness in the face of a real security incident.

For example, in a traditional response plan, potential risks are identified, proposed response plans are outlined and then filed away for use when the incident occurs. However, sophisticated risks like ransomware are dynamic. They don’t always follow the same pattern or same variables. Also, they don’t always target the same files. So, if the response plan is not tried and tested against different scenarios, you can’t ensure that it will hold up when threats break.

Moreover, ransomware attackers are now applying a double extortion method. They don’t just encrypt and lock away your sensitive data but also exfiltrate it – threatening that companies must pay up immediately or see it leaked on public domains.

Another critical issue is that most companies develop their threat response plan with only the IT and security teams in mind. However, threat actors can target any department across your workforce, whether it’s the sales team, marketing team, or general admins. Threats like ransomware need a collective response. Every employee has a role to play.

If the response plan or training programs are just catering to the security teams, other employees won’t have the required knowledge or information to fulfil their responsibilities during an incident.

Therefore, in such an unpredictable threat landscape, businesses can’t rely on a static response plan. Chances are that their pre-determined plans won’t fit the variables of the attack or demand during the crisis. These implications were also evident in our latest research findings.

We found that financial organisations performed second worst in crisis simulation exercises out of 10 industries. In fact, out of the top ten worst decisions during a crisis, five came from financial services organisations. So, it’s safe to assume that most financial organisations lack the human-cyber capabilities to make adaptive and agile decisions when faced with dynamic threats like ransomware.

 

Why does it take so long for financial organisations to develop the necessary skill to defend against cyber-attacks?

Our research found that financial services organisations need an average of 97 days to develop the skills necessary to defend against critical cyber risks. National cyber security bodies recommend that businesses should not take more than 48 hours in patching vulnerabilities and implementing their response plan after the initial detection. Clearly, there is a major gap in human cyber capabilities for such organisations.

The reason for this gap comes down to the lack of cognitive agility among the workforce. Cognitive agility is the ability to adapt and shift our thought processes when faced with critical scenarios. Organisations need a workforce that can make agile and conscious decisions quickly when faced with diverse threat scenarios.

Cognitive agility inevitably increases the human-cyber capabilities of the entire workforce. Employees can consider the different aspects of an attack and make better decisions, instead of following a scripted response plan that wasn’t developed with a consideration of dynamic risks.

 

What are the proactive steps financial services organisations can take to develop cognitive agility amongst their workforce?

To build cognitive agility among the workforce, financial organisations need to prioritise a cadence of exercising. Simply launching training programs isn’t enough; they need to focus on scenario-driven simulations and test exercises. The aim is to build an entire workforce that can function as adaptable incident responders, who can think on their feet and effectively react to the situation in front of them.

That’s why scenario-driven exercises are critical. You’re not teaching people to respond to a specific crisis, but rather helping them develop critical thinking and decision-making skills.

It’s also important to consider how you are distributing such exercises across the entire organisation. Financial companies tend to have a very diverse workforce, with multiple different departments and multiple roles. Employees of each department have different skills and knowledge levels. Some might already have a great knowledge of the security domain, while some might be very new. So, making everyone go through the same level of exercises won’t get you the desired benefits.

This is where Cyber Workforce Resilience becomes significantly useful. It’s a robust model that allows companies to benchmark their current human-cyber capabilities, measure the knowledge, skills, and judgement of the current workforce, and prioritise exercises where they’re needed. Cyber Workforce Resilience helps to map human capability within the workforce and generate data/insights to produce a real-time picture of the organisation’s cyber resilience.

Benchmarking current knowledge, mapping out human abilities, and regularly exercising capabilities based on different scenarios will help build a resilient and agile crisis response team, who are always ready to take effective decisions – regardless of how dynamic the risks are.
