SPOTTING CYBERSECURITY WEAKNESSES IN FINANCIAL INSTITUTIONS

Gerald Beuchelt, CISO, LogMeIn


Thinking as a consumer, would you rather your social media account gets hacked, or your bank? While neither is preferred, most consumers would likely choose the social media account. Banks and other financial institutions hold some of the most personal and valuable customer information. Consumers have to deal with side effects whenever a business they use is breached, but with banking the consequences can be much more tangible. In the first half of 2018, UK banking customers lost £358 million to unauthorised fraud. This is exactly why financial institutions have long been a highly sought-after target for hackers.


So much so that financial firms are targeted more than any other sector. Given this aggressive threat, even more responsibility falls on our financial institutions to protect their customers. There is endless technology being developed for this purpose and while it should not be overlooked, some of the most common vulnerabilities often stem from a much simpler issue.


Passwords. They remain an easy entry point for hackers and a persistent source of attacks: 81% of data breaches involve weak, reused or stolen credentials. Even though passwords are the very basics of cybersecurity, they are a real problem for organisations, including those in the financial sector. A recent study that scored businesses on password practices and multifactor authentication (MFA) adoption found the financial industry performing below average.

As financial institutions address all aspects of cybersecurity, passwords deserve immediate attention to ensure they’re not an easy target. Best practices on password security will address the technology and the employee culture.


Reviewing the regularity of risk assessments

At its most basic, a breach occurs when an organisation’s vulnerabilities are found and exploited by attackers. Banks and other financial institutions must continually evaluate their systems for possible weaknesses, especially as attackers’ techniques constantly change. Complacency is an organisation’s greatest enemy. Simply because a system was secure last year, last month or even last week does not mean it will be sufficient against future threats.


Whilst risk assessments of critical systems should be a regular occurrence within financial institutions, organisations should also ensure they assess secondary systems containing non-critical assets. Employees’ private activities and accounts, such as personal email or Facebook, are still potential gateways to an internal network, so authentication policies should be a main focus of these assessments. As part of these evaluations, it’s important to consider what information employees have access to. They should only have the data needed to carry out their job and no more. Limiting access wherever possible reduces the number of potential vulnerabilities.


Financial institutions can also benefit substantially from advanced offensive security, such as penetration testing and “red team” exercises, to improve visibility and security awareness across the organisation. Red team testing comprehensively exposes physical, hardware, software and human vulnerabilities before they become entry points for hackers or provide opportunities for bad actors and malicious insiders to compromise systems.


The danger in “Password1”

Going back to the above point on understanding vulnerabilities, while there are endless new technologies to combat cybersecurity risk, including advanced AI and biometrics, sometimes the simple solution is the most valuable. Case in point, ground-breaking technology can’t help a weak password culture. The basics of password policies and authentication are critical to enterprise security.


As such, password management should be a top priority. This should include education for all staff on safe password practices, how to create a strong password, and the importance of using unique credentials across all accounts. To encourage adoption, organisations can implement password management tools or at the very least, direct employees towards the solutions. These tools will help remove the reluctance towards keeping track of multiple, complex passwords.


Going further in password security, multifactor authentication (MFA) is one of the most effective ways to add another layer of protection to password-protected accounts. With MFA, the hacker has to provide an additional factor (a one-time code generated by a hardware token, a fingerprint, etc.) even if they do obtain the password. The recent Timehop breach, which affected nearly its entire customer base of 21 million users, occurred because the company hadn’t protected access to its cloud network with MFA. Again, one might expect the financial sector to have already adopted this practice; however, a recent report found that only 16% of banking/financial institutions had adopted MFA, compared to 31% of technology businesses.


It’s about the employees

As with most business practices, security measures are completely useless if not adopted. Business leaders can have all of the right intentions in implementing processes, but in reality it’s the employees who are going to be responsible for acting on them.


That is especially true with cybersecurity. If employees aren’t properly and thoroughly educated on the threat and best practices, then any cybersecurity measures won’t be fully effective.


Firstly, employees need to understand the severity of the threats and the sophistication of attackers. Secondly, guidelines should be distributed with well-illustrated security policies and education on how to follow said policies. Finally, regular training sessions should be conducted to keep staff up-to-date on new threats and ensure proper security practices are embedded in company culture.


The current threat landscape leaves no room for error or laziness. The leaders of our financial institutions need to imagine they have a target on their back. They also need to fully realise the damage that can be done to their customers in the event of a breach. With this mindset, they then need to put as much attention as possible on the organisation’s security policies. Underestimating the risk or over-assuming employees’ prowess on best practices is going to create vulnerabilities that cannot be permitted.
