Banking and financial firms are among the most heavily regulated industries, and not without reason: they manage large volumes of sensitive customer information, and the consequences of a data breach can be dire.

However, not all financial institutions have a mature cybersecurity landscape. A 2019 CyberArk report indicates that globally, 29 per cent of financial services firms still keep and manage sensitive passwords in a spreadsheet or Word document on a company laptop.

Why do finance firms need to mount a proactive digital defence, and how can they protect privileged information effectively and cost-efficiently?

Securing workstations amidst Covid-19

For hackers, every single workstation can be a potential opening into an organisation.

Workstations have built-in administrator accounts which internal IT teams can use to fix local issues. For most users these accounts serve little practical purpose, as employees typically do not require this level of access into an organisation’s system to fulfil their day-to-day duties. However, they give hackers a much wider attack surface to take advantage of.

Workstation users may unwittingly download potentially malicious applications and software or unknowingly click on phishing links. This creates an easy entry point into the system for hackers, who can then jump laterally from workstation to workstation until they arrive at critical data.

The problem of unsecured devices is compounded by Covid-19 work-from-home measures, which have at times forced employees to use their own devices for work. In Singapore, for instance, 70 to 90 per cent of bank staff have been working from home since April.

This raises the problem of “hostile home networks”. When employees use their personal networks, multiple family members have access to the same network and could click on harmful links and content. This could expose the employee’s device to malware, which may then make its way into the organisation’s network.

Furthermore, even where banks have well-established IT systems that securely allow for remote work, there has been a sudden surge in the number of staff needing remote access. This can pose a challenge to firms, at least initially, as some employees may not have the hardware or software necessary to access their firms’ VPN. IT teams may temporarily loosen some controls to accommodate this, opening security gaps in the network.

With less oversight than ever over unsecured devices, it will be even harder for companies to secure vulnerabilities in their networks moving forward. And with many banks considering a longer-term shift towards letting staff work from home even after Covid-19, this problem isn’t going away anytime soon.

Innovation opens up vulnerabilities

Financial services need to consistently upgrade their digital offerings in order to differentiate themselves and remain competitive. However, modifying or developing new applications can inadvertently cause security lapses that hackers are all too ready to take advantage of. This is especially so when new innovations are built upon outdated systems that are unable to interact effectively with new updates.

A high-profile Uber breach in 2016, for example, occurred when the company’s developers were working on a private cache on software development platform GitHub. Intruders found the private data of a staggering 57 million Uber customers in this code, and Uber was fined a hefty US$148 million. If a similar breach were to occur in financial service organisations, the consequences — in terms of both lost privacy and broken customer trust — would be unthinkable.

As financial organisations generate ever-larger volumes of data, many have turned to cloud computing to manage this information efficiently, and an increasing number of services are outsourced or based on the cloud. With less and less direct insight into their data, it is crucial for firms to completely secure privileged access to their networks.

Unfortunately, financial service companies seem to be lagging in this aspect. Approximately 34 per cent of financial services companies worldwide do not have an organisational standard for the tools and methods they use to manage digital authentication credentials, CyberArk’s 2019 Global Advanced Threat Landscape reported. In a sector where 62 per cent of breaches involve stolen or compromised credentials, firms will have to step up their security measures in the near future to prevent risks. After all, hackers only need to be right once.

Human error

No matter the robustness of security systems, human action — whether maliciously-intentioned or not — often presents a weak link. Firms have to take proactive steps to prevent this. Human error accounts for 17 per cent of all data breaches, representing a 50 per cent jump from 2019, Verizon’s 2020 Data Breach Investigations Report revealed.

Firms need to make sure that employees can only access files, data and sensitive applications to the extent that is strictly necessary for them to do their jobs. This access should only be granted within the timeframe that they need it, and ex-employees should have their identities blocked from systems altogether.

Hackers have also become better at exploiting human weaknesses. “Cyber attackers are the ultimate psychologists,” said Nir Chako, Security Research Team Leader for CyberArk Labs.

Cybercriminals successfully used social engineering techniques against Twitter, resulting in one of its worst hacks in history. In July this year, attackers manipulated a small group of Twitter employees and used their credentials to gain access to critical systems.

The solution: Managing access

To counter external and internal threats, financial services organisations need an effective privileged access management system.

Privileged access management allows security teams to monitor accounts with administrative access to critical information. To maximise effectiveness, access management solutions should be integrated and cohesive, rather than a collection of separate solutions that target different business functions in a company.

CyberArk’s Privileged Access Management Solution can be extended to accommodate new applications and privileged credentials, be it on-premise, on mobile, or in the cloud. This allows firms to race ahead with developing cutting-edge innovations, without being held back by security concerns.

Automated security solutions can be helpful as well, giving IT departments more bandwidth to focus on digital innovations that improve customer experiences and strengthen customer loyalty. By monitoring sessions in real-time, CyberArk’s solutions rapidly detect abnormal activity and terminate sessions where applicable to disrupt potential malware attacks.

Cyber threats are growing in every industry, and protecting sensitive information is set to get even harder as we tackle the pandemic. Amidst this uncertain environment, it is more important than ever for financial services organisations to invest in robust security solutions to keep customers safe.

Image by Jason Baker – CC BY 2.0.