The Covid-19 pandemic has pushed banks and customers towards rapid digitalisation. 70 per cent of Singaporeans said they have been frequently banking online since the pandemic began, and 80 per cent believed they would continue to do so after, a SingSaver study found.
With its potential for personalised services and sheer convenience, digitalisation was simply a matter of time. Yet online banking leaves customers more vulnerable to identity theft and data breaches.
What are the threats, and how can banks protect themselves amid the rapid digitalisation? Mike Kiser, Senior Identity Strategist at SailPoint, explains.
Digital banking, diffuse threats
“As in all security models, everything hinges on knowing and proving the identity of the person,” Kiser remarks.
Identity theft is a real possibility when in-person contact is removed from the picture. Without human-performed authentication processes, it can be difficult for banks to immediately transition to comparably robust online systems.
User activity has also become increasingly diverse. “Users of digital banks are not sitting at their desk at home conducting transactions,” Kisner says.
They access online services on laptops, on tablets, or on mobile — often with a variety of login options, ranging from a simple PIN to biometrics and multi-factor authentication. The result: threats can come from more directions.
Banks’ infrastructure are also more distributed than ever, with many embracing hybrid cloud for its flexibility. But this also creates far more vulnerable entry points between a company’s private networks and the external environment.
Identity governance is well-equipped to handle these challenges, Kisner says. Instead of assuming all users follow a default behaviour, this security model assigns access to different users according to their role in the organisation. It links people, applications, and devices, allowing organisations to quickly flag and address violations should users overstep their boundaries.
Intuitive is effective
Ease-of-use is “the most important factor” to ensure customers stay safe, Kisner says. “If a security facility or function is not intuitive, it is doomed to failure.”
Banks need to make simple features the cornerstone of their security posture. Facial recognition or fingerprint verification are excellent examples, Kisner elaborates.
Easy-to-operate systems ensure that even the less cyber-savvy employees are protected, and allows IT professionals to focus on value-adding.
SailPoint makes it easy for governments to secure access to sensitive systems. Users are granted and revoked access to different networks and services from a single centralised system.
ABN AMRO, the Netherlands’ third-largest bank, had 4,000 departments with different identity access policies. IT used to manually approve new access via email. SailPoint streamlined access for over 30,000 users to over 200 applications, allowing the bank to save time while remaining secure and compliant.
Zero trust: a must-have strategy
To secure digitalisation, banks must also adopt a Zero Trust strategy. This approach shifts away from a perimeter-based security approach, to treat all users as possible threats.
Kisner outlines four key steps towards Zero Trust.
First, banks must always verify customers’ and employees’ identities. This should happen at “every step in the process”, so access does not fall into the wrong hands.
Second, banks should ensure that users are granted just enough access to do their jobs. Individuals with higher credit scores may have access to more offerings, or the bank’s executive board could see financial data that is hidden from others, for instance.
Next, access should be time-limited. Ideally, users should only receive access “in the moment that they need it”.
Lastly, monitoring identities must be a continuous process. Systems must be “constantly evaluated” so they remain secure even as identities and environments change. Some automation is needed to achieve this efficiently as banks’ needs grow.
As digitalisation sweeps across the banking industry, banks face mounting security threats. An intuitive identity governance system can go a long way in keeping customers’ data safe.