Risk management and finance – Q&A with HID Global
Edwardcher Monreal, Security and Technology Evangelist, IAM Consumer Authentication Solutions at HID Global, provides great insight into risk management and finance.
1. In what ways does the financial sector differ from others when it comes to cyber-attacks? What do we have to be mindful of, above other industries?
First and foremost, it must be acknowledged that FinTech and financial services providers such as banks tend to handle a higher volume of sensitive information than many other sectors. This also makes them highly valuable targets for cyber criminals. It is imperative for such organizations to consider the full lifecycle of customer data and the information transfer process in order to properly evaluate the possible vulnerabilities that exist at every single stage of the information’s journey and lifecycle.
Real-time payments fraud is also a top-level concern. Structures such as the New Payments Platform Australia (NPPA) are set up to guide organisations and reduce the risk of financial fraud activity by streamlining payment protection and including behavioural biometrics and threat detection when initiated through NPP Payment Gateways.
Therefore, safely verifying customers’ and employees’ identities each time they access sensitive information is crucial.
Passwords have been the authentication method of choice – at least in some capacity – for years, but they are highly vulnerable to identity theft and can be an easy way to allow data leaks. Moving to secure password-less authentication solutions that utilize encrypted communication channels, with data at rest protected wherever it is stored in the cloud, provides a fast, highly secure way to grant access or enable transactions.
Digital access control – that is, providing secure access to digital machines, cloud-based files and so forth – should be considered in the same way as securing a physical premises. A single credential needs to identify and set levels of access for individuals in the company based on their seniority and role. It will then place restrictions on certain virtual areas of the company such as databases and cloud storage facilities. If somebody tries to access these virtual ‘areas’ without the proper level of approvals or with the wrong credentials, not only are they locked out of that system or database, but an audit of their visit will be recorded.
Of all industries, finance is the second-most targeted in Australia, behind only healthcare.
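The digital access control described in the answer above (one credential carrying role and seniority, restrictions on “virtual areas” such as databases and cloud storage, lock-out plus an audit record on a failed attempt) can be written down as a small policy engine. The following is an added example for this page, not HID Global’s product code; the role names, the 1 to 5 seniority scale, the area definitions and the sample credentials are all constructed for the demo.

```python
"""Role-based digital access control with an audit trail.

Added illustration only (not HID Global's product code): one credential
record carries the holder's role and seniority level; each protected
'virtual area' (a database, a cloud storage bucket) declares which roles
may enter and the minimum seniority required; every attempt, allowed or
denied, is appended to an audit log. Role names, the 1-5 seniority scale
and the sample data are assumptions made for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Credential:
    cred_id: str
    user: str
    role: str
    seniority: int          # assumed scale: 1 = junior ... 5 = executive
    revoked: bool = False


@dataclass(frozen=True)
class Area:
    name: str
    allowed_roles: FrozenSet[str]
    min_seniority: int


@dataclass(frozen=True)
class AuditEvent:
    ts: str                 # UTC ISO-8601 timestamp of the attempt
    cred_id: str            # credential presented, even if unknown
    user: Optional[str]     # None when the credential is unknown
    area: str
    decision: str           # "ALLOW" or "DENY"
    reason: str


class AccessController:
    def __init__(self, credentials: List[Credential], areas: List[Area]):
        self._creds = {c.cred_id: c for c in credentials}
        self._areas = {a.name: a for a in areas}
        self.audit: List[AuditEvent] = []   # append-only record of every attempt

    def _record(self, cred_id: str, cred: Optional[Credential],
                area: str, decision: str, reason: str) -> bool:
        self.audit.append(AuditEvent(
            ts=datetime.now(timezone.utc).isoformat(),
            cred_id=cred_id,
            user=cred.user if cred else None,
            area=area, decision=decision, reason=reason))
        return decision == "ALLOW"

    def request_access(self, cred_id: str, area_name: str) -> bool:
        """Return True only if the credential may enter the area.

        The first failing check denies the request; the reason is logged
        so a reviewer can later see why a visit was refused.
        """
        cred = self._creds.get(cred_id)
        area = self._areas.get(area_name)
        if cred is None:
            return self._record(cred_id, None, area_name, "DENY", "unknown credential")
        if cred.revoked:
            return self._record(cred_id, cred, area_name, "DENY", "credential revoked")
        if area is None:
            return self._record(cred_id, cred, area_name, "DENY", "unknown area")
        if cred.role not in area.allowed_roles:
            return self._record(cred_id, cred, area_name, "DENY", "role not permitted")
        if cred.seniority < area.min_seniority:
            return self._record(cred_id, cred, area_name, "DENY", "seniority below minimum")
        return self._record(cred_id, cred, area_name, "ALLOW", "role and seniority satisfied")


def build_demo_controller() -> AccessController:
    """Constructed sample data for the demo (not real users or systems)."""
    credentials = [
        Credential("C-1001", "alice", "dba", 4),
        Credential("C-1002", "bob", "analyst", 2),
        Credential("C-1003", "carol", "dba", 2),
        Credential("C-1004", "dave", "dba", 5, revoked=True),
    ]
    areas = [
        Area("customer-db", frozenset({"dba"}), min_seniority=3),
        Area("cloud-storage", frozenset({"dba", "analyst"}), min_seniority=2),
    ]
    return AccessController(credentials, areas)


if __name__ == "__main__":
    ctrl = build_demo_controller()
    for cred_id, area in [("C-1001", "customer-db"), ("C-1002", "customer-db"),
                          ("C-1003", "customer-db"), ("C-1004", "cloud-storage"),
                          ("C-9999", "cloud-storage")]:
        ctrl.request_access(cred_id, area)
    for ev in ctrl.audit:
        print(f"{ev.ts} {ev.cred_id:<7} {ev.user or '-':<6} {ev.area:<14} {ev.decision:<5} {ev.reason}")
```

Two design points worth noting: the audit entry is written for allowed visits as well as denied ones, because the reviewable trail is the point of the control, and the audit list is only ever appended to, so a denied party cannot tidy up the record of their own attempt.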
2. To what extent are identity breaches responsible for attacks in our region?
Identity breaches are the single biggest factor leading to cyber-attacks in Australia. The Office of the Australian Information Commissioner (OAIC) states that: “Contact information, identity information and financial details continue to be the most common types of personal information involved in data breaches.”
Notably, the second highest factor in data breaches is human error, coming in behind malicious attacks as the reason behind criminals breaching a network or organisation. That suggests that to some extent, employees or other users are being careless with their credentials. It is therefore imperative to remove the opportunity for human error from the equation as much as possible.
3. Are most identity thefts and related attacks from malicious insiders, compromised insiders, external forces, or simply human error/carelessness?
While most attacks are from cyber criminals and malicious attacks, many also come from human error and simple carelessness. This may involve factors such as responding to a phishing email, using a weak password, accidentally leaving a password lying around in plain view and so on.
Malicious insiders do form a certain element of risk too, however, whether that is due to being compromised by a third party, personal circumstances such as debt or, in some cases, simple vindictiveness against a company.
4. Please state the highest priority measures an organisation can take to ensure safety of passwords, identities and other access control methods.
Secure identities are essential these days for an organisation, especially those in the finance space. This can take several forms, but an end-to-end solution is critical to ensure that no ‘gaps’ have been left, or risk vectors overlooked. Organisations should consider the following factors:
- Adaptive multi-factor authentication (MFA) ensures that only necessary users gain access to critical networks, applications and data—with the highest level of convenience possible.
- Secure physical and logical access management that supports Zero Trust security initiatives at all levels, including who is accessing what areas within your workspace.
- Identity management and credentialing ensure that users and devices are securely issued with high assurance factors and that their identity lifecycle is managed properly.
- Risk-based analytics and reporting tie complex data together through AI-powered intelligence, allowing for rapid decision-making as well as meeting compliance requirements on time, which helps mitigate fraud.
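The first and last items in that list (adaptive MFA and risk-based analytics) come together in one decision: signals about an attempt are scored, and the score decides whether the primary factor is enough, a second factor is demanded, or the attempt is refused. The block below is an added example for this page, not HID Global’s product logic; the signal weights, thresholds, the user profile, the high-value cut-off and the threat-list entry are all assumptions made for the demo.

```python
"""Adaptive (risk-based) multi-factor authentication decision.

Added illustration only (not HID Global's product logic): the signals
around a login or transaction request are scored, and the score decides
whether the primary factor alone is enough, a step-up second factor is
required, or the attempt is blocked. Signal weights, thresholds, the
user profile and the threat-list entry are all assumptions for the demo.
"""
from dataclasses import dataclass
from typing import Dict, Set

# Assumed weights: each signal that fires adds its weight to the score (capped at 100).
WEIGHTS: Dict[str, int] = {
    "new_device": 30,
    "unusual_country": 30,
    "unusual_hour": 10,
    "brute_force_pattern": 35,
    "threat_ip": 70,
    "high_value_transaction": 30,
}
STEP_UP_THRESHOLD = 30    # score >= this: require a second factor
BLOCK_THRESHOLD = 70      # score >= this: refuse outright

# Constructed threat-list entry; 203.0.113.0/24 is the TEST-NET-3 documentation range.
THREAT_IPS: Set[str] = {"203.0.113.7"}


@dataclass(frozen=True)
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range        # UTC hours during which this user normally logs in


@dataclass(frozen=True)
class AttemptContext:
    user: str
    device_id: str
    country: str
    source_ip: str
    hour_utc: int
    failed_attempts_last_hour: int = 0
    amount_requested: float = 0.0   # > 0 when approving a payment, 0 for a plain login


# Constructed profile for the demo.
PROFILES: Dict[str, UserProfile] = {
    "alice": UserProfile(known_devices={"laptop-01"},
                         usual_countries={"AU"},
                         usual_hours=range(7, 20)),
}

# An unenrolled user has no history, so every behavioural signal fires.
UNKNOWN_PROFILE = UserProfile(known_devices=set(), usual_countries=set(), usual_hours=range(0))


def risk_signals(ctx: AttemptContext, profile: UserProfile) -> Dict[str, int]:
    """Return the signals that fired for this attempt, with their weights."""
    fired: Dict[str, int] = {}
    if ctx.device_id not in profile.known_devices:
        fired["new_device"] = WEIGHTS["new_device"]
    if ctx.country not in profile.usual_countries:
        fired["unusual_country"] = WEIGHTS["unusual_country"]
    if ctx.hour_utc not in profile.usual_hours:
        fired["unusual_hour"] = WEIGHTS["unusual_hour"]
    if ctx.failed_attempts_last_hour >= 3:
        fired["brute_force_pattern"] = WEIGHTS["brute_force_pattern"]
    if ctx.source_ip in THREAT_IPS:
        fired["threat_ip"] = WEIGHTS["threat_ip"]
    if ctx.amount_requested > 10_000:          # assumed high-value cut-off
        fired["high_value_transaction"] = WEIGHTS["high_value_transaction"]
    return fired


def risk_score(signals: Dict[str, int]) -> int:
    return min(100, sum(signals.values()))


def decide(ctx: AttemptContext) -> Dict[str, object]:
    """Evaluate one attempt; returns the decision plus the evidence behind it."""
    profile = PROFILES.get(ctx.user, UNKNOWN_PROFILE)
    signals = risk_signals(ctx, profile)
    score = risk_score(signals)
    if score >= BLOCK_THRESHOLD:
        decision = "BLOCK"
    elif score >= STEP_UP_THRESHOLD:
        decision = "STEP_UP"
    else:
        decision = "ALLOW"
    # Keeping the fired signals next to the decision is what makes the
    # outcome reviewable later (the reporting side of risk-based analytics).
    return {"user": ctx.user, "score": score, "signals": signals, "decision": decision}


if __name__ == "__main__":
    samples = [
        AttemptContext("alice", "laptop-01", "AU", "198.51.100.4", hour_utc=10),
        AttemptContext("alice", "phone-new", "AU", "198.51.100.4", hour_utc=10),
        AttemptContext("alice", "phone-new", "US", "198.51.100.4", hour_utc=3),
        AttemptContext("alice", "laptop-01", "AU", "203.0.113.7", hour_utc=10),
        AttemptContext("alice", "laptop-01", "AU", "198.51.100.4", hour_utc=10, amount_requested=25_000),
    ]
    for ctx in samples:
        r = decide(ctx)
        print(f"{r['decision']:<8} score={r['score']:<3} signals={sorted(r['signals'])}")
```

The convenience the answer mentions comes from the first sample: a known device, in the usual country, at a usual hour, scores zero and passes on the primary factor alone. Friction is only added when a signal fires, and a single strong signal (a source address on the threat list) is enough to refuse the attempt without consulting anything else.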
5. Is there a difference in practices between a large, established financial organisation and a fintech in start-up/development mode? Please define.
In many cases there is, but this does not need to be the case. With financial regulations being so tight and broad in scope at the same time, security needs to be at the forefront of every fintech’s considerations. Many identification and access management solutions exist and are a good fit for all sizes and forms of organizations.
It is also true that large incumbent organisations are often hampered by ‘technical debt’ to some extent and will have legacy systems that do not necessarily work well together. In these cases, a smart open platform solution can act as an ‘umbrella’ solution and tie all loose threads together, making disparate secure identity solutions operate under the one system.
Fintech and younger finance companies have the advantage in many cases – the ability to look at their security holistically and start from the ground up. For these, a secure identity and access management solution should form the very basis of their security mission and look to tie physical security to logical security right across the organisation from the very start.
6. Have hybrid workplace conditions for fintechs and banks changed the threat levels for cyber-attacks?
Yes, certainly. Employees are no longer working solely in offices, surrounded by high level security, firewalls and access control. Files are accessed through cloud-based services, and employees are constantly communicating through digital mediums.
For these reasons it is more important than ever to verify an employee’s identity in a secure and seamless fashion.