With the recent explosion of data breaches in financial services, it is becoming clear that the perimeter-based security approach is not working.
The premier financial services industry has always been a focus of cybercriminals because of the types of data it collects. In 2019, there were 1,509 cyberattacks against the financial sector, with 448 confirmed data breaches, according to Verizon's 2020 Data Breach Investigations Report. The industry was ranked second overall in the number of breaches, with only healthcare having more.
External attackers intent on stealing financial data carried out two-thirds of those attacks. Web application attacks were top targets, and credential-stealing was the principal method of the attacks. Not surprisingly, phishing was the primary way cybercriminals stole credentials. Employee errors were also a significant source of data breaches in the financial sector. More than 20 percent of these errors resulted from failing to secure a cloud storage bucket or misconfiguring a firewall.
Incidents at the hands of malicious insiders cost financial services companies the most to resolve, with an average of $243,101 per event in 2018, according to the Accenture Cost of Cybercrime Study in Financial Services: 2019 Report. It took more than 55 days to resolve a malicious insider attack.
Phishing was also expensive, costing financial services firms $156,690 per event and taking close to 25 days to resolve. For financial services firms, the average cost of cybercrime was $18.5 million in 2018, compared to the average cost of cybercrime across industries of $13 million.
This data highlights the fact that the perimeter-based security model, which premier financial services firms have relied on for decades, is costing these firms a great deal of money. "The perimeter-based model of security [has] categorically failed ... [Yet] we still have organizations that are running roughshod into this thing about building up really high walls and keeping the bad guys out," said Chase Cunningham, vice president and principal analyst at Forrester Research and Zero Trust evangelist.
"We can't continue to propagate that misery and think we're actually going to fix the problem. So it's one of these deals where no one did anything ‘wrong’. But [we] set ourselves up for failure. And if we don't change the approach, all we get is more failure," he explained.
Cunningham backs the Zero Trust model as the best alternative to the security perimeter approach. With Zero Trust, you are “essentially eliminating lateral movement and overly subscribed admin creds and all the things that ... you shouldn't have in architecture and focusing on getting it to zero ... And then being able to architect around that.”
The proliferation of data breaches in financial services companies not only results in costs from reimbursing customers and re-establishing consumer trust but also could result in premier financial institutions running afoul of US federal regulations.
Financial institutions handle vast amounts of sensitive nonpublic personal information (NPI). Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to keep customer NPI secure and ensure their affiliates and service providers safeguard customer NPI. If financial institutions fail to protect NPI, they can face Federal Trade Commission (FTC) fines and other regulatory actions. Earlier this year, the FTC fined California mortgage broker Mortgage Solutions FCS $120,000 for violation of GLBA and the Fair Credit Reporting Act (FCRA).
Among other violations, FTC said that Mortgage Solutions failed to develop and implement an information security program. The commission explained that the GLBA Safeguard Rule requires financial institutions to implement a comprehensive information security program with reasonable administrative, technical, and physical safeguards. Also, financial institutions must regularly test and monitor the effectiveness of that program.
To ensure the effectiveness of their data security program, financial institutions should conduct audits of their data security safeguards. They should verify that only the right people have the proper access to NPI and have visibility into the current access granted to employees and third parties.
To comply with GLBA and other federal regulations, financial institutions need to understand their actual security posture, not their "perceived security posture." Institutions that rely on a perceived posture instead could be in for a world of hurt when a data breach occurs.
Identity Governance Administration (IGA) and Financial Data Security
Financial services institutions can improve their actual security posture and create robust data protection programs by modernizing their identity governance and administration (IGA) programs with automation and analytics. IGA manages identity and access lifecycles across multiple systems. It automates the provisioning of accounts, fulfills access requests, provides visibility into actual versus perceived access conditions, and governs user access and access certification processes.
Premier financial services firms that want to maintain control over the digital identities linked to accounts held in repositories throughout their organizations require solutions that feature ease of use, mobility, business agility, and lower total cost of ownership. The lack of a modern IGA program is often the root cause of financial breaches. The DBIR report found that phishing and credential theft are the main ways that external actors get access to sensitive financial data.
A modern IGA program ensures that mistakes or intentional mischief by internal actors do not lead to data breaches. Mistakes are more common when a company uses ad hoc manual processes to grant and revoke user access permissions. As employees use multiple tools to access resources from alternative locations, institutions need risk-based policies that trigger notifications and improve visibility.
One thing is constant for financial institutions: the need to conduct annual audits. Audits require institutions to provide documentation, respond to requests for information, and meet with auditors, all of which cost time and money. The average audit fee totaled $283 per hour in 2019, up from $216 per hour in 2009. Financial organizations that fail audits need to develop a remediation plan, which can take a year or more to create and implement using legacy tools.
A modern IGA program can help ease the auditing and remediation process. It can provide easy access to auditing and compliance data. The process is automated and can roll up to other log management systems so the institution can correlate security events better.
Steps to Modernize IGA
For premier financial services companies, modernizing their IGA is a gradual, multi-step process, which can be pictured as an onion. Companies should start with a use case and then add layers of policy and integration. They should build high-level populations of people with access and then slowly fine-tune the process.
Another way of explaining IGA modernization is the KISS method: keep it simple, stupid. Most programs work best if they are kept simple, so simplicity should be the goal of modernizing IGA. If we take lifecycle management as an example, the process can be broken down into six phases. Each phase should be implemented deliberately before moving on to the next.
- Phase 1: Get business systems integrated; ensure data is clean and flowing correctly among the systems.
- Phase 2: Provision universal day one entitlements, the access common to all users. This includes access to Active Directory, email, company-wide groups, distribution lists, and other applications that all users need.
- Phase 3: Implement role-based access. The company divides up access based on user roles and gives specific users expanded access based on their responsibilities. This should be done gradually, starting with three or four roles. When users move within the company, they have their old access deprovisioned and their new access provisioned.
- Phase 4: Layer in access reviews. The company reviews user access and ring-fences users based on the access they need, such as managers and application owners.
- Phase 5: Implement separation of duties. This phase involves ensuring that specific duties are conducted by different employees—such as custody of assets, authorization of asset use, and recordkeeping of assets—to prevent theft and fraud.
- Phase 6: Put in place continuous improvement. The company matures the processes implemented in the previous steps. This phase also entails getting feedback from the business regarding whether the program is doing what it is supposed to do. Companies should set up an identity governance committee to get stakeholders talking and align the program with change management.
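The following is an added example, not code from the article or from any IGA vendor: a minimal Python model of the lifecycle phases above. It provisions day-one entitlements (Phase 2), moves users between a small role catalog with old access deprovisioned first (Phase 3), flags entitlements an access review would question (Phase 4), and reports separation-of-duties conflicts (Phase 5). All entitlement, role and user names are constructed for illustration.

```python
# Phase 2: universal day-one entitlements every user receives (constructed names)
DAY_ONE = {"ad-account", "email", "all-staff-dl"}
# Phase 3: a deliberately small role catalog (constructed names)
ROLES = {
    "teller": {"core-banking-read"},
    "loan-officer": {"core-banking-read", "loan-originate"},
    "loan-approver": {"core-banking-read", "loan-approve"},
    "accountant": {"ledger-write"},
}
# Phase 5: entitlement pairs no single person may hold at once (constructed)
SOD_RULES = [
    ("loan-originate", "loan-approve"),  # authorization vs. origination
    ("ledger-write", "ledger-approve"),  # recordkeeping vs. authorization
]

class IdentityStore:
    """Tracks each user's current role and effective entitlement set."""
    def __init__(self):
        self.role = {}    # user -> role name
        self.grants = {}  # user -> set of entitlements

    def joiner(self, user, role):
        # Day-one access plus the role's entitlements.
        self.role[user] = role
        self.grants[user] = DAY_ONE | ROLES[role]
        return self.grants[user]

    def mover(self, user, new_role):
        # Deprovision the old role first; ad hoc grants survive the move for review.
        old = ROLES[self.role[user]]
        self.grants[user] = (self.grants[user] - old) | ROLES[new_role]
        self.role[user] = new_role
        return self.grants[user]

    def leaver(self, user):
        self.grants[user] = set()
        self.role.pop(user, None)

    def grant_adhoc(self, user, entitlement):
        # Out-of-role grants are where SoD conflicts creep in; report them.
        self.grants[user].add(entitlement)
        return self.sod_violations(user)

    def sod_violations(self, user):
        held = self.grants.get(user, set())
        return [r for r in SOD_RULES if r[0] in held and r[1] in held]

    def review_excess(self, user):
        # Phase 4: entitlements not explained by day-one access or the current role.
        return self.grants[user] - DAY_ONE - ROLES[self.role[user]]
```

Note that a mover can create an SoD conflict without any new ad hoc grant: an entitlement granted outside a role earlier is retained across the move, which is exactly what the Phase 4 review is meant to surface.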
While these phases are just for lifecycle management, the phased approach should be used for the entire IGA modernization.
Premier financial services companies should think holistically about IGA. Identity Solutions can help with the process by bringing IT, security, business, and leadership to the table. This is key to success because leadership buy-in is often challenging to obtain due to the level of organizational change involved.
Identity Solutions ensures a frictionless user experience. We work with stakeholders and vendors to remove complexity and improve productivity. We offer a robust user access request process to ensure that only authorized users can access what they need to do their jobs. We also ensure that the company has visibility into what users are doing on the network. We provide users the path of least resistance. We show them how to employ the access request process to get what they need if they do not have it already. This minimizes productivity issues and the incentive for users to go around IT to get what they want.