How can identity security help solve the compliance conundrum?
In the UK, three-quarters (73%) of consumers now use digital banking channels on a weekly basis, as people grow increasingly accustomed to their ease and convenience.
This means that banking is becoming less about securing buildings and protecting cash and more about not leaving the door open for cybercrime.
However, criminals now have more touch points than ever to infiltrate a banking system.
Mobile functionality, blockchain integration and the emergence of banking-as-a-service have led to a growing number of cyber threats for organisations, but also more compliance requirements.
In fact, GDPR generated €182 million in fines in 2020 alone – in addition to evolving FCA regulations.
Compliance doesn’t have to be a huge burden, though, and can actually give organisations a competitive advantage if approached in the right way.
Someone on the inside
Financial services are a major target for malicious attackers seeking to get hold of money and sensitive information.
But a large part of this actually comes from within organisations – between 2018 and 2020, the average annual cost of insider breaches in financial services increased by 20.3% to $14.5 million, making it the worst affected industry.
Whether it’s a disgruntled employee out to cause trouble, or an employee accidentally clicking on a phishing link, the level of access employees have to sensitive business data makes them a potential vulnerability which can open the doors to being breached.
Complex corporate structures and departmental silos make the situation more difficult. Many organisations don’t know where the real vulnerabilities lie in their systems.
With complicated structures, this is a barrier to visibility into different roles and responsibilities, and who has access to what. Spreadsheets and manual processes that track data and user identities are often the source of inaccuracies and inconsistencies.
Not only is this a major headache when it comes to auditing and reporting, it also creates security gaps in the system which can be exploited.
Shared responsibility
Separation of duties is an important concept in banking and financial services to reduce risk of error and fraud, and access is critical here.
An individual can’t control more than one part of a transaction – for example, both creating and paying invoices. Organisations must limit access accordingly to prevent the misappropriation of funds.
However, putting separation of duties into practice can prove challenging. Although banks define what roles can and can’t overlap, the number of apps and systems increasingly being used can muddy the waters, and administration can grow complex and error prone.
‘Over-permissioning’ or ‘entitlement creep’ can also set in when staff move about, pursuing different roles and responsibilities – which is often the case through lateral transfers and promotions. Not to mention all the different logins for various licenses and subscriptions that employees have access to during their time in an organisation.
All of this can mean organisations lose control over who is permitted to access what – a vulnerability that could be exploited if it’s not dealt with quick enough.
Giving the right access, at the right time
Financial institutions must have the right technology in place to protect their organisations from breaches. This means getting access right.
By having visibility over who can access what information, and when, organisations can identify potential vulnerabilities in systems. This allows them to meet compliance requirements head on, but also streamline operations.
Technology like identity security, which is powered by AI and machine learning, can achieve this. Processes can be automated and access granted on a need-to-know only basis, which sits in line with the roles and responsibilities of individuals.
An identity solution can, for example, find and disable accounts of ex-employees, but also continuously refresh access rights for those across the entire organisation, always accounting for different movements.
An automated identity policy means accuracy and completeness of data sets, which is crucial for keeping up with compliance. It can also free the IT team up to focus on higher level tasks, rather than issues like sorting password resets, or additional data access.
Critically, it also means being able to spot and take action early against suspicious behaviour, reducing the chances of a breach from occurring and keeping organisations protected.
Getting ahead of the curve
Protecting the enterprise perimeter, streamlining operations and ensuring all data and users are properly accounted for highlights that identity security is a huge opportunity for banks, and offers a chance for them to get ahead of compliance requirements.
Customers using banks want to know that they are safe, following procedures and, most importantly, that their money is safe.
About the author
Ben Bulpett is identity platform director, EMEA at SailPoint.
Prior to SailPoint, he was the platform account director at Oracle.