
The task of ensuring the safety of inmates, staff, and society at large while maintaining order within the confines of correctional facilities is an intricate and multifaceted challenge. A closer look at prison security reveals a host of challenges that correctional institutions face.

Overcrowding and Resource Constraints

One of the most pressing challenges in the realm of prison security is the issue of overcrowding. Prisons, often operating beyond their intended capacities, strain both physical infrastructure and personnel resources. The U.S. federal prison security levels, ranging from minimum to maximum, are determined based on factors such as the inmate's criminal history and the potential risk they pose to society. Overcrowding leads to a host of security concerns, such as increased tensions among inmates, reduced supervision, and difficulties in separating violent offenders. We will examine the consequences of overcrowding and how it impacts the security measures that institutions can implement.

Contraband and Smuggling

Contraband, including drugs, weapons, and cell phones, poses a constant threat to prison security. Despite stringent measures in place to prevent smuggling, contraband continues to infiltrate correctional facilities.

Gang Activity and Violence

Gang activity within prisons is a persistent challenge that jeopardizes the safety of both inmates and staff. Inmates affiliated with gangs often engage in violence, extortion, and drug trade, further complicating security efforts. One of the key strategies used to address gang activity and violence across U.S. federal prison security levels is the practice of gang segregation. Inmates affiliated with different gangs are often housed separately to minimize the potential for conflict.

However, this approach has its limitations, as it can reinforce gang identities and loyalties, leading to continued violence and animosity. In recent years, there has been a shift towards more comprehensive programs aimed at gang disengagement and reintegration.

Technological Advancements and Privacy Concerns

Surveillance cameras, biometric access control, and data analytics have been deployed to monitor inmates and detect security breaches. However, this integration of technology raises critical privacy concerns. 

Guarding Against External Intrusions

Among external threats to prison security, escape attempts are a constant challenge. Inmates often employ ingenious methods to breach perimeter defences, exploiting any vulnerabilities they can find. From crafting makeshift tools to bypassing electronic security systems, their resourcefulness knows few bounds. In some cases, prisoners even attempt coordinated efforts to overpower guards during transportation, emphasizing the need for continuous vigilance.

To counter these external threats, prison authorities have implemented a combination of physical barriers and technology. High fences topped with razor wire, surveillance cameras, motion sensors, and drone detection systems form part of the arsenal to thwart escape attempts. However, achieving the right balance between security measures and respecting the human rights of inmates is an ongoing challenge. The need to ensure secure confinement must be weighed against the principles of humane treatment and rehabilitation.

Long-Term Security through Reintegration

Ultimately, the most effective form of prison security lies in reducing recidivism rates. The successful reintegration of inmates into society not only benefits the individuals but also contributes to public safety. Correctional facilities offer various educational and vocational programs to equip inmates with skills that can enhance their employability upon release. These programs aim to reduce recidivism by providing inmates with opportunities for personal growth and self-improvement.

From external threats to the delicate balance between technology and privacy, and the overarching goal of rehabilitation, addressing these complexities is crucial for the safety of inmates, staff, and the broader community. Effective prison security necessitates a combination of robust policies, well-trained personnel, innovative technologies, and a commitment to rehabilitation. By addressing the multifarious issues in prison security, society can aspire to a fairer and more secure correctional system, one that upholds justice while fostering rehabilitation and reducing recidivism. 


Numerous finance apps on the market provide a wide range of facilities. Here is a comprehensive guide on the different types of financial apps and how to choose the right one for you.

Main Types Of Financial Apps

Based on the services provided, financial apps can be categorised into different types. Payment gateways are generally used by e-commerce websites to let customers pay for goods easily with debit or credit cards. For instance, Venmo and PayPal are a few apps whose gateways are used on e-commerce websites.

Budgeting apps are designed to help with savings and expense tracking. They are usually associated with a person’s bank account, and the bank shares the user’s transactions with the app, which then creates a statistical report of all spending. Financial forecasting apps use high-end technologies and artificial intelligence to predict and analyse the risks or profits of making an investment. Banks and financial companies usually use these apps. 

Then there are online banking apps that are most commonly used by the general public. Banks have individual apps for their brand that facilitate customers to track their spending, create an account, and make payments. Bookkeeping apps are widely used by large-scale organisations to keep records of their finances. Peer-to-peer payment apps have become very popular in the past few years. These apps are used to send, receive, and borrow money from your peers. Lastly, there are tax management apps that help you with calculating taxes and filling out tax forms.

Focus On Your Monetary Goals

Using the right finance apps will help you achieve your monetary goals faster. The right apps will assist you with tracking your progress and figuring out areas for improvement. Different types of apps are better suited for achieving different goals. For instance, if you plan to get out of debt after a hefty purchase, then apps like Acorns allow you to set up saving and budgeting goals. If you want to monitor your spending and expenses, apps like YNAB are your best option since they have tracking and budgeting features. So, keeping your goals in mind while choosing an app is essential.

Review The Features And Pricing

The wide range of features offered by finance apps is obviously not free; they come at a price. You need to weigh the advantages of the features against their price to pick the best app for you. If you're on a tight budget, then free apps are a better option. If you're looking for premium services that help develop goal-oriented monetary plans, then the services provided by apps like Greenlight are perfect for you.

Sending and receiving money is another crucial aspect of money management. Check whether the app you choose facilitates the transfer of money between two different apps. Apps such as Cash App and Netspend have these features. Sending money from Netspend to Cash App is a simple and straightforward process. So, you should consider all possible features when picking an app for long-term use. Compare the services and prices of different apps and choose the one that is worth the investment.

Check Reviews

You can’t get a thorough idea of the pros and cons of an app just based on its description. So, the best way to understand if an app works for you is by reading its reviews. Looking through scores and reviews on app stores will give you a general idea of an app’s benefits and drawbacks. Feedback will let you know whether an app is worth using or not. It’ll give you insight into other users’ experiences with the app. You’ll save a lot of time and money by carefully going through reviews. After all, you don’t want to begin using an app only to find out later that it doesn’t meet your requirements.

Security

The foremost aspect you should look into before using an app is its privacy policy and data protection systems. Your banking information is very sensitive and can cause a lot of trouble if it gets into the wrong hands. You want to choose an app that has a consistent record of keeping users' personal information safe and secure.

Understanding your financial goals and needs will help you make a better decision when it comes to choosing a financial app. There are a number of options to choose from. So, peruse through them all and you will certainly find one that works for you.

You can submit a loan request to online lending platforms if you need cash fast. You may not get no-credit-check loans with guaranteed approval, but lenders will still be able to approve your loan fast and fund it at their earliest convenience. 

This article will discuss emergency funds—what they are, the benefits of having one, and how to build your own quickly.

What Is An Emergency Fund? 

An emergency fund is a savings account you set aside for unexpected expenses, such as medical bills, car repairs, and job loss. An emergency fund ensures you have the money you need when something goes wrong.

4 Benefits Of An Emergency Fund

If you want to know the reasons why you should set up an emergency fund, here are some.

1. Peace Of Mind

This is perhaps the primary benefit of having an emergency fund. Knowing that money is set aside for emergencies can help reduce stress and anxiety. 

2. Avoid Debt

Your emergency fund will cover unexpected expenses without putting them on a credit card, saving you a lot of money in interest payments.

3. Help With Financial Goals

If you know that you have money set aside for emergencies, you can focus on other financial goals like building your retirement portfolio or saving for a down payment on a house.

4. Provide Security

Finally, an emergency fund can give you security in case of job loss. If you lose your job, you will still have money to cover your living expenses.

How Much Should My Emergency Fund Be? 

You must contemplate several factors, such as your income, job security, and the number of dependents you have. An acceptable standard is having three to six months of living expenses to cover your bills even during unemployment or another financial setback.

Where Do I Keep My Emergency Fund? 

It should be kept in a savings account, separate from your checking account. This will help you avoid spending it on non-essential items. Many banks offer high-yield savings accounts that offer higher interest rates than checking accounts to help you earn more money on your savings.

Easy Steps To Building An Emergency Fund 

Now that you're knowledgeable about emergency funds, it's time to start building your own. Here's how to get started:

1. Set a goal

Decide how much you want to save. The standard is three to six months of living expenses.

2. Create a budget

Track your monthly expenses and make adjustments as needed. This will help you free up some extra cash for your emergency fund.

3. Set up automatic transfers

Automatically transferring your savings to your account will help you reach your goal faster. 

4. Start small

If you have trouble saving, start with a smaller goal. Once you reach it, you can increase the amount you're transferring each month.

5. Keep your funds safe

You should place your emergency fund in a savings account to keep it safe and accessible when you need it.

Conclusion 

You need to have an emergency fund if you want financial security. It can help reduce stress and anxiety, avoid debt, and help you reach your financial goals. If you haven't built an emergency fund yet, now is a good time to start. Keep your fund in a safe place, such as a savings account, so it will be there when you need it.

About the author: John is a financial analyst but also a man of different interests. He enjoys writing about money and giving financial tips, but he can also dive into relationships, sports, gaming, and other topics. Lives in New York with his wife and a cat.

In times of increasing economic uncertainty, it’s more important than ever that your money is kept as safe as possible – whether from market tribulation or potential scammers. Here, we will explore some of the best approaches you can take to keep your well-earned cash safe and intact.

1. Banking Wisely

Step one in your quest for safer saving is to choose the repositories for your money wisely. Opening a savings account for your money can be a hugely useful way to hold and accumulate wealth, especially where higher interest rates are concerned. It is also the case that savings accounts often enjoy a higher level of protection, keeping your money safer from would-be fraudsters or cyber-criminals.

It is important that you do so with a reputable bank, though; choose a bank or building society with a high customer satisfaction rating, and ideally with a good word-of-mouth reputation. This way, you can be sure to receive quality customer service and rest assured that your savings are in the right hands.

2. Banking Safely

While choosing where you bank your money can be vital for security and peace of mind, it is just as important that you monitor your banking carefully. You should make sure to log in to your digital banking platforms on a regular basis, and to check over your bank statements to see if there are any irregularities. If there are any transactions you do not recognise, you should consult your bank immediately.

The same goes for your credit rating, which can have a profound impact on your future eligibility for loans or mortgages; scammers frequently commit identity fraud and open lines of credit in others’ names, having an adverse effect on their credit score without them knowing. Just as you check your transaction history regularly, you should also perform a regular credit check to make sure there’s nothing unexpected waiting for you.

3. General Safety Tips

Lastly, there are some general behavioural approaches you can adopt in order to ensure the safety of your money in the long run. The most important of these is the close guarding of all your banking details. You should never give out your PIN to anyone; you will not be asked to hand over or recite your PIN by any banking advisor or employee, and anyone who does ask for your PIN likely has ulterior motives.

Likewise with your account number, sort code and debit or credit card details, which you should keep close to your chest where possible. Do not write any security information on paper, and do not fill out any forms or respond to any emails regarding your banking security without verifying that they are genuinely from your lender or banking provider.


Current financial transaction methods have their limitations, exemplified by the typical £100 contactless transaction limit imposed to curb fraud, and carry risks of their own, such as ATM skimming to steal PINs.

Cyberattacks went up 600% during the COVID-19 pandemic, and financial institutions and their customers were undoubtedly priority targets for identity theft, the most common type of financial fraud.

With 67% of financial institutions reporting an increase in cyberattacks for 2021 and 79% of financial CISOs stating that threat actors are deploying more sophisticated attacks, the race is on for businesses to stay ahead of hackers and invest in technologies to safeguard both internal and customer data privacy.   

In a digital society, where elevated customer experiences are the new normal, people expect their payments to not only be safe but also easy and convenient.

When linked to biometric data, transactions, as well as other pain points for financial services such as lengthy onboarding and account verification, become swift, comprehensive, and exponentially more secure.   

A journey in trust  

Biometric technology's first forays into the identity verification scene were not without their own set of security and privacy challenges. Back then, some of these technologies proved to be easily hackable, especially facial recognition, which could be duped by deepfakes, 3D-printed reconstructions and even photographs of users. Strides made in "liveness" AI algorithms alone now paint a vastly different picture for the security and reliability of biometric authentication, providing 100% secure authentication.

Beyond this, developments in the space are opening up new and innovative avenues for the most common applications of biometric authentication, one of the largest being finance as we have seen from Mastercard’s recent “smile to pay” biometric payments enablement.   

Fully automated identity verification engines have been advanced in the most crucial areas for financial institutions: privacy, to remain compliant with rapidly evolving government regulations; customer experience, to rapidly enrol customers; and security, to reduce fraud and avoid financial losses.

At the core of an iconic digital identity verification solution is the capacity to "orchestrate" multiple dynamic data sets, not only to detect and deter fraud but also to deliver a customer experience that reduces online friction, converts more applicants to customers, and increases retention rates.

This also extends beyond initially considered use cases to a growing variety of industries, further validating the increasing trust being instilled in these systems. Face ID is no longer just for iPhones but is being implemented in hospitality for hotel check-in, customised personal experiences and room service payments, all without the need for a physical card.  

Why passwords are more problematic than protective  

It is not entirely unreasonable for organisations to have a fear of the unknown when it comes to implementing biometric authentication, nor for their customers who are expected to use it. However, where digital identity authentication has been subject to suspicion of data theft and privacy breaches, we must also acknowledge the gravity of the risks associated with passwords and PINs.

In 2021, 92% of LinkedIn’s users’ data was exposed and sold on the dark web in a breach widely reported as a result of weak passwords, with over 700,000 profiles found to be unlocked with a painfully simple “123456”.   

As we move at a rapidly escalating rate towards a cashless and contactless society, passwords and PINs are not only leaving individual security in the hands of human error but are nearing obsolescence. A worrying 59% of IT security respondents report that their organisation relies on human memory to manage passwords. When individuals are left to create and remember dozens, if not hundreds, of passwords, the likelihood of resorting to easily remembered but weak passwords skyrockets, along with their susceptibility to brute-force cracking by hackers.

Keeping track of changing passcodes, PINs, and security questions is time-consuming, less secure, and less convenient than in-depth biometric identity verification and authentication. Social engineering scams in particular, a key driver of fraud losses, rely on victims handing over personal details and passwords. This is circumvented when that information is replaced with biometric authentication.

We do see a convergence between the two where apps use biometrics to unlock a secure password store within the device. However, this typically does not offer added security but serves the purpose of convenience. When the security burden is placed on passwords in our modern cyber-sophisticated age, users are left highly vulnerable to breaches and data theft.   

Identity verification solutions need to balance risk with modern digital consumer needs and expectations. Biometrics as the primary or sole means of verification takes the onus of authentication away from the user, whilst maintaining the elevated levels of security that people and organisations expect from financial transactions.  

One identity everywhere  

As financial fraud becomes more pervasive and elaborate, and people become more focused on ensuring their privacy, creating a world of trust is pivotal, not only for identity verification, but also for the future of payments. The positive impact that AI and biometrics can have will be substantially limited if there is a lack of trust in how the technology is used. Users need to be sure that privacy is a top priority, and that their data is safe from theft or exploitation.   

With AI technology, we can create a smooth, secure, and privacy-enabled identity verification process in which people themselves will be the only documentation needed to verify their identity, an approach central to Incode’s “One Identity Everywhere” future. As consumers, retailers and institutions alike adjust to constant digital innovation, the gold standard in the future of payments will be both frictionless and secure, and where data privacy is absolute. 

About the author: Ricardo Amper is CEO & Founder of Incode.  


A new bar called AI Bar has a system that registers customers’ faces. It then lets the barman know which customer is next in line. You can use your fingerprint to unlock your phone. And many high-security offices now use a person’s body movements to determine their identity.

These systems have become so refined that critical identity verification moments barely register in the user's awareness. When you register yourself for a service, your face and eyes are matched with other data points you supply. Government-issued IDs like driving licences and passports are matched with the biometric data that you have submitted. If the match is successful, the system knows the customer is who they say they are. This entire seamless process can take as little as 8 seconds. Read on to find out more about the level of security biometrics offers.

What Exactly Is Biometrics?

Biometrics are slowly replacing traditional passwords and access keys everywhere. Biometrics can identify the unique physical qualities of a person. Facial features, the iris, fingerprints, and the retina are all such physical attributes. The Somali Army and Indian doctors have already adopted this technology at a state level. You have a piece of this technology in your pocket. Your smartphone can use biometrics to authenticate you into your bank account.

There are biometric technologies that can even peek underneath your skin. These can recognise the pattern of veins in your palm. When blood in the veins is deprived of oxygen, it absorbs more infrared light than the surrounding tissue. That is how your vein pattern can be recorded. New cutting-edge technology being developed allows a system to recognise a person based on their heartbeat. And you can even be recognised by your brainwaves.

So Is This A Goodbye To Passwords?

Fingerprints vs Passwords

Using biometrics is certainly more convenient. You simply touch a scanner with your finger, and you are in. It is a lot easier than typing in a password letter by letter. Passwords can also be weak, and they can be prone to hacking. They also happen to be out of date. However, password-protected systems are far easier to implement than biometrics. 

Facial Recognition vs Passwords

It all boils down to economics. The more data points that a system can log from your face, the more accurate your biometric profile will be. The level of security of the system will completely depend on its implementation. Thus, with more sensors, the system becomes more secure.

Iris Scanning vs Passwords

All these systems, whether fingerprints, facial recognition, or iris scanning, are similar. They all check for a single unique feature in a person. On the other hand, a password needs to be in your memory. You can’t just make a note of it and keep it somewhere because someone might find it. Furthermore, anyone who has your password can assume your identity. Thus, the future lies in multi-factor authentication. The most widely adopted systems will be those that users find the easiest to work with.

How Safe Is Your Biometric Data?

The responsibility of keeping your data secure rests with the company. In the ideal scenario, all biometric data is kept on the user’s device and not in the cloud. It makes things a lot harder to hack into. This practice is, however, not always followed.

A team of Israeli researchers hacked into a system with the biometrics of over 1 million individuals. They could gain access to 23 GB of data with 27 million unique data points. This set of data contained fingerprints, facial profiles, etc.

But password-based systems are also prone to hacking. Passwords can be stolen, and someone can watch you enter them, which isn’t possible with biometrics. Unfortunately, hackers have been quite successful in beating biometric systems. And unlike passwords, you can’t change your biometrics once they are compromised. Under lab conditions, hacking biometrics is possible.

An iPhone fingerprint scanner can be fooled by a fingerprint impression lifted from a piece of glass. A Samsung phone's iris scanner can be fooled by using a contact lens. A computer club in Germany could bypass a palm vein scanner using a wax hand. A Chinese group was able to beat Apple's Face ID using a pair of regular glasses and tape.

As you can see, biometrics are not perfect yet. However, it all depends on the number of sensors in use and the economics. The more elaborate a system becomes, the more secure it becomes.

Today, it’s almost taken for granted. According to a recent report by Leading Edge, 61% of business professionals identified hybrid working as critical to business success. And even in the financial sector, which is known for legacy systems and being slow to change, the idea of returning to pre-pandemic ways of working seems almost impossible, despite calls to return to desks.

A BBC survey found that 70% of people predict that workers would "never return to offices at the same rate", with the majority stating that they'd prefer to work from home either all or some of the time. And for financial companies, the evidence that a 'one size fits all' approach is not equipped to deal with this growing need is mounting. But while the workforce may have changed, many offices are still designed for their old ways of working, so it is up to businesses to keep up with changing employee expectations.

The move to mobility

Laptops have unsurprisingly been the main device on which most employees work and collaborate in the move to mobility. Indeed, in the UK alone, laptop penetration rose from 47% in 2009 to 76% in 2021. In the world of hybrid working, with meetings being controlled via these portable devices, businesses will need to invest in solutions that allow for seamless connectivity between office and home, while simultaneously mitigating the security risks that come with it. The finance industry will need to ensure offices are well equipped for hybrid meetings, implementing new software alongside updated audio-visual equipment to make collaboration easy and smooth.


But what about security?

The other headache facing IT leaders is the security risk of a hybrid approach. While these risks apply to any sector, the confidential and highly sensitive data-driven nature of financial work makes security absolutely paramount. Early in the pandemic, we saw multiple viral videos of conferencing platforms being hijacked by pranksters, and amusing as this is, it is only the tip of the iceberg. According to Deloitte, cyber-attacks are becoming increasingly sophisticated, with those using unseen malware methods rising from 20% to 35% since the outbreak of the pandemic led to a change in working practices.

This is why a recent study by Gartner found that worldwide spending on information security and risk management technology and services was predicted to grow 12.4% in 2021 to $150.4 billion. And it is necessary too: a 2021 study by Skybox Security found that 42% of UK financial services and law firms believe their cyber threat visibility and detection systems are inadequately equipped to manage remote employees. Legacy technology and broken processes tend to be the reasons given, but after a year of remote working, the call to modernise is becoming more urgent than ever. Leaders must prepare for the financial industry's new normal.

The cost of security breaches that come from hybrid working

No matter whether the issues stem from a cyber security breach or a phishing attack, the impact can be far-reaching. And as financial organisations are often the most common targets for cyber attacks, the need to be hypervigilant is understandable. In the UK and Europe, as more people go cashless, PII (personally identifiable information) can be redirected via physical card skimmers or online payment forms and used for malicious activity. Banks that are held to ransom may have to pay hundreds of thousands of pounds to recover lost data, risking the trust of their customers and other financial institutions. They could also face fines and sanctions for breaching data protection laws, as well as suffering a negative impact on staff morale.

The rise of cyber and phishing attacks caused by mobility and human error

The sharp rise in the number of employees carrying their laptops from home to the office and wherever else they choose to work has seen a dramatic increase in cyber and phishing attacks over the last two years, with human error an increasing cause of data breaches.

Findings from Sophos revealed that even though the number of ransomware attacks has actually decreased over the past year, the average recovery cost has more than doubled to $1.85 million. The mobility of hybrid workers has prompted cyber criminals to shift their attention “from larger scale, generic, automated attacks to more targeted attacks that include human hands-on-keyboard hacking.”

Ransomware is not the only threat, of course. Today, there is a wide range of attack methods that need to be considered and resisted. SonicWall’s Cyber Threat Report recently recorded 56.9 million IoT attacks, 5.6 billion malware attacks, and 4.8 trillion intrusion attempts. This helps to explain why, according to Dynabook, over one-third of Europe’s IT leaders pinpointed network or device security as the most difficult element of their IT infrastructure to manage during the pandemic.

Securing the mobile workforce

So how can organisations secure the data of their increasingly mobile workforce? It begins with protecting the front line by equipping employees with robust devices that meet the high level of security required today. Biometric tools, including two-factor authentication, offer a strong first line of defence, for example combining fingerprint and iris detection to restrict entry to a device.

Yet it’s also important to ensure devices feature deeper in-built security measures from a software and firmware perspective too, such as Trusted Platform Module 2.0 for enhanced encryption. Meanwhile, for IT teams, remote access control is essential so that strict permissions can be put in place, enabling them to manage which employees have access to certain files. From a policy perspective, we’re seeing more organisations take a zero-trust approach too – something which is particularly important in today’s hybrid environment to manage not just employees but partner organisations as well.

Business benefits of mobile secure client solutions for a mobile workforce

Beyond in-built security, mobile secure client solutions can also help to eliminate a significant cause for concern in terms of the device threat by adding boot-level security – something which is particularly important as we see the rise of hybrid working models.

In addition, by removing data from the device, storing it centrally and then making it accessible via a Virtual Desktop Infrastructure (VDI), such solutions provide the perfect balance of ultra-secure and ultra-productive mobile working. Employees can get on with their work, wherever they choose to be, knowing that the risk of data breaches through malware or lost and stolen devices has been nullified. With cybersecurity rated as the second highest source of risk in Gartner’s 2021 Board of Directors Survey, we can expect to see these mobile secure client solutions rise in popularity.

One thing is certain – this is a problem that will not be going away any time soon. With technologies advancing rapidly and hybrid working increasingly looking like the permanent norm, the threat of security breaches will continue to grow. IT leaders must embrace new solutions now to protect against this ever-increasing threat.

Finance Monthly hears from Nic Sarginson, Principal Solutions Engineer at Yubico, on emerging trends in data security that may soon be coming to financial services.

This past year has prompted a rise in take-up of digital banking services. As people stayed at home they went online to work, shop, stay in touch and manage their money. While this shift to online banking presents an opportunity to service providers with a digital-first approach, it also presents a target for cybercriminals intent on profiting from data breaches and account takeovers. Banks and their customers are adapting to a new, remote, relationship; as they do, the strength of online security protection will become a greater talking point and, for some institutions, even a source of competitive advantage.

According to some reports, as many as six million people in the UK made the switch to digital banking in March/April last year. Customers setting up their accounts will have created a password/PIN to use with a user ID to gain access. This form of authentication will be familiar from other log-in services; what may be less so is the additional strong customer authentication (SCA) check, such as a one-time passcode generated by a card reader or sent as a text to a registered mobile phone.

Password weaknesses

This second line of defence is incredibly important for financial services, as passwords are notoriously weak at preventing bank account takeovers. Reused passwords render multiple accounts vulnerable should a data breach put this information into the hands of cybercriminals. Passwords can also be guessed, given the range of common word and number combinations in use, and bank details are some of the most coveted data breach spoils.

Additional ID checks therefore boost security, but not all forms of stronger authentication are completely resistant to security threats. Mobile-based one-time codes that are so popular with banks, for example, can be vulnerable to SIM-swap and modern man-in-the-middle (MitM) and phishing attacks.


During a MitM attack the innocent party believes they are communicating with a legitimate organisation, such as their bank, but in reality information is being intercepted and relayed by a malicious third party. It isn’t easy to recognise this type of attack, even for the cyber savvy, as attackers create personalised and convincing communications to trick their targets. Routes in can include unprotected Wi-Fi and manipulated URLs.

In the more widely known phishing attack, people are tricked into parting with personal information such as login details. Phished credentials are then used to gain access to the user’s account and may be tried against other services as part of a multiple account takeover.

Managing the customer experience

For financial services, the strongest possible authentication to protect data and accounts does not always marry with the best customer experience. Each additional check can add time and frustration to the log-in experience, preventing customers from accessing their accounts whenever they want to – if, for example, they are in a mobile-restricted location.

Strong authentication therefore must meet the dual requirement of protecting account details and financial and personal information, while also providing a convenient, preferably frictionless, user experience. Added to that is another consideration - how simple it is to integrate additional authentication into back-end systems for both the existing product portfolio and future innovations. With the rate at which financial services are digitising, and payments moving cashless, this is a challenge most banks will find concerning. The finance industry is also faced with the critical need to ensure compliance with various industry regulations including GDPR, PCI DSS and PSD2 mandates that govern access to sensitive data.

Protecting corporate infrastructure

Financial institutions must also protect access to their own systems and applications. Here, the challenge is exacerbated by the fact that most banking infrastructures are a mix of legacy on-premises systems and private or public cloud-hosted services. They must all be protected against unauthorised access, a challenge that has been heightened by the rapid transition to large-scale homeworking of the past year.


Finance teams and employees working from unfamiliar locations expand the potential attack surface with home networks and personal devices suddenly a part of a bank’s corporate IT estate. Seamless, convenient and high-assurance multi-factor authentication (MFA) must be in place to protect data and corporate assets so that employees can securely access systems remotely without introducing new risks and vulnerabilities.

Financial services are starting to embrace hardware-based tools such as security keys as a route to strong authentication, which protects business and customer data without inconveniencing increasingly impatient financial customers. When it comes to their financial data, users appreciate authentication devices being something they have, as opposed to something they know, to protect against phishing attacks. For customers, they provide protection for accounts, while in the corporate setting they can secure access to systems and applications. Whether a team is tasked with upgrading a bank’s legacy infrastructure or is a new generation of fintech developers operating solely in the cloud, such an approach can offer seamless integration with operating systems, and conformance with global authentication standards.
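The contrast drawn above between a texted one-time code and a security key comes down to what the second factor is bound to. The simulation below is an added example, not code from the article or from Yubico: it models a real-time relay by a look-alike site against both factors, using RFC 4226 HOTP for the texted code and an HMAC as a stand-in for the signature a FIDO2/WebAuthn key would produce over the browser's origin and the bank's challenge. The origins, class names and the use of a shared HMAC key instead of a public key are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo values (not from the article): the bank's real origin and
# a look-alike phishing origin that relays the login in real time.
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.com"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, the kind of one-time code sent by SMS or a card reader."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpBank:
    """Relying party whose second factor is a bare one-time code: the code
    carries no information about *where* the customer typed it."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(20)  # shared with the customer's phone/app
        self.counter = 0

    def send_code(self) -> str:
        return hotp(self.secret, self.counter)  # "texted" to the customer

    def login(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self.secret, self.counter))
        if ok:
            self.counter += 1
        return ok


class SecurityKey:
    """Hardware authenticator. An HMAC key stands in for the private key a real
    security key would sign with; the point is what gets signed, not how."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def assert_login(self, browser_origin: str, challenge: bytes) -> bytes:
        # The browser, not the user, supplies the origin it is actually on, so a
        # look-alike site can only obtain an assertion bound to its own origin.
        msg = browser_origin.encode() + challenge
        return hmac.new(self.key, msg, hashlib.sha256).digest()


class KeyBank:
    """Relying party that issues a fresh challenge and verifies an assertion
    bound to its own origin (origin binding, as in FIDO2/WebAuthn)."""

    def __init__(self, registered_key: SecurityKey) -> None:
        self.key = registered_key.key  # stand-in for the registered public key
        self.challenge = b""

    def start_login(self) -> bytes:
        self.challenge = secrets.token_bytes(32)
        return self.challenge

    def finish_login(self, assertion: bytes) -> bool:
        msg = BANK_ORIGIN.encode() + self.challenge
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(assertion, expected)


def otp_login_relayed_by_phisher() -> bool:
    """Customer is on PHISH_ORIGIN and types the texted code; the phisher
    forwards it to the real bank inside the code's validity window."""
    bank = OtpBank()
    code_typed_into_phish_site = bank.send_code()
    return bank.login(code_typed_into_phish_site)  # True: the relay is invisible


def key_login_relayed_by_phisher() -> bool:
    """Same relay against a security key: the phisher forwards the bank's real
    challenge, but the browser is on PHISH_ORIGIN, so the assertion is bound
    to the wrong origin and verification fails."""
    key = SecurityKey()
    bank = KeyBank(key)
    assertion = key.assert_login(PHISH_ORIGIN, bank.start_login())
    return bank.finish_login(assertion)  # False


def key_login_genuine() -> bool:
    """Control case: same key and flow, browser genuinely on the bank's site."""
    key = SecurityKey()
    bank = KeyBank(key)
    assertion = key.assert_login(BANK_ORIGIN, bank.start_login())
    return bank.finish_login(assertion)  # True
```

Calling the three `*_login_*` functions shows the OTP relay succeeding while the security-key relay fails; `hotp(b"12345678901234567890", 0)` reproduces the RFC 4226 test vector 755224.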

If the finance industry is to effectively protect customers and customer data while providing the user experience that today’s consumers expect, it must look beyond basic protection methods to provide strong yet frictionless authentication. It’s shocking that social media accounts are often more secure than bank accounts today. Since consumers are increasingly exposed to better protection elsewhere, they'll soon be demanding the same security assurances for their bank accounts.

Philippe Alcoy, Security Technologies for NETSCOUT, describes the cybersecurity threat facing the financial services sector, the damage it has done and how it can best be safeguarded against.

In 2020, for the first time in history, the annual number of Distributed Denial-of-Service (DDoS) attacks exceeded 10 million. These attacks took place at greater frequency, speed, and strength, enabling attackers to knock out their targets faster than ever before. Now, NETSCOUT is seeing threat actors re-targeting companies that were previously able to prevent being attacked, focusing particularly on the finance industry.

Before looking at DDoS attacks in relation to the financial sector, it is important to understand what a DDoS attack is. DDoS attacks can be described as malicious attempts to make online services unavailable, which is achieved by overwhelming the service with traffic from multiple systems. The industries targeted by these attacks are wide-ranging, from telecommunications and eCommerce to finance and healthcare.

In 2020, the financial sector emerged as a prime target for cybercriminals. NETSCOUT observed that there were more DDoS attacks against the finance industry in the month of June than there were from January to May 2020. In fact, from June to August 2020, there were more attacks against the industry in this period than were seen in total between April 2016 and May 2020. There was also an increase in the speed of attacks that were taking place against the financial sector, with the total throughput of attacks increasing by roughly 4.5 times worldwide.

DDoS extortion campaign

This campaign of DDoS attacks targeting the finance industry was taking place worldwide, with banks, exchanges and other financial services organisations all being hit. But there was something unusual about these DDoS attacks: they were part of an extortion campaign. This involves extortionists demanding a payment via Bitcoin within a specified amount of time prior to or following a demonstration DDoS attack. In most scenarios, when the demands of the attackers aren’t met, the ensuing attack that was threatened does not end up taking place.


More recently however, NETSCOUT has discovered that the same attackers are returning to previous targets. The organisations that were successfully able to mitigate the first DDoS extortion attack are now being retargeted in follow-on attacks, months after the original attacks took place.

The impact of the campaign

The financial sector is a prime focus for this DDoS extortion series and the more recent retargeting campaign because its organisations are perceived to have access to large amounts of money, as well as vast swathes of private data, making them an obvious target for those behind the campaign.

It should be noted that the attackers claim to be part of well-known attack groups, such as ‘Lazarus Group’, ‘Fancy Bear’, and ‘Armada Collective’ to try and boost their credibility and scare their targets into paying up. As such, NETSCOUT has given the attackers the nickname ‘Lazarus Bear Armada’ (LBA).

Unlike other threat actors, these LBA attackers have carried out extensive research into identifying the appropriate email inboxes that are regularly checked and used, to make sure their threats are read by the right people. The increased accuracy of the extortion emails has the potential to cause serious damage to those in the financial sector. The campaign has the capability to disrupt a large number of services used by finance organisations, from online banking platforms and website access to internal systems that help the organisations to operate and fulfil the needs of customers.

A DDoS extortion campaign can lead to institutions losing a large amount of money, even without a ransom being paid, because the initial demonstration DDoS attack results in downtime for part of the company.

An indirect consequence of a DDoS extortion attack is the reputational damage that it can cause. For example, when financial organisations are hit by a DDoS attack, customers may be unable to access their money and financial information, and may feel put off or let down by the organisation not having the appropriate DDoS countermeasures in place.


In order to mitigate the risk posed by DDoS extortion campaigns, financial services organisations must have a solid plan of action in place. It is vital that when organisations are attacked, they know who to contact and notify. This should include key stakeholders, security providers and local regulators. Financial institutions should also learn from previous DDoS extortion campaigns that targeted the industry. For example, there are clear similarities between the DD4BC series of attacks that took place from 2014 to 2016 and the current extortion campaign, with both targeting the financial sector.

While a DDoS extortion attack can be devastating for organisations in the financial services sector, provided they have the right protection and plan of action in place, the damage caused by the attack can be kept to a minimum.

Tenable's Adam Palmer, Chief Cybersecurity Strategist, and John Salomon, FS-ISAC Director, Continental EU, Middle East, & Africa, explain the benefits of CFOs and other executives involving cybersecurity in their roles.

A commissioned study conducted by Forrester Consulting, on behalf of Tenable, found that currently only four in ten UK business leaders can confidently answer the question, “How secure are we?” There is a disconnect between business leaders, financial teams and security leaders in how they manage and communicate cyber risk. As such, cybersecurity needs to evolve as a part of the business strategy.

The Cybersecurity “Communication Gap”

Most mature businesses understand how to perform a basic assessment of the wide range of risks that impact their organisation. Cyber risk is often the exception. Cyber risk management is well established. However, business leaders, such as CFOs, don’t usually “speak” security, and techies don’t often know how to quantitatively measure, or explain, the degree of exposure to cybersecurity threats in a business context. As a result, the link between cybersecurity and the business can be lost in translation. Security is often seen solely as a cost to the business, rather than a means of preventing losses, or even a driver for increased revenue and overall success. Aligning the security programme to financial objectives improves understanding of value and drives support for corporate policies that support effective cyber risk management.

Cybersecurity Awareness – a Two-Way Street

Responsibility for ensuring effective cybersecurity risk management does not belong entirely to the CISO. Success depends on the rest of the organisation making an effort to also understand cybersecurity risk. This is not to say that a CFO must be a cybersecurity expert, as the onus is on the CISO to “speak the language of business.” Rather, financial leaders should at least have a fundamental grasp of cybersecurity. Using car ownership as an analogy, a driver does not have to know how to assemble an internal combustion engine. It is reasonable, though, to expect a competent driver to understand how to change a flat tyre, check the oil level and, most crucially, when to listen to a professional mechanic.


Most importantly, the infosec organisation must not be seen as a necessary evil. Rather than treating the CISO and their team as expensive alarmists, a CFO must make an effort to comprehend some of the basic concepts of cybersecurity, and the ramifications for the organisation’s finances of not having a capable, empowered security organisation. Furthermore, the cybersecurity organisation can only do its job effectively if its security risk assessment activities are backed by unambiguous, strong policies.

Seeking Clear Answers from the Security Team

The CISO must distil the highly complex topic of cybersecurity into concise, relevant messages without “dumbing it down” for business and finance leaders. While the CISO should present a measurable view of the organisation’s cyber risk exposure using internal and external comparative benchmarks, the CFO should ensure they understand the basics around:

  1. Where are we exposed?
  2. Where should we prioritise based on risk?
  3. How are we reducing our exposure over time?

Describing the target state of the security programme should be based on an understanding of risk, not blindly applying capability maturity levels. Organisations need the ability to identify and quantify their level of risk and exposure. This should be done in collaboration with the C-Suite. Cross-functional collaboration will turn the organisation’s security strategy into a “living” strategy, and ensures business alignment on priorities, costs, and needs.

Is compliance the end goal?

Many organisations will look to regulatory standards to determine their cybersecurity goals or “target state.” While there is value in meeting these baseline requirements, checking a box doesn’t necessarily equate to appropriate secure practices or addressing financial risk. Minimum, compliance-based security is not adequate security. Instead, organisations should work to really understand their critical assets, identify the vulnerabilities that affect them and create a security programme that addresses this.

By adopting a quantifiable approach to security that benchmarks internally and externally, and is aligned to business and finance objectives, it becomes much easier to define a target risk state and measure overall effectiveness. This also allows a firm to get a head start on meeting their regulatory requirements and improving communication with regulators.

CFOs need to work with CISOs in order to gain an understanding of their company’s security risk including the financial costs associated with it - both from a risk perspective, but also where technology investment might be needed. While finance can’t be expected to understand the technology or how it works, it is important to understand why it matters, including the role each new investment plays in closing the cyber exposure gap. To provide the level of detail needed to determine and reduce risks, the CISO needs to be able to determine, understand and report the following information to senior management:


Stronger together 

Historically, cybersecurity initiatives have seldom been aligned with business and finance objectives, but that must change.

Security leaders are challenged to prioritise where they focus effort — not just when it comes to vulnerabilities, but their entire cybersecurity strategy in general. By placing cyber risk management as part of an overall risk framework, business and financial executives can more easily assess whether best practices are being implemented effectively.

To do this, the CFO must work with the CISO to align cost, performance, and risk reduction objectives with business needs. This means providing a holistic understanding and assessment of the entire attack surface, with good visibility into the security of the most business-critical assets. The CFO should seek defined metrics and benchmarking processes, tied to business performance and process improvement from the CISO. Adopting this transparent, quantifiable approach will help the business understand cyber risk clearly, predict new threats, and act effectively.

The result is business-aligned security leaders who ensure their strategies are in lockstep with financial priorities. This collaboration with the CFO not only develops effective strategies and communicable metrics, but actually works to support organisational goals.

Amid a hostile takeover bid by rival GardaWorld, British security firm G4S has asked its investors to reject the Canadian company’s offer, which was sent to shareholders on Saturday.

"The board recommends that shareholders reject the offer and take absolutely no action," G4S said in a statement, adding that the timing of the offer was “highly opportunistic.”

GardaWorld’s 190-pence-per-share offer remains unchanged from when it first approached G4S in September. The company accused G4S directors of refusing to engage after their dismissal of the $3.9 billion offer, then issued the offer directly to G4S’s shareholders.

At the same time, an official offer document released by GardaWorld on Saturday revealed that it stands to make up to £312 million in fees if it successfully gains shareholders’ support for its takeover bid.

G4S revealed last week that it had also been approached with a takeover offer from US firm Allied Universal Security Services. The company has not yet made a formal offer.

G4S employs a workforce of around 530,000 across 85 countries. Its personnel guard prisons, embassies, justice services, stadiums and sport and music events, and were contracted to provide security for the 2012 London Olympics.


Following the initial September takeover bid from GardaWorld, in which private equity firm BC Partners owns a 51% stake, G4S’s share price has surged by 38%.

Martin Landless, Vice President for Europe at LogRhythm, explains how financial services can keep pace with outside threats.

It is more than possible to remain at the forefront of the digitalisation of the industry and to keep secure, but to do so relies upon focusing on a confluence of people, process and technology. Through this holistic focus, a culture of cybersecurity can be created that protects the important institutions through which it is fostered.

Simply put, cybersecurity is now an integral element of financial services. After all, assets and interactions have moved online. However, in the face of a cyberattack, a company can be subject to a costly halting of operations, a colossal hit to consumer confidence and a General Data Protection Regulation (GDPR) fine from which it might never recover. This is especially true throughout the COVID-19 pandemic, where, according to the National Cyber Security Centre (NCSC), cyberattacks are reaching fever pitch.

A mature security organisation

By their very nature, given the sensitivity of the data they manage, financial services organisations must have a mature security operation in place to deal with the threat actors they attract. The maturity of a security operation can be measured by two important variables: mean time to detect (MTTD) threats and mean time to respond (MTTR) to them.

Reducing MTTD and MTTR is crucial and can be achieved through technological solutions which allow for the automation of workflows; this frees up the vital time of security teams to focus their attention where it is most needed. This is especially important in an industry facing a stark skills shortage, with the UK Government finding that 48% of businesses have a cybersecurity skills gap in 2020. Visibility is another salient variable, as cybersecurity teams must be able to immediately see shifts in behaviour in the network to recognise imminent threats as they arise.


However, although technological innovation in the security response is a foundation of an effective culture of cybersecurity, this alone will not guarantee safety from attack.

Communication with the board

It falls to the CISO and their security teams to make sure cybersecurity takes precedence in the minds of all who work at an organisation – after all, it takes only one employee falling victim to a phishing email to compromise a business. At the board level, CISOs must ensure that executives understand the challenges security teams encounter as an organisation navigates business dynamics.

As with all things, communication is vital in this pursuit. One aspect of this is quantifying to the board the benefits and return on investment an effective security posture can bring. One method a CISO can use to create a high-trust environment is to partner a member of the board with the security team.

This partner can bring a purely business perspective to the team, allowing the team to produce intelligence for the overall board that demonstrates the business value of the security operations centre’s (SOC’s) methods and goals. This collaborative approach deepens both the security team’s understanding of business goals and the board’s understanding of why security is necessary.

Security through business growth

One common event that may be viewed differently by the board and security teams is when an organisation encounters business growth. Although such growth may indicate that a business is in robust health, it also opens multiple avenues through which a company can come under cyberattack.


For a start, cybercriminals keep a close watch on business news and will be aware of a company’s raised profile. When new staff arrive, whether through partnerships or increased hiring, security teams must make sure each new employee is vetted and safely added to the system. In the case of acquisitions, security teams must also effectively monitor new structures that are added to the network, and third-party connections with which they are not yet familiar. Indeed, a Gartner study earlier this year identified third-party cybersecurity risk as a key concern for half of legal and compliance leaders.

Key to this issue is the question of security budgets, and it is here board-level support is important. Traditional security budgets are often determined in advance and follow two common pricing models used by security vendors. These are the user-based model and capacity-based model; in the face of growth, both are fixed, and may leave security teams making difficult decisions as to where they safeguard their organisations.

Executives should instead employ a subscription-based model that offers the guarantee of scalable security at a determined rate; this will greatly alleviate the stress felt by security teams in what often should be an exciting time for an entire organisation.

Changing security budgets to better facilitate the work of SOCs represents a culture of cybersecurity being put into practice. Technological solutions are provided based on an understanding between security teams and the board on what is needed, allowing for better performance in MTTR and MTTD.

The future lies in cybersecurity

As Covid-19 has forced unprecedented circumstances and a wave of cybercrime upon security teams, it is as incumbent as ever for a culture of cybersecurity to be fostered within financial services organisations. Simply refusing increased digitalisation as a means of staying secure will see companies become obsolete in important areas such as customer experience, where their competitors will be innovating. Instead, a holistic approach encompassing people, process and technology will be vital to forging a secure path forward in the financial services industry.

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.