Why the Financial Services Industry Needs Identity Intelligence
Our identities are increasingly intertwined with the digital world as technology becomes more pervasive. For all the good this digital revolution has brought, interacting with different sites and services has produced a certain level of risk as well.
It is no secret that cybercrime continues to rise, due in large part to data breaches that have exposed our digital identity information, says Monica Pal, CEO of 4iQ.
Last year, 4iQ discovered 14.9 billion raw identity records that were stolen from companies and circulated across the web. The rate of identity breaches alarmingly increased by 424% since 2017, totalling 12,499 breaches. It’s no surprise that the likes of Google and Facebook made all the headlines—these tech giants have millions of consumers who were affected. However, one narrative that does not get enough attention, yet is vitally important, is that the businesses employing these consumers also suffer huge consequences due to the massive expansions in their risk profiles. Certain stakeholders (employees, customers, etc.) with poor cyber hygiene, or who have had their data exfiltrated in the past, are just as, if not more, threatening to an organisation than a cybercriminal with harmful intentions. The financial services industry arguably faces the most danger.
More than 25% of all malware attacks target the financial services industry – this is more than any other field, and to make matters worse, attacks are continuing to rise. The number of compromised credit cards increased by 212% in 2019 compared with the prior year, while credential leaks rose by 129% and instances of malicious apps increased by 102%.
Trojans are being used to attack financial services companies. ATM malware is being used to steal credit and debit card information. This issue isn’t exclusive to the United States, as we just saw a ransomware attack wreak havoc on Mexico’s major financial institutions. In February, a UK-based bank became the first public victim of SMS verification code interception. What’s more, cybercriminals can still leverage older methods such as DDoS attacks and phishing against the least prepared companies.
The increasing digitisation of financial services, via cashless payments with cards and mobile apps, has led to greater overall digital capital flow, and as more capital circulates in the digital marketplace, companies become more vulnerable to cyberattacks. Simultaneously, automation of cybercrime is more common. Crawlers can continuously and automatically sift through large amounts of data and search for vulnerabilities and exposed networks, sometimes even without user input, helping malicious actors acquire their targets more rapidly. And as these processes become more automated, the expertise required to run them falls, widening the opportunities to include bad actors with less technical expertise.
Aside from a reputational impact, data breaches incur high financial costs as well. Equifax’s infamous breach cost the company more than $600 million. JP Morgan Chase said it would spend $250 million annually to improve its digital security following its 2014 data breach. Estimates are that cybersecurity costs companies within the financial services industry, on average, about $2,300 per employee, while some firms pay up to $3,000. These numbers have tripled within the last three to four years – showing that companies are spending more on cyber and digital protection than ever before.
Yet, despite companies investing more to secure infrastructures, protect critical business data and assure customer privacy, cybercriminals remain undeterred and have responded to more sophisticated protections by rapidly evolving their methods of attack. What few companies consider, however, is the cumulative effects of other companies’ breaches which have already happened. An employee’s or partner’s personal information exfiltrated in one breach is often used subsequently to gain unauthorised access to another infrastructure, whether through password re-use or social engineering attacks. This is akin to locking the front door, turning on the alarm, yet leaving the garage open, and can be devastating to enterprise-level targets which stand to lose a trove of company IP, inside information about mergers and acquisitions, and more.
Cybercriminals clearly possess a myriad of ways to outsmart and outpace normal security measures, so there needs to be an overhaul in this industry, placing more of an emphasis on thinking proactively and aggressively, unmasking bad actors’ identities and anticipating how our data could be at risk. Today, most leading companies understand the importance of executing traditional financial and criminal background checks for their employees. Too few leaders understand how to run a comparable check on the hygiene of employees’ digital footprints.
More and more, financial services companies are incorporating identity intelligence into their digital security. This involves tools and practices that are focused on scouring the Deep Dark Web for known exfiltration of identity-related data, from usernames and passwords to social security numbers and addresses. Identity intelligence helps large banks, credit card issuers and insurers understand and reduce what we call the “employee attack surface”, which is created by prior breaches.
These tools and practices can help companies avoid problems caused by:
Password Reuse: Criminals use credentials from prior breaches to access accounts on otherwise secure banking and credit card sites. A July study commissioned by 4iQ showed that nearly half of the consumers surveyed admitted to reusing passwords across multiple websites. Many financial services websites force regular resets – but some don’t, which is a glaring problem with a simple solution.
Weakest Link in the Chain: As we’ve seen in the news recently, third-party vendors play a key role in a company’s security. All players in the supply chain must be doing their very best to mitigate their risk profiles, and scarily enough, your company’s efforts can be all for nought if a “trusted” partner is not doing its part.
Employee Training (or lack thereof): Whether it’s a lack of training, willful negligence, or a bit of both, a company can invest millions of dollars in improving security measures only for an employee, no matter how high or low-level they may be, to make a costly mistake.
As cybercriminals have more tools at their disposal than ever before, technical threat intelligence about a company’s IT infrastructure is simply not enough. Organisations must adopt a more proactive, agile and strategic approach, beyond just playing “whack-a-mole” in response to an attack. Identity intelligence equips incident response and forensic professionals with the information they need to accurately anticipate attacks and catch warning signs even earlier, thereby avoiding a devastating attack for their company.