Op-Ed: Shoring up defences – How to protect the financial sector with stronger identity security measures

In fact, no matter their maturity, there are hidden challenges and risks everywhere. From the difficulties associated with navigating complex networks and systems to the complexity of securing both human and non-human digital identities, the risk is high, and there is constant pressure to ensure resilience against increasingly sophisticated cyber criminals causing persistent digital identity-related breaches, often through third parties.

The financial services industry deals with large amounts of sensitive data and personally identifiable information, making it a prime target for attackers. According to the OAIC’s latest Notifiable Data Breach Report, the financial services industry is the second-most breached sector (recording 68 breaches), after the health sector (with 71 breaches), the top target. Drilling down into the OAIC report, a third of all cyber incidents derive from stolen or compromised credentials falling into the wrong hands.

While a growing number of financial firms are prioritising identity security, attacks remain dangerously commonplace, with 93 per cent of respondents reporting they’ve experienced a breach within the past two years — the most common impact of which was widespread ransomware/malware infection (41 per cent), according to SailPoint’s recently released State of Identity Security 2023 report.

Certainly, these sobering findings speak volumes — and, in turn, have a role to play in contributing to the national narrative that tells a story of widespread security vulnerabilities negatively affecting the financial services industry.

Data breaches in financial services are so debilitating, and the increased sophistication of the attacks launched is so damaging that the federal government has already taken action. Given the sector’s importance to the functioning of the economy, the government has jumped into the ring launching a government-led cyber “war games” initiative that involves a series of exercises to determine how the industry would respond to a debilitating cyber attack.

In today’s uncertain economic climate, the impact of a data breach on financial institutions is greater compared to other sectors. This is primarily due to the resulting consumer sentiments that follow such incidents. A notable example is the collapse of SVB and the Republic Bank, where customers rapidly withdrew their funds. This mass withdrawal was largely influenced by the ripple effects of rising interest rates.

Considering the sensitivity of consumers in this context, any perceived risk or vulnerability to cyber attacks can have severe consequences for a financial organisation. It can damage the organisation’s reputation, brand, revenues, and the trust it has established with its customers. Thus, the potential fallout from a data breach in the financial sector is significant and requires careful attention.

Financial services in the crosshair

VIEW ALL

Financial firms have become more enticing for cyber criminals with the mass shift to digitisation, and there is more to be done to manage access to sensitive data and improve financial services’ breach detection as identity-related security breaches are inevitable. The fact that over half (56 per cent) of the surveyed financial services firms have fully implemented an identity security solution is a step in the right direction, but it’s clear that there is still room for improvement.

It’s vital that financial institutions work towards risk reduction. IT and security teams need to have the right processes and support to ensure this is successful. While identity security is “very high” on the agenda within financial services, there are many hurdles to jump, according to 91 per cent of respondents, who’ve experienced the following challenges: most notably flexibility in integration (38 per cent); high configurability (35 per cent); or being too complicated to implement (32 per cent).

These numbers aren’t surprising given the many different applications within the finance environment, both internally and externally facing. And there’s lots to contend with. Tightening regulations by the Australian Prudential Regulation Authority (APRA), the sector’s regulator, are also contributing to the cost pressures faced by financial services organisations. Compliance with these regulations necessitates investments in people, technology, and processes. The high costs are driven by the need to protect customer data, meet regulatory standards, and maintain trust with customers.

In addition to security, operational and compliance challenges, legacy systems are still a massive stumbling block. A number of the biggest financial institutions still operate on legacy technology and rely on manual processes to track data access and user identities, opening doors to inaccuracies.

Steps to secure the financial fort

Indeed, these challenges and grim numbers paint a clear picture — strong identity security is a necessity.

Today, banking and other financial transactions are no longer contained within the four walls of a building. Third-party partners, mobile functionality, blockchain integration, and the emergence of banking-as-a-service (BaaS) have led to increased risk, as well as cyber threats — and a critical need to close the security gaps on cyber security controls. Implementing a strong identity security solution has never been more important, greatly reducing the potential damage an attack can incur.

There are essential steps that banks and financial service firms can take to protect their sensitive data and shore up defences on the identity security front:

• Select a cloud-native, multi-tenant, single codebase, SaaS-based identity security solution backed by the right level of intelligence and identity information to ensure users only receive the access required to do their job.
• Ensure the solution gives users, including employees and third-party identities, the right access to the right applications, systems, and data at the right time — matching the scale, velocity and environmental needs of today’s cloud-oriented banks and financial institutions.
• Look for an advanced identity security solution that incorporates artificial intelligence and machine learning to have intelligence, automation, and integration to gain full visibility; insight into user behaviour; spot excessive privileges; and manage and govern user access.
• Seek an identity solution that delivers a simpler audit process through automation and maintains compliance with regulatory requirements.
• Leverage advanced analytics and outlier detection to detect and remediate risky, anomalous identity access and respond to threats in real time.
• Implement a solution that learns and evolves with the business, providing the ability to upgrade and innovate security processes with minimal disruption.

Ultimately, a strong identity security posture is critical for the financial services sector to not only safeguard sensitive data and prevent cyber threats but also to protect its reputation.

Nam Lam is country manager, ANZ, at SailPoint.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.