Financial services is among the industries most affected by cyberattacks, phishing scams, and online fraud of every kind. That is why the financial sector has grown into one of the best-protected industries on the market.
While cybersecurity improves, cybercriminals redirect their attacks toward the area that is easier to break: people.
Social engineering means tricking people into performing actions or sharing information. It has become one of the most popular buzzwords in cybersecurity.
A well-engineered attack usually involves a bait or a threat, typically combined with a call to action and artificial urgency. Receiving such a call or email should always switch on a light bulb: a warning that something may be wrong. Such attacks usually end with confidential information being handed to the attacker.
Attacks on C-level executives (whaling attacks) are more difficult to prepare and often take months to plan and execute.
Attacks on lower-level employees can also damage the business. That is why they are still far more common and effective.
In financial institutions, people working in sales access sensitive data every day. Insurance agents, home brokers, and financial advisors all work with sensitive data such as sales figures and commissions. They also frequently perform sensitive operations on customer profiles.
The Pareto principle applies well here: 20% of the information a user has access to can cause 80% of the problems stemming from leaks and thefts.
The vast majority of companies grant access to either all data or none. There are no easily applicable mechanisms to supervise access to sensitive information.
Thus there are many ways in which things can go wrong.
Let’s assume now that Anna works in a bank as a sales rep. She is unable to reach the sales goals required for her commission, so she looks for a way around it. She decides to share her account with another sales agent who has the same problem. Now Anna can win the commission herself and then, under the table, split it with the other agent.
Some of these actions are dangerous, some are illegal, and some are simply worth tracking. The more you know, the more conscious security decisions you can make. Regardless of the scenario, financial institutions lack solutions that can be introduced quickly to address such risks.
The annoying thing about data security has always been the need to balance data protection against user comfort.
In our opinion, the two biggest challenges that security teams in financial institutions face are:
1. How to increase the level of security without making a user's life too hard?
People always look for ways to make their lives easier. So if they can skip a security procedure that costs them too much precious time, they surely will.
2. How to increase the level of security without breaking the bank?
The data security budget usually rises after something happens: a bad breach, a phishing theft, a data loss. That is usually the moment when CEOs decide to invest in data protection.
So what’s the remedy?
We call it “microauthorizations”.
Microauthorizations from Secfense leave the user experience almost untouched while substantially increasing the user's security level.
Microauthorizations make it easy to add extra authorization steps in an application, wherever necessary, without touching the application code.
With microauthorizations, it is possible to:
It really can be that simple.
To learn more about microauthorizations, check this short showcase.
You can also watch a complete 2FA deployment performed on Amazon.com and executed in minutes.
Most two-factor authentication methods rely on a secondary code to verify the user's identity. 2FA raises the security level, but not all methods are equally effective. Some advanced attacks (e.g. Modlishka or Evilginx2) can defeat these older 2FA methods.
By comparison, the FIDO2 authentication standard introduces a physical device into the process: the employee authenticates with that physical object. This setup is the strongest authentication method and has not yet been compromised.
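The difference between a relayed code and a FIDO2 assertion can be shown in a toy model. The following Python is an added illustration, not Secfense code and not a real WebAuthn library: the origins, the RP ID, the 20-byte OTP seed and the HMAC-SHA256 "signature" standing in for the authenticator's public-key signature are all constructed for the example. It reproduces the relying-party checks that make FIDO2 phishing-resistant: the browser, not the user, writes the origin it actually loaded into clientDataJSON, that data is covered by the signature, and the relying party rejects any assertion whose origin is not its own. A one-time code carries no such binding, so a proxy can forward it unchanged.

```python
"""Toy model: an OTP survives a reverse-proxy relay, a FIDO2 assertion does not."""
import hashlib
import hmac
import json
import secrets

# Constructed names: the real bank origin and a lookalike a proxy would serve from.
BANK_ORIGIN = "https://bank.example"
BANK_RP_ID = "bank.example"
LOOKALIKE_ORIGIN = "https://bank-login.example"


def otp_code(secret: bytes, counter: int) -> str:
    """HOTP-style 6-digit code (RFC 4226 dynamic truncation). Nothing in it names the site."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def otp_login_via_proxy() -> bool:
    """User types the code into the lookalike page; the proxy forwards it verbatim."""
    secret = secrets.token_bytes(20)            # constructed seed shared at enrolment
    counter = 7
    code_typed_into_lookalike = otp_code(secret, counter)   # user's side
    relayed_code = code_typed_into_lookalike                # proxy passes it through unchanged
    return hmac.compare_digest(relayed_code, otp_code(secret, counter))  # bank accepts it


class SimulatedAuthenticator:
    """One credential per RP ID. HMAC-SHA256 stands in for the real public-key signature,
    so the value returned by register() is a shared secret, not a public key (simplification)."""

    def __init__(self) -> None:
        self._creds: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._creds[rp_id] = key
        return key

    def get_assertion(self, rp_id: str, challenge: str, origin: str) -> dict:
        # The browser, not the user, records the origin it actually loaded.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()      # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()  # what WebAuthn signs over
        sig = hmac.new(self._creds[rp_id], signed, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(cred_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party side of the WebAuthn assertion procedure, simplified."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:      # fresh per-login nonce
        return False
    if cd.get("origin") != BANK_ORIGIN:                # origin binding: the anti-phishing check
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(BANK_RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def fido_login(origin_seen_by_browser: str) -> bool:
    """One login: bank issues a challenge, the browser at `origin` asks the authenticator,
    the bank verifies. A proxy can relay the challenge but cannot change the recorded origin."""
    auth = SimulatedAuthenticator()
    cred_key = auth.register(BANK_RP_ID)               # enrolment happened on the real site
    challenge = secrets.token_urlsafe(32)
    assertion = auth.get_assertion(BANK_RP_ID, challenge, origin_seen_by_browser)
    return rp_verify(cred_key, challenge, assertion)


def fido_login_direct() -> bool:
    return fido_login(BANK_ORIGIN)


def fido_login_via_proxy() -> bool:
    return fido_login(LOOKALIKE_ORIGIN)


if __name__ == "__main__":
    print("OTP relayed through proxy accepted:   ", otp_login_via_proxy())
    print("FIDO2 direct login accepted:          ", fido_login_direct())
    print("FIDO2 relayed through proxy accepted: ", fido_login_via_proxy())
```

In a real browser the lookalike page could not even request a credential for `bank.example`, because the RP ID must be a registrable suffix of the page's own origin; the origin check in `rp_verify` is the second, server-side line of defence and is the one a relying party must implement itself.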
None of Google’s 89,000 employees have fallen for a phishing scam since the company implemented U2F (ancestor of FIDO2) in 2017.
The biggest reason why FIDO2 is not yet a golden security standard is cost. Implementing FIDO2 used to mean a long and difficult coding process, and the maintenance costs and vendor lock-in were reason enough to abandon the idea of introducing it.
Now it is possible to deploy FIDO2 in a matter of minutes at a fraction of the previous cost. Financial institutions no longer have to share any data with third parties: FIDO2 can be added on top of the existing infrastructure.
No developers, no contractors, no third-party code involved, and thus no vendor lock-in. The protection lies in an extra security layer that enables strong authentication on any app without touching its code.