Combating new-age breaches requires a reset in trust
The Capital One breach that affected the personal information of more than 100 million people underscores the sobering truth: People are more concerned than ever about identity theft and payment fraud—and they have every right to be. This puts the ball squarely in the court of financial services institutions.
To address the threats that lead to identity theft and payment fraud and allay consumer security concerns, banks and other financial institutions need to take decisive action.
Implementing least privilege access is critical, as it limits the number of employees with access to sensitive data. However, there is always the chance that privileged employees will either become bad actors who use their access to confidential data for their own gain, or that they will succumb to a hacking attempt and thereby open the door to an external bad actor.
The only effective way to strictly enforce least privilege access is with Zero Trust. The Zero Trust model was initially proposed by Forrester as an architecture to make security ubiquitous throughout the network and not just at the perimeter. With Zero Trust, trust is never assumed for any entity—users, devices, applications and packets—regardless of who, what and where the entity is relative to the corporate network. By practicing “trust no one; verify everything,” all resources are secured and access control is limited and strictly enforced.
One of the characteristics of a Zero Trust environment is that cryptographic segmentation is employed to support security and compliance. By establishing Zero Trust boundaries that compartmentalize different segments of the network, financial institutions can protect critical resources to reduce the exposure of critical or vulnerable systems, and prevent lateral movement of attackers throughout the network.
While it is discouraging that the top 25 passwords of 2018 included “12345,” “password,” “qwerty,” and “abc123,” many consumers are fully cognizant of the importance of security and are open to new technologies in order to guarantee it. For example, the Unisys Security Index reports that 30% of Americans are willing to accept facial recognition software to verify identity when making an online transaction with their bank and 17% of Americans are willing to accept facial recognition software to verify identity when making a purchase at a store/retailer.
Large firms in various industries are moving in this direction. For instance, Bret Arsenault, the top cybersecurity executive at Microsoft, reports that the company is striving for a “passwordless future.” Already, 90% of Microsoft’s employees can log in without a password, and the company is seeking to move consumers away from password dependency.
Facial recognition, fingerprints, behavioral characteristics and other biometrics are appealing to consumers because they tend not to impact the speed and convenience that consumers have come to expect. For instance, it can be irritating to a consumer to be asked a security question before they can access their account, but if the financial institution uses swipe patterns as a biometric, the consumer may not even be aware that identity authentication has taken place. Security becomes seamless.
Artificial intelligence (AI) and machine learning (ML) play a key role in both Zero Trust security and biometric technologies for identity authentication, but their capabilities also extend well beyond those areas. These advanced technologies enable financial institutions to detect and respond to anomalous activity more quickly than is possible for people.
People can easily miss seeing a problem, particularly in its early stages. That same problem can be instantly identified in its nascent form through AI and ML, dramatically reducing the mean time to detect. In like manner, the mean time to respond—which may be hours, days or even weeks when reliant upon people— can be near-real-time when the system can automatically respond to address a breach, attack or other questionable activity.
Consumers are eager for AI and ML to be employed in the area of cybersecurity. The Unisys Security Index shows that 65% of Americans support the use of AI and ML to automatically identify suspicious online activity, including potential cyberthreats.
Consumers expect their banking experiences to be like Amazon and Uber interactions. The way we shop and order a car has forever changed, and consumers want the convenience of Amazon and Uber in every aspect of their lives, including their banking. As banks look to provide this same level of convenience, AI and ML enable them to do so. However, there is a trade-off between privacy concerns and convenience factors. Uber knows your location, and Amazon knows your shopping habits. This same principle applies to banks.
Security within the financial industry must constantly evolve to meet emerging threats and allay consumer concerns. By leveraging the power of a Zero Trust model, biometric technologies and AI/ML, banks and other financial institutions will be able to ensure the most important factor necessary for success: the trust of the consumers who rely on them.