GlobalSign Blog

22 Nov 2016

Strong Authentication is Key for the Financial Industry

Data loss or breach is a nightmare situation for any company, but those in the financial industry may have the most to lose. In addition to tangible costs, such as regulatory fines and legal fees, the effects on reputation can be particularly devastating. According to American Banker, 82% of customers would leave their bank if it suffered a security breach, and 74% selected a bank based on the reputation of the organization. Trust is key in the financial sector; a secure customer is a happy customer.

This need for trust and security is a challenge when new technologies, such as cloud-based services or enterprise mobility, are constantly being adopted. While these can bring significant business benefits, they can also create vulnerabilities or new access points for malicious parties seeking customer or other sensitive financial information. Consider what would happen if a hacker found a vulnerability, accessed corporate resources from an employee's mobile device and gained access to all major accounts. We do not have to use our imagination to conclude that the results would be catastrophic.

This is where we must consider security and where financial institutions must ask themselves the following questions:

  • How are you ensuring only correct, authorized mobile devices have access to your corporate networks and resources (e.g. Wi-Fi, VPNs, mail servers, file systems)?
  • How are you ensuring that only the correct, authorized people have access to the privileged or sensitive information and resources?

Secure Mobile Access / Preventing Rogue Devices

Enabling a mobile workforce can generate significant productivity benefits: companies earn an extra 240 hours of work per year from mobile employees. But is mobile adoption secure? According to a recent study by Ponemon, 67% of companies said it is certain or likely that their organization had a data breach as a result of employees using their mobile devices to access the company's sensitive and confidential information.

So what can an organization do to obtain the benefits of enterprise mobility without opening doors for hackers? The solution to this problem is very simple: PKI can be our ally in controlling access to sensitive information and preventing rogue device access. By implementing certificate-based authentication, you make sure that only those users AND mobile devices with a properly configured digital certificate can access corporate networks and resources.

Some mobile security solutions only address user authentication, but we think it’s critical to authenticate the device itself as well. A 'rogue', unauthorized device is essentially a foot in the door of your corporate network. Once a hacker is able to get a device onto your network, it is much easier to eavesdrop or intercept sensitive traffic, spread malware, or do other nasty things.

Preventing Unauthorized User Access

It is also necessary that financial institutions adopt security solutions that help employees authenticate to the organization's different resources, not just from mobile devices but from desktops as well. We keep seeing examples in the market of why usernames and passwords are no longer secure; many of these failures stem from placing a great deal of responsibility in the hands of the user.

Chosen passwords must be sufficiently complex that they cannot be easily guessed, yet simple enough to be committed to memory rather than stored in any physical location. Increasing complexity and the number of logins per user means users often resort to reusing passwords or writing them down. Sharing passwords between personal and business accounts can be particularly dangerous. Consider the recent news that hackers accessed about 500 million Yahoo accounts. Imagine if a couple of your employees were on that list and were reusing those passwords in your company applications... scary stuff!

Replacing unreliable passwords and preventing unauthorized user access is another opportunity for certificate-based authentication. This way, only users with properly configured certificates will be able to access your corporate resources and information. Even if a user's username and password were obtained, a hacker still wouldn't be able to gain access without the certificate. This is of vital importance for financial institutions, as they manage confidential information on a daily basis. And the best part is that you can implement this on both desktops and mobile devices.

Role-Based Access

Another advantage of using certificates as an authentication factor is that organizations can use their Group Policy and permissions to control which users, machines and devices can access different resources and networks based on role. For example, the access that a teller needs is different from the tools that an account manager may need.
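As an added example (not from the original post and not GlobalSign's own code), here are the checks a corporate resource gateway would perform when a certificate is presented, tying together the device and user authentication described above and the role-based access in this section: the certificate must chain to the corporate CA, so a certificate from any other issuer (such as a rogue device's) is refused even when the password is known, and the role carried in its OU must permit the requested resource. It uses Go's standard library; the "Example Bank" names, the OU-as-role convention and the policy table are constructed assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed policy: the role carried in a certificate's OU decides which resources it may reach.
var rolePolicy = map[string]map[string]bool{"Teller": {"core-banking": true}, "Account Manager": {"core-banking": true, "crm": true}}

// issue returns a certificate for cn: a self-signed CA when parent == nil, otherwise a client-auth leaf signed by parent's key.
func issue(cn, role string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // demo code: errors from the stdlib calls are ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed CA (the corporate one, or a rogue one in the demo)
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	} else { // leaf for a user or device: signature-only key usage, client-auth EKU, role in the OU
		tmpl.Subject.OrganizationalUnit = []string{role}
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authorize admits cert only if it chains to corpCA (anything issued elsewhere fails here), is valid for client authentication, and its OU role permits resource.
func authorize(cert, corpCA *x509.Certificate, resource string) error {
	roots := x509.NewCertPool()
	roots.AddCert(corpCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	role := strings.Join(cert.Subject.OrganizationalUnit, "/") // "" when the certificate carries no OU, which matches no role
	if !rolePolicy[role][resource] {
		return fmt.Errorf("role %q may not access %s", role, resource)
	}
	return nil
}

func main() {
	ca, caKey := issue("Example Bank Corporate CA", "", nil, nil)
	teller, _ := issue("teller01", "Teller", ca, caKey)
	rogueCA, rogueKey := issue("Not Our CA", "", nil, nil) // a device bringing its own certificate
	rogue, _ := issue("byod-phone", "Teller", rogueCA, rogueKey)
	fmt.Println(authorize(teller, ca, "core-banking"), "|", authorize(teller, ca, "crm"), "|", authorize(rogue, ca, "core-banking"))
}
```

The rogue certificate claims the Teller role in its OU, but it never reaches the policy check because the chain to the corporate CA fails first.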

Another upside to using certificates is that the same solution can be used for all endpoints and users, and most popular cloud applications are natively compatible. Common use cases include Windows logon; access to corporate email, Wi-Fi networks and VPNs; and access to cloud-based services like Google Apps, Salesforce, Office365 and SharePoint.

Organizations often focus on external risks and ignore internal risks. Implementing two-factor authentication using digital certificates increases security and can help avoid a breach of the organization's important information.

For more information about using certificate-based authentication to enable a mobile workforce and prevent unauthorized access, check out our recent webinar: Certificate-Based Authentication to Support BYOD and IoT.
