Through Ben Bulpett, Director of EMEA Identity Platform, SailPoint
The nature of the financial services industry is changing rapidly. Accelerated by the impact of COVID, the digital customer experience has become a key differentiator for banks, especially as large players seek to remain relevant in the face of more agile competitors. One method in particular is the use of selfies for identity verification. Monzo has been offering this for some time, requesting a selfie video, taken from a smartphone, as part of the client application process. Now, the industry is adopting the approach more widely for ease and convenience – last month the Financial Conduct Authority began allowing selfies as a valid form of identity verification.
But it raises cybersecurity issues that shouldn’t be ignored, especially as banks are a target for criminals looking to get their hands on lucrative assets. Selfies, videos, audio files, and even email files add to the millions of sensitive financial and personally identifiable information that financial institutions process every day. Such data is unstructured – where organizations lack real visibility into where the data resides and to whom it belongs. All of this leads to security vulnerabilities, paving the way for hackers to get their hands on sensitive information undetected.
So how can banks effectively mitigate these risks?
Into the unknown
Securing unstructured data is relatively new territory for organizations. Our recent study, where 16% of those surveyed were from financial services, found that three-quarters (76%) had experienced difficulty protecting unstructured data. This included unauthorized access, loss of data, and compliance fines. Additionally, almost all of the companies surveyed reported difficulty managing access to unstructured data, citing not only lack of visibility, but also too much data and the lack of a single access solution for multiple repositories. 40% admitted not knowing where unstructured data was stored.
Banks cannot afford to be trapped by unstructured data. Businesses may be spending record amounts of money on cybersecurity to protect the digital transformation that has accelerated so rapidly over the past year, but it’s a wasted effort if the most pressing threats like unstructured data don’t. are not properly processed. And these threats are evolving in new and sophisticated ways – last year, fake audio and video content ranked among the top 20 ways criminals use AI.
Securing unstructured data with identity
Organizations must maximize the visibility of vulnerabilities. For this, it is essential to prioritize the access rights of users to all data – structured and unstructured. Our research found that this is not currently the case, with a third of companies not having real-time alerts when unauthorized access occurs in unstructured data, and a quarter of companies not having real-time alerts. no regular reviews of user access privileges. Without visibility into who has access to what and when, hackers could operate undetected.
To combat this threat, identity security must be extended at the implementation stage to manage data access. This security practice ensures security and compliance – automatically – while providing real-time alerts to the IT team where potential vulnerabilities are located – making them much better equipped to monitor or respond to a breach.
We recently worked with South African financial institution Nedbank to protect unstructured data on file shares and other sites across the organization. This meant replacing disparate legacy systems with an identity platform that routinely automates access reviews. This helps data owners manage secure access to their data – providing a clear picture of where different types of data are located and who among their staff has access to what. With safe and secure access provided to over 33,000 people, Nedbank is now much better equipped to monitor or respond to a breach.
Visibility on all access points
Unstructured customer data will continue to be created as banks rely on the digital customer experience. But it’s crucial that financial institutions recognize and manage risks, prioritizing them in the same way as meeting evolving regulatory requirements. To ensure data protection, banks must have visibility and governance over all potential access points.