Finance Monthly August 2019 Edition

ast year, 4iQ discovered 14.9 billion raw identity records that were stolen from companies and circulated across the web. The rate of identity breaches alarmingly increased by 424% since 2017, totalling 12,499 breaches. It’s no surprise that the likes of Google and Facebook made all the headlines— these tech giants have millions of consumers who were affected. However, one narrative that does not get enough attention, yet is vitally important, is that the businesses employing these consumers also suffer huge consequences due to the massive expansions in their risk profiles. Certain stakeholders (employees, customers, etc.) with poor cyber hygiene, or who have had their data exfiltrated in the past, are just as, if not more, threatening to an organisation than a cybercriminal with harmful intentions. The financial services industry arguably faces the most danger. More than 25% of all malware attacks target the financial services industry - this is more than any other field, and to make matters worse, attacks are continuing to rise. The number of compromised credit cards increased by 212% in 2019 compared with the prior year, while credential leaks rose by 129% and instances of malicious apps increased by 102%. Trojans are being used to attack financial services companies. ATM malware is being used to steal credit and debit card information. This issue isn’t exclusive to the United States, as we just saw a ransomware attack wreak havoc on Mexico’s major financial institutions. In February, a UK-based bank became the first public victim of SMS verification code interception. What’s more, cybercriminals can still leverage older methods such as DDoS attacks and phishing against the least prepared companies. The increasingdigitisationof financial services, via cashless payments with cards and mobile apps, has led to greater overall digital capital flow, and as more capital circulates in the digital marketplace, companies increasingly become more vulnerable to cyberattacks. Simultaneously, automation of cybercrime is more common. Crawlers can continuously and automatically sift through large amounts of data and search for vulnerabilities and exposed networks, sometimes even without user input, helping malicious actors acquire their targets more rapidly. And as these processes become more automated, the ease with which it is done lowers the threshold of expertise required for operation, widening the opportunities to include bad actors with less technical expertise. Aside from a reputational impact, data breaches incur high financial costs as well. Equifax’s infamous breach cost the company more than $600 million. JP Morgan Chase said it would spend $250 million annually to improve its digital security following its 2014 data breach. Estimates are that cybersecurity costs companies within the financial services industry, on average, about $2,300 per employee, while some firms pay up to $3,000. These numbers have tripled within the last three to four years – showing that companies are spending more on cyber and digital protection than ever before. Yet, despite companies investing more to secure infrastructures, protect critical business data and assure customer privacy, cybercriminals remain undeterred and have responded to more sophisticated protections by rapidly evolving theirmethodof attacks.What few companies consider, however, is the cumulative effects of other companies’ breaches which have already happened. An employee’s or partner’s personal information exfiltrated in one breach is often used subsequently to gain unauthorised access to another infrastructure, whether through password re-use or social engineering attacks. This is akin to locking the front door, turning on the alarm, yet leaving the garage open, and can be devastating to enterprise-level targets which stand to lose a trove of company IP, inside information about mergers and acquisitions, and more. Cybercriminals, clearly, possess a myriad of ways to outsmart and outpace normal security measures, so there needs to be an overhaul in this industry, placing more of an emphasis on thinking proactively and aggressively, unmasking bad actors’ identities and anticipating how our data could be at risk. Today, most leading companies understand the importance of executing traditional financial and criminal background checks for their employees. Too few leaders understand how to do this for the hygiene of employees’ digital footprints. More and more, financial services companies are incorporating identity intelligence into their digital security. This involves tools and practices that are focused on scouring the Deep Dark Web for known exfiltration of identity-related data, from usernames and passwords to social security numbers and addresses. Identity intelligence helps large banks, credit card issuers and insurers understand and reduce what we call the “employee attack surface”, which is created by prior breaches. L 45 www.finance-monthly.com FINANCIAL INNOVATION & FINTECH - IDENTITY INTELLIGENCE