Many banks across the U.S. and Canada are failing to meet their customers’ online identity fraud and digital banking needs, according to a survey from FICO.
Despite COVID-19 quickly turning online banking into an essential service, the survey found that financial institutions across North America are struggling to establish practices that combat online identity fraud and money laundering, without negatively impacting customer experience.
For example, 51 percent of North American banks are still asking customers to prove their identities by visiting branches or posting documents when opening digital accounts. This also applies to 25 percent of mortgages or home loans and 15 percent of credit cards opened digitally.
“The pandemic has forced industries to fully embrace digital. We now are seeing North American banks that relied on face-to-face interactions to prove customers’ identities rethinking how to adapt to the digital first economy,” said Liz Lasher, vice president of portfolio marketing for Fraud at FICO.
“Today’s consumers expect a seamless and secure online experience, and banks need to be equipped to meet those expectations. Engaging valuable new customers, then having them abandon applications when identity proofing becomes expensive and difficult.”
Identity verification process issues
The study found that only up to 16 percent of U.S. and Canadian banks employ the type of fully integrated, real-time digital capture and validation tools required for consumers to securely open a financial account online.
Even when digital methods are used to verify identity, the experience still raises barriers with customers expected to use email or visit an “identity portal” to verify their identities.
Creating a frictionless process is key to meeting consumers’ current expectations. For example, according to a recent Consumer Digital Banking study, while 75 percent of consumers said they would open a financial account online, 23 percent of prospective customers would abandon the process due to an inconsistent identity verification process.
Lack of automation is a problem for banks too
The lack of automation when verifying customers’ identity isn’t just a pain point for customers – 53 percent of banks reported that it is problematic for them too.
Regulation intended to prevent criminal activity such as money laundering typically requires banks to review customer identities in a consistent, robust manner, and this is harder to achieve for institutions relying on inconsistent manual resources.
Fortunately, 75 percent of banks in the U.S. and Canada reported plans to invest in an identity management platform within the next three years.
By moving to a more integrated and strategic approach to identity proofing and identity authentication, banks will be able to meet customer expectations and deliver consistently positive digital banking experiences across online channels.
The survey, focused on changes in IT spending in the wake of the coronavirus pandemic, reveals that cybersecurity is IT leaders’ top focus for the rest of the year—and half of those surveyed are increasing their budgets to support their goals.
The pandemic has upended most businesses’ 2020 plans, with 70% of CIOs reporting their long-term priorities have shifted since the start of the year. Now, 89% said they’re focused on cybersecurity, while 82% are working on remote enablement.
Their goals reflect these new priorities: 86% said they’re aiming to improve security standards across their environment, while 80% are making their tech stack more flexible for remote and on-premise users. In addition, 75% said they were hoping to keep their IT infrastructure and tool stack up to date.
CIOs expect their budgets to increase in 2020
While budgets are tight for half the respondents, who don’t expect an increase in spending, the other half of CIOs expect their budgets to increase in 2020 to reflect shifts in IT. Some 33% anticipated a 5% increase, 13% foresaw a 5-10% increase, and 9% expected an increase greater than 10%.
To achieve their security and remote enablement goals, 43% of CIOs are investing in IAM, ahead of endpoint security (34%) and security awareness training (17%).
“Prioritizing IAM makes sense. CIOs have been waking up to the fact that most hackers don’t break down the gate—they just unlock it because they already have the keys,” said Kevin Nix, CEO at Hitachi ID.
“Bad actors have been focused on stolen credentials, phishing attacks, and social engineering, especially since the pandemic forced so many employees to work remotely. We’ve seen a new urgency among companies looking for IAM solutions. Last year, businesses might plan to adopt IAM over a year or two. Now they need it next quarter.”
- 67% of CIOs say they’re more willing to invest in emerging technologies
- 88% of respondents at companies with 500-1000 employees were planning to invest in emerging technology, the most of any size category. Just 45% of those at companies with 5,000 to 10,000 employees said the same, the lowest of any category.
- 87% would consider emerging security technology in 2020, while 71% would consider emerging AI and machine learning technology
IAM priorities differ by industry vertical, and a one-size-fits-all approach to IAM doesn’t work when every industry and business within that industry is unique, according to LastPass and Vanson Bourne.
Each industry vertical has unique business needs, and as a result has different areas of focus when it comes to their IAM program.
Finance focused on reducing risk, while integrating IAM infrastructure
Financial service organizations deal with higher stakes than most verticals, which inevitably impacts how they manage employee access and authentication.
35 percent of IT professionals in this industry say hackers have gained access to their organizations in the past, which is not surprising given financial institutions experience the highest cybercrime costs out of all verticals at an average of $18.3 million per year.
According to the report, 70 percent of IT professionals in the finance industry say that reducing risk is a top priority and 65 percent state that integrating security infrastructure is their biggest area for improvement.
IT focused on IAM security benefits and prioritizes MFA
As information technology businesses are close to IAM software and managing customers’ data, it’s clear their relationship with technology impacts their IAM strategy. 77 percent in this industry say securing data is their top priority, while improving identity and access management is less of a focus with 61 percent noting that as a priority.
28 percent of IT and security professionals in this industry said they are planning to invest in multi-factor authentication (MFA) solutions which will help address their security challenges because MFA helps ensure only the right employees are able to access sensitive data.
Media needs a secure, automated way to manage user access
Mass communication companies work with an array of external consultants to execute their programs, which leads to a wide array of users, both internal and external, accessing business resources, and that complicates IAM.
34 percent of IT professionals in this industry say managing user access is important to their organization, compared to the overall average of all industries (9 percent). 44 percent say end users are demanding an easier-to-use solution and 49 percent say automating IAM processes is an area for improvement.
“Finance is focused on reducing risk and integrations, IT is prioritizing the security components of IAM, whereas media is focused on improving employee productivity,” said John Bennett, General Manager, Identity and Access Management Business Unit at LogMeIn.
“It’s clear that flexibility, breadth of functionality and ease of use are critical so businesses can customize their IAM strategy in alignment with their business objectives. Organizations need to evaluate what their business needs are and build their IAM strategy based on those requirements.”
Here we are: at the beginning of a new year and the start of another decade. In many ways, technology is exceeding what we expected by 2020, and in other ways, well, it is lacking.
Back to the Future made us think we would all be using hoverboards, wearing self-drying and fitting jackets, and getting to and from the grocery store in flying cars by Oct. 21, 2015. Hanna-Barbera promised us a cutting-edge, underwater research lab in its 1972 cartoon, Sealab 2020.
While some of the wildest technology expectations from the big and small screen may not have come to fruition, the last decade of identity and access management development didn’t let us down.
And, I believe identity access management (IAM) cloud capabilities and integrations will continue their rapid spread – as well as their transformation of enterprise technology and the way we do business – in this new decade and beyond.
Here are three IAM predictions for 2020.
1. Single sign-on (SSO) protocols steadily decrease the need for unique accounts and credentials for every resource, so Active Directory (AD) is put on notice.
SAML, OAuth 2.0, OpenID, and other protocols mean people will see a drastic reduction in the number of unique accounts and credentials necessary to log in to certain websites. Do you need to log in to manage a site or do some online shopping? Likely, you can just use your Google or Facebook account to verify your identity.
This trend will continue to dominate throughout business-to-consumer efforts. I believe it will also take hold of business-to-business and internal business operations, thanks to the SSO developments made by Okta, Tools4ever, and other industry leaders.
The rise of SSO and the maturation of cloud platforms, such as G Suite, will likely result in a reduction in Microsoft’s market hold with on-premise AD. As more enterprises transition to hybrid infrastructures and to the cloud, flexibility means relying less on systems and applications that pair with AD to authorize user access.
Google Chromebook and other devices prove that the AD divorce is possible. Because of this, expect to see directory battles between Davids and Goliaths like Microsoft.
2. Downstream resources benefit from improved integration.
Along with the increasing use of protocols connecting IT resources, expect downstream systems, applications, and other resources to utilize identity data better. We’ll see how information transferred within the protocols mentioned above can be leveraged.
Provisioning will be far more rapid since transferred identity data will help to create accounts and configure access levels immediately. Continually improving integrations will provide administrators and managers with far more granular control during initial setup, active management, and deactivation.
Also, increasing connectivity allows identities to be managed centrally at the source of the authoritative identity data and pushed easily from there. At the same time, systems and applications will better incorporate identity data to enforce a given user’s permissions within that resource.
3. Multi-factor authentication (MFA) pervades our login attempts and increases the security of delivery to stay a step ahead.
MFA is already popular among some enterprise technologies and consumer applications handling sensitive, personal data (e.g., financial, healthcare), and will continue to transform authentication attempts. A lot has been said about increased password complexities, but human error is still persistent.
The addition of MFA immediately adds further security to authentication attempts by having the user enter a temporarily valid PIN code or verify their identity by other methods.
An area to watch within MFA is the delivery method. For example, SMS notifications were the first stand-out but forced some organizations to weigh added costs that messaging might bring on their mobile phone plans. SMS remains prevalent, but all things adapt, and hackers’ increased ability to hijack these messages has made their delivery less secure.
Universal one-time password (OTP) clients, such as Google Authenticator, have both increased security and made the adoption of MFA policies much easier through time-sensitive PIN codes. Universal OTPs also do away with the requirement for every unique resource to support its own MFA method.
PIN codes are now getting replaced by “push notifications,” which send a simple, secure “yes” or “no” verification prompt that allows access. After you download the client app and register your user account, a single screen tap is all that is needed to add security to your logins.
Gartner has been praising push notifications as the way of the future for a couple of years. Gartner predicted that 50% of enterprises using mobile authentication would adopt it as their primary verification method by the end of 2019.
The cloud will undoubtedly control IAM’s potential for the foreseeable future.
The majority of companies have experienced a five-fold increase in the number of workforce identities, driven primarily by mobile and cloud technology. Encouragingly, one-hundred percent of IT security stakeholders report that a lack of strong IAM practices introduces security risk, an IDSA survey reveals.
Strong IAM practices
Security leadership also cares “much more” about IAM now than ever before, with importance anticipated to continue to increase over the next five years. Despite growth, and an apparent understanding of risk, only half of IT security professionals state that the security team has any level of ownership for workforce IAM. What’s more, less than one in four IT security professionals say their teams have “excellent” awareness of their company’s identity strategy.
“With the majority of today’s breaches tied to compromised credentials and the number of credentials skyrocketing, IAM is a critical and complex issue that spans many organizational teams, requiring a strategy around people, processes and technology,” said Julie Smith, executive director of the IDSA.
“The findings highlight that addressing identity security through integrated technologies is only one piece of the puzzle. Without collaboration amongst all stakeholders and a clear understanding of responsibilities and handoff points, identity incurs greater risk.”
“As businesses embrace new technologies and expand their workforce, the reality of managing identities is seemingly growing more complex by the day. Awareness of the impact IAM has on security posture has grown as well, as an increasing number of data breaches are tied to stolen identities,” said Den Jones, director of enterprise security for Adobe.
“However, as the data shows, IAM efforts face several organizational challenges as companies grapple with who should take the lead. With the number of identities growing, organizations of all sizes should examine how identity management fits into their security strategy, and eliminate any silos between teams that increase risk or slow the pace of the digital transformation of the business.”
Modern technologies are driving explosive growth of identities
- 52% say that identities have grown more than five-fold in the past 10 years
- The increase in identities is driven primarily by technology changes, such as mobile devices (76%)
- Other identity growth factors include a mix of more employees (57%), connected employees (66%), enterprise connected devices (60%), and cloud applications (59%)
Identities are increasingly important to corporate security
- 100% report a lack of strong IAM practices introduces security risk
- 92% say security leadership cares more about identity management now than in the past
- Security teams are worried about a range of potential identity-related security incidents, including phishing (83%), social engineering (70%), compromised privileged identities (64%), and more
Identity security efforts lack alignment
- While security is involved in IAM activities (99%), only 24% say their security team has “excellent” awareness of IAM
- A wide range of organizational issues prevent security from engaging with workforce IAM, including lack of alignment of goals (33%), reporting structure (30%), history of security not being involved (30%), and resistance from existing teams (24%)
- Budget ownership issues (40%) are cited as the top reason for not spending more on workforce IAM
Incomplete security ownership for identities has consequences
- Only half (53%) report that security has any level of ownership for workforce IAM
- When security teams have ownership of IAM they have better understanding of identities, are more likely to view IAM leadership as a career opportunity, and face fewer barriers to IAM involvement
Growing consumer expectations, the breakdown of traditional “walls” and emerging technologies are making it hard for organizations to devise a successful digital identity management program, according to Deloitte.
More than ever before, identity management is at the center of cybersecurity, regulatory compliance and consumer trust, and many organizations are struggling to define a digital identity management program both internally for the enterprise and externally for consumers.
Deloitte surveyed more than 2,500 professionals across industries and positions.
“In a digital economy, identity is a point of trust, perimeter of security and an index of customer satisfaction,” said David Mapgaonkar, principal, Deloitte & Touche LLP, and cyber technology, media and telecom sector leader.
“Organizations should think about challenges related to both consumer and enterprise identity management to understand what they can do to create better outcomes. But it’s not easy — it requires managing relationships with many stakeholders and alignment on technology and funding.”
Rising global data privacy regulations pose compliance challenges
Identity, data privacy and regulatory compliance are increasingly overlapping. Cybersecurity leaders and executives are burdened with developing a more comprehensive view of their consumers to comply with legal and audit-related mandates such as the GDPR, the CCPA and the recommendations of the NIST Cybersecurity Framework.
This means that technology, cybersecurity, legal and business leaders are all stakeholders in effective identity management, each with their own challenges and ambitions related to user experience, system availability, resilience, risk management and consumer engagement.
Digital identity lags on investment and priority
Cybersecurity teams must deal with legacy IT environments and a resistance to migrate to cloud-first architectures. In the survey, 35.4% of poll respondents recognized upgrading legacy systems as a challenge to organizations employing identity programs.
Nearly 18% of poll respondents selected lack of funding and sponsorship as a challenge. Either way, many organizations haven’t built modern systems that are API-based, orchestrated and enable easy integration with apps. And, investment into new systems and structures can be significant.
Without an organization-wide understanding of the identity imperative, sponsorship at an executive level can be hard to attain.
The survey found that 95% of C-suite level executives commit 20% or less of their security budgets to support identity solutions.
Companies are reluctant to outsource identity management
Many cybersecurity leaders are concerned about integration, flexibility and access to specialized support with outsourcing their identity management to third parties. But third-party managed services, either on-premise or in the cloud, can offer the latest skills and capabilities, increase automation and future-proof identity systems.
For example, 14.4% of poll respondents selected lack of talent and a skills deficit as a challenge for identity. With a cyber talent gap only growing, identity-as-a-service (IDaaS) may be a viable option for many organizations to empower innovation efforts and drive digital transformation.
Responsibility and ownership often distributed
Responsibility and ownership are often distributed among multiple executives, teams (marketing, sales, cybersecurity, etc.) and IT systems, making coordination of large-scale projects challenging.
The poll shows that 14.4% of respondents selected lack of executive prioritization and alignment as a challenge that impairs identity’s impact on digital transformation.
A digital identity management program tends to take time and that can be a challenge for cyber organizations that may need to show immediate progress and broader return on investment. Many stakeholders increase complexity and timelines, and these critical programs are not getting implemented fast or well enough.
“An integrated digital identity program will provide organizations operational efficiencies and improve user experiences by powering digital transformation. In addition to the fact that regardless of what business you are in, we all need to know that what we share is protected, what we access is secure, and who we allow into our systems are supposed to be there,” said Mike Wyatt, principal, Deloitte & Touche LLP and cyber identity solutions leader.
“An integrated approach can help prevent a future digital identity crisis from surfacing by building consumer trust and enabling both privacy and security.”
Digital identity is both a use case for blockchain and an enabler that allows each of the other assets for blockchain integration to exist. Other top use cases for digital identity, for example in government, include land and corporate registrations, voting, supply chain traceability and taxation.
The operating environment for digital identity will likely become increasingly complex — with greater business expectations to meet; new technologies to integrate; multiple data privacy regulations to adhere to; and increasing numbers of people and devices to manage.
Every company will have a different set of digital identity challenges and a unique approach to identity management.
Digital identity management program
A digital identity program should be:
- Safe – To ensure security, privacy and compliance.
- Flexible – To work across multiple platforms (on-premise and cloud); work with people, systems and devices.
- Agile – To quickly adapt to end-user needs, IT requirements and new applications.
- Scalable – To address the shifting requirements of the business — such as adding new users from an acquisition or managing an influx of customers.
- Open – To accommodate many types of users, including employees, consumers, partners and contractors.
- Private – To give users control over their information and an understanding of how it is used and how they can access it.
- Frictionless – To provide a seamless and convenient experience for both users and cybersecurity administrators.
- Resilient – To overcome potential service disruptions, technology failures, or cyber threats — whether on-premise or in the cloud.
In a digital economy, every outcome depends on digital identity as a point of trust, a perimeter of security, an index of relationship management and a means of service personalization. Companies that harness digital identity should be better positioned to reap the benefits of security and long-term customer value.
Many organizations across the globe fall short of effectively managing access for third-party users, exposing them to significant vulnerabilities, breaches and other security risks, One Identity reveals.
Most organizations grant third-party users access to their network
Based on a Dimensional Research-conducted survey of more than 1,000 IT security professionals, the research evaluates organizations’ approaches to identity and access management (IAM) and privileged access management (PAM), including how they apply to third-party users – from vendors …
The post Do third-party users follow security best practices and policies? appeared first on Help Net Security.