One of the most common threat vectors plaguing financial services institutions is the employee password. How can financial services institutions better protect employee passwords?
Banks, credit unions, investment companies, and other financial services organizations are facing an ever-growing threat from cybercriminals. In 2019, we have seen many high-profile data breaches hit financial organizations, resulting in financial repercussions and damaged brand reputation.
Beyond the value of financial assets, firms house highly sensitive and identifiable personal information that is extremely valuable to cybercriminals, making them a prime target of attacks. Financial services organizations are also under some of the tightest regulatory requirements and scrutiny from a compliance perspective.
The Problem is Growing
The finance industry is all too familiar with this threat. In April 2019, the CEO of JPMorgan Chase & Co., Jamie Dimon, told shareholders that cybersecurity “may very well be the biggest threat to the US financial system.” Bank of America Corp’s CEO, Brian Moynihan, seems to echo that sentiment when he said that the lender’s cybersecurity unit operates with an unlimited budget.
Financial services organizations have been increasing investment in cybersecurity tools and raising cybersecurity awareness amongst employees, but attacks on the corporate network and Active Directory still occur daily. The largest risk continues to be a simple attack vector: compromised passwords.
But how do financial services institutions secure the essential password layer without creating more friction for employees to access their email and corporate infrastructure?
The Importance of Good Password Hygiene in Financial Services
Good password hygiene is essentially following the password best practices set out by information security professionals. Almost all financial services and FinTech companies have password policies for their employees, but many do not update them regularly. It is essential to review these policies continually so that they keep pace with current standards: authentication technology and attacker techniques both evolve quickly, and an outdated password policy (for example, one that still mandates periodic resets but never screens for breached passwords) can become the weak link that bad actors use to gain entry to protected systems.
Password Reuse and Bad Passwords in the Financial Services Industry
Password reuse is one key area where finance organizations can crack down. According to a 2019 Online Security Survey by Google, 65% of people “reuse the same password for multiple or all accounts.” Adding to this, a study by Virginia Tech University called The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services found that 38% of the 28.8 million users studied reused the same password for two different online services, and 21% slightly modified an old password when signing up to new services. The IT community has been warning users about the dangers of password reuse for some time now, but the practice is still going strong.
To make the matter worse, many employees reuse passwords across their personal and work accounts, which puts their employer at risk. According to a LogMeIn survey, 62% of employees reuse the same password for work and personal accounts.
The reason people reuse passwords is fairly obvious, and most of us have probably been guilty of it at some point. With the growing number of online services we use, remembering a unique password for every site and app becomes taxing. By one estimate, the average user will need to recall more than 90 passwords within five years, a number only someone with exceptional memory could manage. In a work environment, employees want to access their accounts quickly and without hassle. The result is that employees reuse old passwords across their work and personal accounts, or only slightly change their previous password.
The default Active Directory domain password policy sets a maximum password age of 42 days, forcing employees to change their password regularly. Both NIST (in SP 800-63B) and Microsoft now recommend against forced periodic password resets: expiry mostly produces predictable variants of the old password rather than new, strong ones. Financial organizations should instead educate employees on robust, unique passwords, screen for compromised credentials, and force a change only for the accounts actually found to be compromised rather than impacting all their users.
Requiring employees to use long, strong passphrases is a good start (NIST's current guidance favours length and screening against known-breached passwords over mandatory upper-case, lower-case, number and symbol composition rules, which tend to yield predictable substitutions). But even a strong password is useless if it has been exposed online and the user reuses it across different sites.
Making matters worse, many financial services employees continue to use weak passwords: commonly used passwords, or passwords regularly found in cracking dictionaries. While many financial services organizations have robust training on creating strong passwords, only 25.3% of US organizations check employee accounts against common password lists, according to OneLogin. Such passwords are among the most common ways attackers gain access to internal systems, so a screening control matters more than training alone. Employees clearly need help in this area.
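As an added example (not code from the original article), the following Python implements the screening step described above in place of periodic resets: it checks a candidate password against a breached/common-password list the way NIST SP 800-63B describes, including the trivial variants users produce when they "slightly modify" an old password, and also rejects passwords containing context-specific words (the employer's name, the username) and repeated or sequential runs. The blocklist and the context words are constructed sample data for the example, standing in for a real breach corpus and a real employer's word list.

```python
"""Password screening in the style of NIST SP 800-63B.

Added example for this article, not code from the original page. The
blocklist and context words below are constructed sample data standing in
for a real breach corpus and a real employer's word list.
"""
import hashlib
import re

# Constructed sample of breached/common passwords (a real deployment would
# load a breach corpus such as a Have I Been Pwned export instead).
SAMPLE_BLOCKLIST = ["password", "123456", "qwerty", "letmein", "Welcome1", "Summer2019"]

# Assumed context words for a hypothetical employer ("AcmeBank"); a real
# deployment would add product names, site names and so on.
SAMPLE_CONTEXT_WORDS = ["acmebank", "acme"]

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets

# Undo the substitutions users make when "modifying" an old password.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})
_TRAILING = re.compile(r"[0-9!@#$%^&*.?]+$")

REASON_BLOCKLIST = "matches a breached/common password or a trivial variant of one"
REASON_SHORT = "shorter than %d characters" % MIN_LENGTH
REASON_RUN = "contains a repeated or sequential run of characters"


def canonical(password):
    """Fold the edits that turn 'Password' into 'P@ssw0rd123' or 'Welcome1'
    into 'Welcome2020!': lowercase, drop a trailing run of digits/symbols
    (unless that would leave nothing), then undo leetspeak."""
    p = password.lower()
    stripped = _TRAILING.sub("", p)
    if stripped:
        p = stripped
    return p.translate(_LEET)


def digest(canon):
    """SHA-1 of a canonical form. The screening service keeps only these
    digests, so the plaintext blocklist never has to sit on the server."""
    return hashlib.sha1(canon.encode("utf-8")).hexdigest()


def build_blocklist(words):
    """Canonicalize and hash every entry so lookups compare like with like."""
    return {digest(canonical(w)) for w in words}


BLOCKLIST_DIGESTS = build_blocklist(SAMPLE_BLOCKLIST)


def has_run(p, run=4):
    """True for 'aaaa'- or 'abcd'/'1234'-style runs of `run` characters."""
    for i in range(len(p) - run + 1):
        window = p[i:i + run]
        if len(set(window)) == 1:
            return True
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(run - 1)):
            return True
    return False


def screen_password(candidate, username="", context_words=SAMPLE_CONTEXT_WORDS,
                    blocklist_digests=BLOCKLIST_DIGESTS):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(REASON_SHORT)
    canon = canonical(candidate)
    if digest(canon) in blocklist_digests:
        reasons.append(REASON_BLOCKLIST)
    # Context words and the username are canonicalized too, so 'AcmeBank#2024'
    # is caught even though the employer's name is capitalized differently.
    for word in list(context_words) + ([username] if username else []):
        if canonical(word) in canon:
            reasons.append("contains context-specific word '%s'" % word)
    if has_run(candidate.lower()):
        reasons.append(REASON_RUN)
    return reasons


if __name__ == "__main__":
    for pw in ["P@ssw0rd123", "Welcome2020!", "AcmeBank#2024",
               "abcd1234", "correct horse battery staple"]:
        verdict = screen_password(pw, username="jsmith")
        print("%-30s %s" % (pw, "accepted" if not verdict else "; ".join(verdict)))
```

The canonicalization is what makes the check useful against the reuse behaviour described above: "Welcome2020!" is rejected because "Welcome1" is in the blocklist, and "P@ssw0rd123" because "password" is. Canonicalizing and hashing both sides also means the service can hold only digests of the breach corpus. A real deployment would additionally re-screen existing passwords against newly published breach data, which is the "continuous monitoring" the article returns to later.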
The Problem of Credential Sharing in Financial Services
Sharing credentials may seem like an obvious issue. After all, you’d find it difficult to find a financial organization that doesn’t prohibit the sharing of passwords between employees. However, having strong cybersecurity is as much about changing policies as it is about changing the culture. According to the Privileged access threat report by BeyondTrust, 69% of organizations in 2019 cited that colleagues telling each other passwords was an issue. What’s even more alarming is that this issue is actually up from 49% in 2018. We can confidently assume that companies have not relaxed their policy on colleagues sharing passwords, and yet, companies are increasingly concerned about this issue.
A 2016 study by password manager LastPass found that 61% of people are more likely to share work passwords than personal passwords. There are several reasons why someone might share their work password, but all are dangerous for the company. 42% of people share work accounts and passwords to collaborate with teammates, and 34% cited the reason as reducing costs, presumably on user-limited software. 38% of respondents said that it was the company’s procedure to share passwords to access certain accounts. Any financial organizations operating such a policy should act to ensure that all employees who need access to an account have their own unique login credentials. Any increase in costs is likely to pale in comparison to the financial repercussions of a data breach.
The culture of credential sharing needs to change to protect company systems. This can be done by educating employees on the dangers of password-sharing and providing alternative methods to access shared accounts. Credential sharing in a company is often a sign that employees trust each other and want to collaborate, which is helpful for workplace morale, but evidence of poor cybersecurity hygiene. Controlling the spread of information can be difficult, and organizations have no way of knowing whether sensitive credentials will get into the wrong hands.
Financial Services Credential Theft: Internal and External
Credential theft remains a significant cause of data breaches and can allow cybercriminals to lock employees out of their accounts and conduct account takeovers. Credentials are commonly harvested from previous data breaches and leaks, phishing attacks, or credential-stealing malware, and then used to access sensitive corporate accounts. It is a massive vulnerability not only for financial services organizations but for organizations across all industries. According to Cyren and Osterman Research, 40% of enterprises have experienced Office 365 credential theft.
Furthermore, the more senior an employee is in the organization, the greater the danger posed by their compromised credentials. Senior employees often have privileged access to accounts, or enough influence to persuade other employees to hand over sensitive data. If a hacker gains access to the account of a CEO or executive, they can impersonate them to obtain highly sensitive information. In 2017, it was estimated that around 30% of CEOs had had their credentials leaked through historic data breaches. This high percentage is largely because breaches at third-party services popular with professionals expose executives' credentials. For example, LinkedIn experienced a significant data breach in 2012, and four years later, 117 million LinkedIn user credentials were for sale on the dark web; LinkedIn is a popular site for executive networking and recruiting. The same is true for DropBox, which also experienced a data breach and has many executive end-users.
Third-party contractors also pose a significant risk to the security of financial organizations: one survey found that, globally, an average of 182 third-party contractors log into a company's systems each week. Third-party contractors add a layer of risk that should be managed carefully, since they sit between internal and external. Data breaches caused by internal users are due either to lax security practices or to a rogue employee, and a breach caused by a purely external source is usually the work of a hacker with malicious intent. Third-party workers or contractors fit neither category: you may trust the company, but you cannot vouch for each employee, and this creates substantial risk.
Companies manage contractor access in different ways, for example through a database, an LDAP directory, or, most commonly, Active Directory. Problems arise when communication breaks down between the contracting company and the financial organization. If a third-party contract employee is terminated by their employer, there can be a delay before your company is informed, and therefore a delay before their access to your environment is revoked. This risk can be mitigated by a policy that requires the third party to authenticate the user on its own network first (federated access), so that offboarding there revokes access to your systems as well; setting an expiry date on every contractor account in your own directory is a useful backstop. Because of credential theft, all financial services organizations should be proactively screening all stakeholder passwords, contractors included.
Protecting Employee Passwords in the Financial Services Industry
Financial services organizations need to be vigilant with their password security practices to reduce the risk of data breaches and other cybersecurity attacks. Strong password policies need to go hand-in-hand with an educated workforce and a work culture that is supportive of cybersecurity best practices. A successful cybersecurity attack can result in devastating financial and reputational consequences for financial services companies. The weaker the password security practices are, the more likely a successful attack becomes.
With new regulatory and standards pressure, such as the current US NIST password guidelines, GDPR, the US FTC filing cases against companies with insecure environments, and the US SEC now requiring companies to disclose information about cybersecurity risks, continuous password monitoring is a security standard, not just a nice-to-have. While updating password policies may require some time and planning, it should be a top priority, because compromising financial systems is a top priority for cybercriminals.