What data do you need to protect? How can you make data security systems easier for your users and harder for hackers to infiltrate?
These are two of the most important questions bank leadership should ask when working with IT teams on enterprise-wide security solutions. According to IBM’s 2022 Cost of a Data Breach report, the average cost of a data breach in the U.S. is $9.4 million, largely due to successful phishing attacks, business email compromise and stolen or compromised credentials.
Users have to create a password for every online account or system access point and it’s cumbersome to keep track of them all. For convenience, they may write the information down on a piece of paper kept in a desk drawer, reuse the same password over and over or store the details in an unencrypted text file on their computer. Any of these scenarios is a security red flag that opens the door to data compromise.
A passwordless future is on the horizon; passwords may be replaced with a combination of biometrics, such as fingerprint or facial scans, and web security protocols like an authenticator app for mobile devices. Until that technology can be introduced to your organization, consider other options.
A password vault (also called a password manager or locker) encrypts and securely stores usernames and passwords. Users access the “vault” using a master password. The vault generates and stores a long, random, complex password for each account or application, so users do not need to remember it. The upside is that users only need to remember one “master” password, so it is likely to be more complex and harder to guess or steal. Users should secure their vaults with multi-factor authentication (MFA) and passphrases at least 20 characters long. Many vaults alert users to phishing attempts (which try to convince users to reveal credentials) so they avoid clicking suspicious links or downloading malicious attachments. The downside is that if a cybercriminal obtains the master password, for example because it is stored on a computer inadequately protected against keyloggers and other malware, they can gain access to multiple accounts, data sources and systems.
Passphrases are longer passwords, usually at least 20 characters, composed of three to five random words without any special characters, numbers or other complexity, and they don’t need to be grammatically correct. An example of a passphrase is “now jump Cat here t0o”. It’s unique, easy for the user to remember and more difficult for an attacker to break. In other words, the more entropy (lack of order or predictability) the better.
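To make the entropy point concrete, the following added example (not from the original article) generates a random-word passphrase the way a vault would and puts numbers on the entropy of a passphrase versus a random character password. The 16-word list is a constructed stand-in for a real diceware-style list of about 7,776 words.

```python
import math
import secrets

# Constructed mini word list; a real diceware-style list has ~7,776 words.
# Entropy depends on the size of the list actually used, so the figures
# below pass that size in explicitly.
WORDS = ["now", "jump", "cat", "here", "too", "river", "lamp", "stone",
         "apple", "cloud", "paper", "wolf", "green", "ocean", "maple", "quiet"]


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words independent, uniformly random picks from a list
    of wordlist_size words: log2(wordlist_size ** num_words)."""
    return num_words * math.log2(wordlist_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a truly random character password (e.g. 94 printable
    ASCII characters). Human-chosen passwords have far less than this."""
    return length * math.log2(alphabet_size)


def generate_passphrase(num_words: int, wordlist=WORDS, min_length: int = 20) -> str:
    """Pick words with the CSPRNG (secrets, never random) and retry until the
    phrase meets the 20-character minimum the text recommends."""
    while True:
        phrase = " ".join(secrets.choice(wordlist) for _ in range(num_words))
        if len(phrase) >= min_length:
            return phrase


def compare(num_words: int, wordlist_size: int, pw_length: int, alphabet: int) -> dict:
    """Side-by-side figures: a 5-word passphrase from 7,776 words (~64.6 bits)
    beats an 8-character random password from 94 symbols (~52.4 bits)."""
    return {
        "passphrase_bits": round(passphrase_entropy_bits(num_words, wordlist_size), 1),
        "password_bits": round(password_entropy_bits(pw_length, alphabet), 1),
    }
```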
Multi-factor authentication (MFA) confirms the identity of someone attempting to log in by combining two or more “factors”: something you have (a hard token or device), something you know (a password), somewhere you are (sitting in your offices) and/or something you are (a fingerprint or retinal scan), according to the Cybersecurity and Infrastructure Security Agency (CISA). While MFA offers a higher level of security, a skilled attacker can still circumvent it. For example, despite using MFA with push notifications to an app, Uber experienced a significant phishing attack in November 2022 in which a cybercriminal impersonated an Uber IT professional and contacted an Uber employee, telling them to log in to the app. The attacker used “brute force” by repeatedly spamming login attempts, which generated a flood of push notifications, and sent a “message from IT” claiming there was an ongoing system issue and the user needed to accept the notification. The attacker then added their own device to the user’s account, scanned Uber’s intranet and discovered a text file containing an administrator account’s username and password. From there, it is believed (though unconfirmed) that they were able to compromise many of Uber’s systems.
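The push-flooding pattern described above (a burst of prompts followed by a single approval) is easy to spot in identity-provider logs. The following added example, not part of the original article and not Uber’s code, runs a per-user sliding-window detection over constructed sample log lines; the log format, user names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider push events (not real logs):
# "<timestamp> <user> <event>". alice shows the fatigue pattern: five prompts
# in under a minute, then an approval. bob is a normal single-prompt login.
SAMPLE_LOG = """\
2023-03-14T22:01:03Z alice push_sent
2023-03-14T22:01:09Z alice push_sent
2023-03-14T22:01:15Z alice push_sent
2023-03-14T22:01:22Z alice push_sent
2023-03-14T22:01:30Z alice push_sent
2023-03-14T22:02:41Z alice push_approved
2023-03-14T22:03:00Z bob push_sent
2023-03-14T22:03:20Z bob push_approved
"""


def parse_log(text: str) -> list:
    """Parse the constructed format into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_push_fatigue(events: list, max_pushes: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when a user approves a push after receiving more than max_pushes
    prompts inside `window`. Prompts are tracked per user in a sliding window;
    the approval after the burst is the high-confidence signal, since a burst
    alone may just be a confused user or a misconfigured client."""
    recent = defaultdict(list)
    alerts = []
    for ts, user, event in events:
        if event == "push_sent":
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        elif event == "push_approved":
            burst = [t for t in recent[user] if ts - t <= window]
            if len(burst) > max_pushes:
                alerts.append({"user": user, "pushes": len(burst), "approved_at": ts})
            recent[user].clear()
    return alerts
```

The same counter can be enforced on the prevention side: once a user exceeds the threshold, stop issuing prompts for the window and require number matching or a hardware token instead.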
Takeaway Tips
Work with your in-house or outsourced IT experts to proactively establish protocols that protect the integrity of your data and systems:
- Implement password vaults
- Implement passphrases when a long, random and complex password cannot be generated by a password vault
- Assume phishing attacks will persuade users to divulge information and design and implement controls to prevent them
- Configure MFA to prevent brute-force push attacks like the one Uber experienced
- Move away from so-called “Man in the Middle” vulnerabilities by discontinuing the use of one-time passwords and push notifications, and moving toward hardware tokens
- Train, train and train some more, ideally three to four times per year
- Test, test and test some more (organizations that tested their cybersecurity plans saved an average of $2.6 million per data breach compared to those that didn’t test, according to the IBM report)
Contact your Rehmann advisor or email us at [email protected] for a detailed review of your financial institution’s needs. We’ll design a customized suite of managed security, managed IT and cloud and network solutions that ensure compliance and give you the confidence that your organization’s data, and your customer’s confidential information, are protected.