Developing a strategic vision for securing online relationships with customers means making security choices that will address today’s requirements and can adapt to help meet tomorrow’s challenges.
To realize this vision, it is necessary to carefully assess an institution’s online transactions and the level of risk presented by each type of transaction or user group. Financial institutions are advised to carefully examine their current online practices and develop effective risk mitigation strategies for these varied transaction types. In addition, risk assessments should be reviewed whenever new online services are offered, and at least every 12 months.
Further, specific attributes of a financial institution’s online services should be examined during the risk-assessment process. Financial institutions need to consider which types of customers they are securing; the capability of their current transaction methods; information sensitivity and existing security; the ease of use and impact on the customer experience; the overall volume of transactions completed; and how mobile devices are interacting with banking environments.
Examples of these considerations include:
- Customer Type: Retail, high-net-worth or commercial clients
- Information Sensitivity: Customer information and privacy regulations
- Ease of Use: Relative importance and impact on customer experience
- Transaction Volume: Number of transactions and impact on security choices
- Mobile Landscape: Types of mobile transactions, devices and services
- Transaction Capability: ACH payments, wire transfers, loan origination, control of account administrative functions, etc.
The risk assessment should also review the possible impacts of a problem for specific services by considering the potential damage to an institution’s brand and reputation, as well as the financial loss or liability of fraud attacks.
The unauthorized release of sensitive information and data, and the ramifications of compliance failure, should be evaluated during the risk-assessment process.
Once completed, a risk assessment will outline the specific services and products that are more likely to be compromised and whose compromise by fraudulent activity would have a more severe impact. Potential impacts and particular services can then be mapped to specific security levels.
For example, a bank may determine that all services conducted with corporate accounts have a higher potential impact and require strong/step-up authentication, a fraud detection solution or a combination of several solutions as part of a comprehensive layered security approach.
The report may identify circumstances where less security is acceptable (e.g., corporate customers can review transaction histories and account information with single-factor authentication, but will need to use a higher level of security when they want to initiate transactions).
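The tiering described above, expressed as a step-up policy, as an added example (this is illustrative code, not from the Entrust white paper). The assurance tiers, action names and the rule that a fraud-detection hit raises the required tier are assumptions chosen to mirror the text: read-only actions accept single-factor authentication, initiating a transaction needs more, and corporate (commercial) accounts require the strongest tier for transactions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """Ordered authentication strength; a higher value satisfies any lower requirement."""
    SINGLE_FACTOR = 1   # password only
    STEP_UP = 2         # additional factor challenged for this action
    STRONG = 3          # e.g. transaction signing or out-of-band confirmation


# Constructed action catalogue; the groupings are an assumption for this example.
READ_ONLY = {"view_history", "view_balance"}
TRANSACTIONAL = {"ach_payment", "wire_transfer", "loan_origination"}
ADMIN = {"add_user", "change_limits"}  # account administrative functions


def required_assurance(customer_type: str, action: str) -> Assurance:
    """Map a (customer type, action) pair to the tier the risk assessment demands."""
    if action in READ_ONLY:
        level = Assurance.SINGLE_FACTOR
    elif action in TRANSACTIONAL:
        level = Assurance.STEP_UP
    elif action in ADMIN:
        level = Assurance.STRONG
    else:
        raise ValueError(f"unknown action: {action}")
    # Corporate accounts carry higher impact: transactions need the strongest tier,
    # while reviewing history/account information stays at single factor.
    if customer_type == "commercial" and action in TRANSACTIONAL:
        level = Assurance.STRONG
    return level


@dataclass
class Decision:
    allowed: bool
    step_up_to: Optional[Assurance]  # tier the session must reach, if not allowed


def authorize(customer_type: str, action: str, session_level: Assurance,
              fraud_flag: bool = False) -> Decision:
    """Compare the session's achieved tier with the required one; deny with a step-up target."""
    need = required_assurance(customer_type, action)
    if fraud_flag:  # layered control (assumed): a fraud-detection hit raises the bar one tier
        need = Assurance(min(need + 1, Assurance.STRONG))
    if session_level >= need:
        return Decision(True, None)
    return Decision(False, need)
```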
This information was included in Entrust’s recent white paper, “It’s Cyber Warfare: How financial institutions can implement identity-based security to win the war against online attacks,” which is available compliments of Entrust.