Making Ironclad IT Security Simple for Finance
The finance industry has a rap for moving slowly with respect to technology—and more specifically—IT security. However, because finance companies potentially have billions of dollars in assets under management, they're highly targeted by bad actors.
It’s also important for security technology to be managed in such a way that it doesn't have a large impact on user experience. You don't want “security theater,” where the IT infrastructure seems very obvious and secure to the user, but isn’t really. Hackers can see right through security theater. And security through obscurity is akin to putting keys under your doormat.
When we first begin working with clients, we unfortunately see many poor implementations for modern systems like Single Sign-On or Multi-Factor Authentication. The other thing we often see is weak email security—one of the biggest threats for companies in general, and especially for financial firms.
These are problems we've taken particular interest in solving as a team of technologists, and doing so in a way that isn't obtrusive to the user. In general, you could sum up our entire approach by saying we build guardrails that encourage best practices with respect to security, while also precluding bad behavior. We aim to make it easier to be secure than it is to not be.
Many people view security and user experience as diametrically opposed. It doesn't have to be that way. You just have to think creatively in how you approach security implementation.
A 360-degree approach
At Pliancy, we hit 100% Multi-Factor Authentication (MFA) compliance, which means that every single user employs MFA across all of our clients. In the finance field that's incredibly rare, especially because we also take the extra steps to make it a good experience.
Typically we have clients come to us with 7-10 different systems that they log into on any given day. They have a username and password for each system, all of which they have to remember.
So we set them up with a Single Sign-On: each user signs once into our platform, which is verified with Multi-Factor Authentication. Once they've signed in using just one username and password, they can launch any of their applications with a single click.
It isn’t cumbersome. They don't have to pull out some physical token on a keychain and read off digits, or anything like that. It's just a push on their phone—click yes or no. That allows them access to all their systems for the day; they don't have to worry about it again, and it’s far more secure.
We engineer each client platform to consolidate audit logs and perform anomaly detection. This will flag anything that seems odd by the parameters of each user. For instance, a user suddenly has 15 random login attempts from another country. We’ve designed the system to block those attempts automatically instead of having to look manually for those kinds of discrepancies after the fact.
Security via education
We’re constantly looking for new ways to heighten security behind the scenes that are completely transparent to the user. We’ve done a lot of problem-solving to enhance email security. Email security is notoriously terrible, and notoriously intrusive to the user.
Sure, an overactive filter on your emails to catch phishing attempts or other threats probably does the job. And a lot of companies will try to solve email security with a purely technical approach like this. They install systems that filter email, scan for various things, etc.
But fundamentally, your best approach to solving that problem isn't simply having that technical aspect in place: It’s layering that technical aspect with a user training process.
We’ve found there’s no technological substitute for informed users—those who are trained to identify emails that might be fishy. At the end of the day, the threat landing in your inbox isn’t going to compromise you. The breach happens when a user clicks on it. And that kind of stuff happens all the time.
So the approach we've taken is layering the technical implementation with a strong but unobtrusive educational component. We partner with a vendor that provides training materials, which we tailor to the client and review with them to teach them what looks suspicious, what looks legitimate, and how to tell them apart. We favor interactive training that employees can take at their own leisure.
We also send users test email campaigns that mimic common phishing tactics. Then we monitor the number of people who opened the email, the number of people who click on the links in the email, the number of people who filled data out on the fake page skinned to look like a Microsoft login page (for instance), and so on.
We track patterns and watch how they change over time with the introduction of security concepts through training. This allows us to tailor training to individual users who are struggling with specific security issues. Because nobody wants the mandatory three-hour training when they already understand the content, unless they need it for compliance regulation.
That’s just one example of how we can unobtrusively figure out where we need to focus our efforts to have the highest value. We know when clients are getting really good at identifying threats, because end users will start forwarding those test emails to our consultants and say, “Hey, this looks phishy. Did this not get caught by your system?”
That’s the goal.