Prompt implementation of multi-factor authentication across all access points is a must.
Cloud-based technology and remote work have accelerated the evolution of authentication. Usernames and passwords are simply not enough. Financial institutions should assess all systems and implement multi-factor authentication (MFA) anywhere risk lies.
What is MFA? -- Verifying a user's identity with a combination of at least two factors: something you have, something you know, or something you are.
The Federal Financial Institutions Examination Council (FFIEC) recently issued guidance on effective risk-management practices and principles for access and authentication. The new guidance acknowledges the significant risks and threats in today's cybersecurity landscape and reinforces the need for financial institutions to better authenticate users (customers, employees, and third parties) in order to protect information systems, accounts, and data.
Multi-factor authentication is one of the best tools available to protect against ransomware, corporate account takeover (CATO), and business email compromise (BEC).
Actions for Your Financial Institution
Online information systems are under constant attack from sophisticated networks of cybercriminals, many of which are backed by nation states. To protect your customers and their personal information, and to ensure the safety and soundness of your institution, we recommend following the FFIEC guidance.
Here are 5 steps you can take to get started quickly:
- Perform a thorough risk assessment of your systems. Identify potential entry points for ransomware, particularly those used externally: customers logging into online banking, employees working remotely and in the office, and third-party vendors that have access to your network.
- Restrict access to only those who need it.
- Ensure multi-factor authentication is in place for all users. This can include a second login step, such as an activation code delivered via an app, cell phone, tablet, or another secondary electronic device.
- Communicate to your employees and customers. These extra precautions are to protect customer information, money, and account access as well as the security of the financial institution. The added protections provided far outweigh the few additional seconds taken during the sign-in process.
- Document the risk assessment and each subsequent step taken to ensure security. Examiners and regulators will want to see this documentation (to them, if it isn't written down, it isn't real), and they will also want to confirm that it has been approved at the board level. They expect cybersecurity to be managed around the boardroom table like any other potential risk.
BankOnIT and MFA
BankOnIT implemented multi-factor authentication on our internal network well before this regulatory release. BankOnIT's systems and processes have been specifically designed to meet the needs of financial institutions, with infrastructure and security controls engineered into the systems we provide to our bank network. These controls are covered in the internal and external audit process, as well as in FFIEC TSP exams.
BankOnIT performs critical activities (such as firewall management and monitoring, patch management, hosting and backups, and service and support) with our own 24/7 US-based staff in data centers we own. Our use of third-party vendors is intentionally limited to reduce security risk.
We understand that banking is based on trust: the trust customers place in their bank to keep confidential information secure and their money accessible.