With the accumulation of security, fraud, and identity solutions, financial institutions find themselves entangled in a complex array of tools. Phil Allen, VP, EMEA, at Transmit Security, explains how this intricacy obstructs threat response, leads to operational inefficiencies, and poses a risk to undermining customer trust. Consequently, the imperative to streamline and centralise these technologies arises to safeguard security and uphold reputation in an ever-evolving environment.
Security, fraud and identity solutions, tools and vendors pile up. As time passes, more of these pieces of infrastructure can build up in a chaotic and uncontrolled manner that exacerbate the problems they were built to fix.
This is a particular problem for financial institutions. Financial institutions have always been early adopters of these kinds of technologies and are often slow to replace technology with the result that they are often saddled with decades of legacy tools. They’re also a highly regulated industry meaning that they often have to adopt the newest forms of security, fraud and identity technology and keep up to date with standards as quickly as possible.
One of the central reasons for this is that financial institutions sell security, fraud protection and secure identity protection as fundamental qualities. Security tools keep the bank’s computer systems and the assets they manage safe; identity tools help provision and manage the secure identities that provide customers exclusive and secure access to their assets and anti-fraud tools are crucial for making sure the bank and its customers aren’t the victims of criminals. Customers want easy access to their funds and data and expect these institutions to keep them safe. If they don’t, they’ll put their money elsewhere.
Financial institutions are also commonly large and deal with a wide variety of users, customers and staff. As a result they’ll use different tools and solutions in different locations and for the particular needs of individual user groups. One tool might be acquired to fix one particular kind of security problem while others will have been acquired to fulfill one compliance obligation or another and still more might have been obtained via a merger or acquisition.
The effect of sprawl
The resulting bloat in security, fraud and identity tools creates a number of downstream problems. Principally, they stem from the difficulty in managing this diversity of tools and the inconsistent picture they create of the network as well as the inability that many organisations have in controlling their spread.
Managing this glut of products is a difficult job and often leads to more difficulties in coordinating policies and creating consistent workflows. Similarly, responding to threats becomes more difficult as IT professionals now often have to switch between multiple products in order to establish what’s going wrong and how to fix it.
Managing updates and patches becomes difficult because of the sheer number of products that staff have to deal with. Failure to update even one of these products can cause potential security risks. Staff also have to learn to use these products and optimise them, adding more to their workload and further opening the possibility for human error.
This ultimately results in a number of high costs – both hard and soft – including lost revenue as well as other drained resources and energy from staff who have to switch between tools in order to spot and remediate issues.
In practice…
Transmit currently works with a major US bank: This is one of the top 25 financial holding companies in the US with assets of over $200 billion and over 15 million customers. This particular bank was losing tens of millions of dollars every year because of thousands of fraudulent accounts that had been opened at the bank. These resulted in high operational overheads and financial losses due to new account fraud and account takeovers.
Their job was made even more difficult because the bank was using three separate fraud detection tools which could not spot those thousands of fraudulent accounts and did little to stop criminals from opening even more accounts and compromising existing ones. Those tools could only detect around 2,000 illegitimate accounts and forced the bank to find many of these accounts manually. Once they consolidated these tools, the bank managed to plug the drain and stopped the loss of millions of dollars per year and reduced new account fraud by 98%.
Identity sprawl
This is often especially true of identity solutions – which financial institutions fundamentally rely on to keep their customers, employees and infrastructure safe. Again, these institutions consistently use multiple products from different vendors, creating risky inconsistencies which frustrate operations and open vulnerabilities, not to mention the infrastructure and operational overhead that comes with having multiple solutions.
One of the reasons these identity technologies build up is that it is often very difficult in such large institutions to align policies around risk, trust and behavior between different departments in the organisation It often demands the centralisation of numerous kinds of data to create insights that teams can actually measure risk and glean actionable insights from.
Integrating identity solutions from different vendors is often a time consuming, haphazard task which can open up vulnerabilities in the process. Those different solutions will come with different policies and configurations which can result in the artificial partition of identities, thus creating silos and further security risk. Similarly, using multiple CIAM solutions, or even trying to make enterprise IAM solutions fit into a customer environment, will fracture the visibility that financial institutions require over their customers’ identities which hamstring their ability to detect and respond to identity based threats.
Not only do these complications open potential security risks, but fragment user experiences and add a significant amount of operational overhead in the form of time, cost and complexity.
Because of that difficulty, organisations often resort to a one-size-fits-all approach across their entire user base which fails to accommodate the unique user journeys that the diversity of user types will make.
Instead, organisations should look towards solutions that integrate various identity products and make them centrally controllable and visible as well as providing the opportunity to consolidate duplicate or redundant technology From there, the various identities that the organisation possesses can be tracked and managed. Furthermore, a strategy for centralising identity and access management should be tailored to the user and application-specific risk signals that can distinguish between trusted users and suspicious behavior.
The inconsistencies and frustrations that emanate from this kind of sprawl ultimately end up undoing the very point of these tools. This is one of the reasons that many organisations and financial institutions are attempting to consolidate their vendors. A 2022 Gartner survey showed that 75% of organisations are attempting to consolidate their security stack. In the report, John Watts, VP Analyst at Gartner said: “security and risk management leaders are increasingly dissatisfied with the operational inefficiencies and the lack of integration of a heterogenous security stack.”
Financial institutions found their reputations on customer trust that they will safely store their assets and information and provide them access when required. When security, fraud or identity tools get in the way of that trust, the user experience is harmed and customers’ faith in those institutions erode. From that point of view, sprawl isn’t just a parochial technical consideration but a threat to the faith that customers put in that institution.