Why a User Name and Password Just Isn’t Enough

With the recent news flashes about security breaches involving RSA and Sony PlayStation, there is concern that the industry is not being proactive enough in addressing the security threats present in the cyber age. Technology is a powerful enabler that needs to be implemented with proper security etiquette for the business requirements. It needs to be fostered and reviewed to address changes so that it can be updated as needed to stay one step ahead of the threats in this fast-paced environment. Security requirements are different in 2011: fraudsters are smarter, and security breaches have a higher impact on a company’s reputation and highlight technological strengths as well as weaknesses.

Treasurers and cash managers grapple with how to balance compliance, safety and expediency in conjunction with accuracy. There is a desire in the market for simplicity. Every day treasurers and cash managers are dealing with an increasing number of banking partners, which adds another level of complexity, particularly when dealing with the secure delivery of information. The movement away from paper to support green initiatives and leverage automation presents even more challenges for financial institutions and corporations, which must secure information ranging from marketing data to personal information and financial transactions. New solutions do exist and key players with top-rated security credentials are popping up with innovative and interesting approaches that could change the face of data security.

Having said that, what steps do financial institutions and corporations need to take to ensure they make the right choices for the safety and security of critical market sensitive information? Security is not easy, but it might not be as daunting as we think with some careful considerations and guidelines.

A Few Things to Consider

As we move further into the electronic age, is there a universal belt-and-suspenders approach that lets companies remain secure, reliable and trusted, and ensures that information doesn’t get tampered with?

Security paradigms introduce a whole new vocabulary, which is why a common language is critical for corporations to evaluate and implement security mechanisms that meet requirements across accounts payable (A/P), accounts receivable (A/R), treasury and trade processes. Not all the same controls are needed for each process, but a common baseline would make it easier to understand and implement a security programme.

It is important to have technology resources that understand the latest security paradigms and can help translate the technical ABCs into simple business terms. Equally important, a corporate needs to review the processes currently in place and define new processes, as necessary, with its banks, application vendors and data processors.

Key considerations for treasurers and cash managers:

  • Ensure communication channels are secure and traceable at the company and individual level.
  • Use standard operating procedures across all offices/branches, bank and vendor relationships.
  • Leverage security authentication services that can be used across banks, applications and transmission protocols (e.g. internet, FTP, email, etc).
  • Use a personal digital identity (PDI) solution that supports the latest cryptographic standards.
  • Standardise the communication channels/transmission and PDI technologies to simplify the user experience.
  • Implement training on the security paradigms used to access banks and vendors, as well as how to communicate with external applications and counterparties. Offer on-going education and refresher courses and supplemental material users can reference (e.g. manuals electronically and in paper format).
  • Incorporate password policy as part of a corporate employee handbook.

Authentication

Authentication of a person or a process verifies that you are who you say you are. Are you authentic? User authentication is a critical element in security. Authentication verifies that information is from the stated source. It is important to confirm an identity and manage those identities securely. Common authentication practices ask users to supply something they have and provide something they know.

Authentication comes in many flavours, and the number of options continues to increase as security requirements and developments advance. Users can find it confusing to know when to employ the different authentication options, such as two-factor and tri-factor authentication.

In treasury, security is often defined in the workflow process below, including review of transactions and approvals:

Figure 1. Workflow Process for Security Assessment

Source: SWIFT

Organisations are coming to SWIFT for assistance due to the reputation of the SWIFT network and history of security, reliability and trust. For over 35 years, SWIFT has evolved with the industry by offering industrial strength entity level security. Due to the changing market landscape, SWIFT has introduced solutions for identity management at the individual level.

Basic access

Many secure connections between counterparties use a name and password for access controls. The big question now posed is: “Is user name and password enough anymore?” Has the industry become so sophisticated that user name and password isn’t sufficient to secure applications?

Encryption

Encryption is used to protect information so that it can’t be deciphered by the wrong counterparty. But in this day and age, it isn’t enough. Evolving security needs, from entity to individual to transaction/activity level, coupled with individual accountability, have made employees more accountable for their actions.

Moving Forward

Data security at all levels – individual, account, transaction, etc – is absolutely critical to a company’s sustainability. A breach in security is a serious issue with severe knock-on implications. New technologies do exist, and new players not traditionally in this space – but with credence for security in the financial networking space – exist as well. It is important for organisations to consult with their banks, standards organisations and their technology partners to keep up with the changes in security, and do an audit of their current processes to see if they can improve their current security procedures.

Technology is changing at a rapid pace, and everyone has to be a step ahead and implement best practices to ensure safety, soundness and reliability. Be ready and be proactive.
