The United Kingdom has consistently taken a strong position on cybersecurity, “recognizing the need to drive awareness and responsiveness on a national scale,” according to an update from Hypr, the passwordless service provider.
It reportedly “established the National Cybersecurity Centre in 2016, has among the strictest security and data protection laws, and recently launched its £2.6 billion National Cyber Strategy.”
The tough stance “holds even more true for banking and financial services organizations, with additional requirements imposed by the Bank of England’s Prudential Regulation Authority (PRA) and international bodies, such as PCI-DSS.”
While these regulations are positive steps, “it means compliance ends up driving many security decisions — to the potential detriment of organizations and their customers.”
In a recent Ernst & Young survey, CISOs in the UK “named ensuring compliance as the most stressful element for their role, yet only 36% believe that compliance requirements focus on the right aspects of security.”
In fact, compliance requirements “typically lag far behind current attack landscape risks. Nowhere is this more evident than in authentication security.”
HYPR and Vanson Bourne recently conducted a survey “on the authentication practices and security of financial services organizations in the UK as well as the US and Europe.” Results show the repercussions “of over-relying on regulations to drive cybersecurity infrastructure decisions.”
Overall, UK financial services organisations “report significantly fewer cyberattacks than other regions.” A full 18% say “they haven’t faced any cyberattacks in the last 12 months whereas the average rate is 6%.” Moreover, those attacks are “less likely to lead to a breach, at 80% for UK firms versus an average of 90%.”
However, this still “means that a full two-thirds of all UK financial organisations have been breached.” In fact, most have “been breached multiple times, to the tune of 3.1 breaches annually, on average.”
Moreover, the positive comparison “ends when it comes to authentication-related breaches.”
Looking at root causes, 95% of organizations “that were breached named credential misuse or authentication vulnerabilities as a factor in at least one breach.” This data indicates that authentication “remains the biggest point of weakness for financial organizations in the UK; regulations are simply not enough.”
The current authentication practices of financial services organizations in the UK are causing harm “to their business and their customers.”
Authentication-related breaches “cost UK firms an average of $1.71 million annually and led to other significant consequences including loss of business (26%), fines (30%), loss of customer data (26%) and loss of employee data (26%).”
Moreover, despite the negative impact, “only 32% of organisations in the UK changed their authentication practices after a breach.”
Compare this “to the U.S. where 44% took action.”
In other words, 68% of the financial firms that were breached are still vulnerable.
Digging in deeper, we see evidence “of persistent insecure practices when it comes to authentication and a strong suggestion that compliance-driven security may play a role.”
As noted in the update:
“While UK organisations deserve credit for doing a good job on the most egregious bad practices — for example, UK firms are 23% less likely than their global counterparts to authenticate with only a username and password (17% vs. 22%) — these seem to have been replaced by only marginally more secure authentication methods. Fully half of UK financial firms employ insecure 2FA technologies such as SMS and OTPs, compared to 32% globally.”
As mentioned in the report:
“The numbers make sense when you consider that regulations currently on the books mandate MFA, but do not distinguish between phishing-resistant passwordless MFA and legacy methods. If the last few years have taught us anything, it’s that standard MFA authentication methods offer little protection against modern attacks.”
As explained in a blog post, this misalignment clearly “creates a false sense of security for many UK financial organisations as 85% state they believe their authentication approach is secure, despite the large number of breaches.”
These findings reveal “the repercussions of focusing on compliance rather than the critical security risks facing UK financial organizations.” Regulations are not enough “to keep authentication-related breaches in check, directly costing these organizations over $1.7 million a year.”
The report from Hypr concluded:
“All organizations, but the finance industry in particular, need to contend with a dynamic threat landscape and evolving business and operating environments. Industry research indicates that most CISOs and IT leaders would rather build cybersecurity structures for the critical risks that their organizations face, rather than simply to align with compliance requirements. These risks aren’t only security-related. Cybersecurity initiatives need to address the commercial needs of the business and act as strategic enablers, rather than obstacles to change. Ticking off a compliance checkbox on multi-factor authentication won’t cut it.”
The update also pointed out that newer phishing-resistant, passwordless technologies offer a clear path forward “for UK financial firms to remain both secure and competitive.”
The survey found “that the vast majority of Security & IT decision makers at these firms (81%) believe passwordless authentication ensures the highest security.”
Even more (89%) state “that passwordless authentication improves user experience.”
As covered, HYPR True Passwordless™ MFA “provides phishing-resistant security that financial services organisations require while making the authentication process fast and frictionless for users.”