OFFICIAL PUBLICATION OF THE KANSAS BANKERS ASSOCIATION

Pub. 12 2023 Issue 4

Multi-Factor Authentication: How Having a Layered Defense for Your Bank Can Help to Combat Cyber Threats

As a leader and decision-maker at your bank, you know that technology is a double-edged sword. It helps you work effectively, learn more about your customers, and make better decisions. But the online world also has the potential to destroy a business you’ve worked so hard to build.

We live in a digital world — there’s no way to run a business without technology. So, the only option is to protect yourself as best as you can. One of the most effective ways to do this is with multi-factor authentication (MFA).

You’ve probably heard about it before, and if you’re tired of hearing about it, don’t leave just yet! We’re going to debunk the common complaints about MFA and explain why it’s the single most important thing you could do for your bank’s security today.

“But It Adds an Extra Step to All My Applications.”

The biggest complaint with multi-factor authentication is that it bogs people down. You open up your email, and you have to put in a code. If you want to access a document in Google Drive, you have to open an app and request a “token” (a number) to key in.

While it may add a few seconds to your day, not implementing MFA could get you in legal trouble. The Federal Trade Commission recently updated the Safeguards Rule, which “requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.” MFA is one of those measures.

In addition, the Federal Deposit Insurance Corporation (FDIC) strongly recommends MFA as well as a Managed Service Provider (MSP) that is experienced with banks and the special security needs that they require. And if that wasn’t enough to convince you, most cyber insurance requires the use of MFA. Luckily, a good MSP knows how to properly implement MFA to make it fast, easy, and secure. To get the security benefits of MFA without excessive inconvenience, there are strategies you can use.

At RESULTS Technology, we recommend using push notifications. This way, you won’t have to wait or search for a code; it simply pops up on your screen with the option of remembering your device for 90-180 days. This takes away the constant code inputting and time drag.

Is It Really That Effective? Yes, But Nothing Is Foolproof!

When MFA was first gaining steam, Microsoft claimed it could stop 99.99% of data breaches. But like most things, especially when it’s concerning cybersecurity for banks, cybercriminals quickly got to work finding ways around it.

So while you can’t have a near-perfect guarantee, MFA is still highly effective. Many bank employees may think that the biggest cybersecurity risk comes from a customer’s account being hacked or from someone accessing the bank’s main data frame. But hackers aren’t interested in those hard-to-reach targets. Instead, they might find an employee’s email login information and, without MFA, make it into their account.

But that’s not their target — your employee’s compromised account is just the Trojan horse. With the credibility of an employee’s account, they’ll send emails to coworkers and customers. Once they have an email address and password, the attacker can eavesdrop on your email accounts. With the credibility of your employee’s account, they can quietly collect private data from your customers or internal staff for months without detection.

Through this process, they can request private information, rewire payments to go into their own account, or infect thousands more computers with a phishing email. The possibilities are endless when it comes to social engineering.

If they’re successful, your bank will risk everything from lost income due to reputational damage — in the age of information, mistakes are amplified, which could put your company at an extreme disadvantage. But with multi-factor authentication as a layer of your cyber defense, you could stop the criminal before they have a chance to wreak havoc.

Do I Need a Paid Service, or Can I Get the Same Security for Free?

If you’re feeling the strain of cyber threats but don’t have the resources to have a cybersecurity provider, most apps and tools have an MFA feature. To improve your security today, you should go through each of your vendors — VPN, Gmail, Outlook, Dropbox, DocuSign — anything you access online, and implement MFA.

You won’t have to spend any money, and your cyber posture will improve immediately. The downside to these free options is that there’s no guarantee of how secure the authentication process is. You won’t be able to track what devices are being used or who has access.

Another downside is that they will all vary in how they’re implemented and used, so you’ll need to remember to audit your MFA security often to ensure it’s always in use. You’ll also have to log in and do the authentication for each app separately, which can be frustrating. Free options work in a pinch but shouldn’t be the extent of your MFA strategy. This is especially the case since not all systems provide a free option.

Instead, try to collaborate with an IT provider that specializes in cybersecurity for banks. They’ll set up a paid version of MFA that coordinates between all your applications and gives you insight into the following:

  • What devices are connected to your accounts?
  • Who is accessing the system?
  • Is there unauthorized access?
  • Where are people logging in?

A paid service will also allow you to remember devices for a few months at a time and set up an automated authentication process, so you don’t have to do any extra steps.

Multi-Factor Authentication Is a Worthy Investment — Make the Most of It.

When it comes to cybersecurity for banks, there’s no silver bullet. You need multiple layers of defense, and MFA should be one of them. It only takes a few seconds to do this extra step — and it could save you from a world of hurt.

These days, you need MFA to protect yourself against rising cybercrime. If you neglect this essential security measure, you’re opening yourself up to the full brunt of reputational damage in the age of social media. In addition, the time you spend verifying your identity is nothing compared to the cost and hassle associated with recovering from a data breach.

Please reach out if you have any questions or need help at (913) 347-6497 or visit www.resultstechnology.com.

Mike Gilmore is the Chief Compliance Officer of RESULTS Technology and a Certified Information Systems Auditor (CISA) with more than 30 years of experience in the banking industry. RESULTS Technology provides IT services to community banks across the Midwest. In his role as CCO, Mike provides compliance and risk assessments, audit and exam support, and policy documentation. He can be reached at mgilmore@resultstechnology.com.