A US government audit of a company’s compliance with the Red Flags Rule may be inevitable as the number of identity theft cases increases, affecting more people and their creditworthiness. A government audit of a company’s identity theft prevention program, as agreed by an inter-agency committee, will cover three major aspects of the Red Flags Rule.

This checklist of identity theft Red Flags Rule examination procedures can be used by businesses to assess their level of compliance with the Red Flags Rule and prepare for a government audit.

These major Red Flags Rule compliance audit areas are as follows:

  1. Identity theft red flags,
  2. Address discrepancies, and
  3. Changes of address.

The above identity theft prevention compliance areas will be audited using 15 identity theft red flags rule examination procedures during a Red Flags Rule compliance audit by a government agency. Whether your company is audited by the FDIC, NCUA, Federal Trade Commission (FTC) or any other regulatory body, the following identity theft compliance audit procedures will be followed by the examiners to assess the completeness and effectiveness of your company’s identity theft prevention program. Therefore, these audit procedures must be considered by all financial institutions and creditors to comply with the identity theft Red Flags Rule regulation, which has been adopted and is currently enforced. Government risk management examiners are also instructed to test institutions for Red Flags Rule compliance as well as address discrepancy and change management during risk management audits.

Specifically, the Red Flags Rule requires the following:

  1. Financial institutions and creditors to implement a written identity theft prevention program,
  2. Institutions to assess the validity of change of address requests, and
  3. Users of consumer reports to verify the identity of the subject of a consumer report in the event of a notice of address discrepancy.

Government Identity Theft Red Flags Rule Examination Procedures

The following list of identity theft compliance audit procedures will be followed by government examiners and can be used by all covered entities to determine their compliance level and preparedness for a government audit:

1. Covered Accounts – Government Red Flags Rule audit examiners will verify that the institution periodically identifies covered accounts it offers or maintains. As part of this initial procedure in the examination, examiners will verify that the institution:

  • included accounts for personal, family and household purposes, that permit multiple payments or transactions;
  • conducted a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution’s previous experiences with identity theft.

2. Other Regulations – Examiners will review examination findings in other areas (e.g. Bank Secrecy Act, Customer Identification Program and Customer Information Security Program) to determine whether there are deficiencies adversely affecting the institution’s ability to comply with the identity theft Red Flags Rule.

3. Management Oversight – Government auditors will review reports, such as audit reports and annual reports prepared by staff for the board of directors (or an appropriate committee thereof or a designated senior management employee) on compliance with the Red Flags Rule. These include reports that address:

  • Effectiveness of the institution’s ID Theft prevention program,
  • Significant ID Theft incidents and management’s response,
  • Oversight of service providers that perform activities related to covered accounts, and
  • Recommendations for material changes to the prevention program.

4. Comprehensive Program – Examiners will verify the institution has developed and implemented a comprehensive written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft. The program must be appropriate to the size and complexity of the institution and the nature and scope of its activities. Examiners also will determine whether the institution uses technology to detect red flags; whether the program is updated periodically; and that the board approved and oversees the program.

5. Trained Staff – Examiners will verify that the institution trains appropriate staff to effectively implement and administer the program.

6. Vendor Management – Examiners will determine whether the institution exercises appropriate and effective oversight of service providers that perform activities related to covered accounts.

When these procedures are complete, examiners will form a conclusion about whether the institution has developed and implemented an effective and comprehensive written program designed to detect, prevent and mitigate identity theft.

Address Discrepancy Audit Procedures

The regulation also requires users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a credit reporting agency. The government identity theft red flags rule examination procedures include five steps to assess address discrepancy compliance:

7. Recognition – Examiners will determine whether the user of consumer reports has policies and procedures to recognize notices of address discrepancies.

8. Reasonable Belief – Examiners will determine whether users have policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested.

9. Accurate Address – Examiners will determine whether users have policies and procedures to furnish to the nationwide consumer reporting agency a consumer address that the users have reasonably determined is accurate.

10. Timing – Examiners will determine whether the users’ policies and procedures require them to furnish the confirmed address as part of the information they regularly furnish to the credit reporting agencies during the reporting period when they establish a relationship with the consumer.

11. Sampling – If procedural weaknesses or risks are determined, examiners will obtain a sample of consumer reports requested by the user from a credit reporting agency regarding notices of address discrepancies to determine:

  • how the user established reasonable belief that the reports related to the consumer in question,
  • if the consumer relationship was established,
  • whether the institution furnished a consumer address that was reasonably confirmed, and
  • whether the user furnished the address in the appropriate reporting period.

Change of Address Audit Procedures

The regulation also requires institutions to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. Under these circumstances, the card issuer may not issue an additional or replacement card until the institution:

  • Notifies the cardholder of the address change request and provides the customer a communication means to report unauthorized address changes, 
  • Notifies the customer with a previously agreed upon means of communication, or
  • Assesses the validity of the change of address according to procedures established as part of the ID Theft prevention program.
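
The hold on card issuance described above can be enforced in code. The following sketch is an added example, not part of the original article or of any regulator's tooling; the 30-day window, the record types and all sample data are assumptions made for the illustration, since the page only says "followed closely". It also includes a replay function in the spirit of the sampling step, which re-checks cards that were already issued.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List

# Assumption: the page only says "followed closely"; 30 days is this
# example's policy value and should come from the written program.
WATCH_WINDOW = timedelta(days=30)


class Method(Enum):
    NOTICE_WITH_REPORTING_CHANNEL = 1  # cardholder notified and given a way to report
    NOTICE_VIA_AGREED_CHANNEL = 2      # notified through a previously agreed channel
    PROGRAM_ASSESSMENT = 3             # validity assessed under the prevention program


@dataclass
class Validation:
    method: Method
    at: datetime
    standalone: bool = True  # False: notice was bundled with regular correspondence


@dataclass
class AddressChange:
    account_id: str
    requested_at: datetime
    validations: List[Validation] = field(default_factory=list)


@dataclass
class CardRequest:
    account_id: str
    requested_at: datetime


def _counts(v, change, as_of):
    """A validation counts if it happened after the change and before the card request."""
    in_order = change.requested_at <= v.at <= as_of
    if v.method is Method.PROGRAM_ASSESSMENT:
        return in_order
    # Notices must be sent separately from regular correspondence.
    return in_order and v.standalone


def evaluate(request, changes, window=WATCH_WINDOW):
    """Return (issue, reason) for an additional or replacement card request."""
    recent = [c for c in changes
              if c.account_id == request.account_id
              and timedelta(0) <= request.requested_at - c.requested_at <= window]
    for change in recent:
        # Every recent address change needs at least one accepted validation.
        if not any(_counts(v, change, request.requested_at) for v in change.validations):
            return False, f"hold: address change {change.requested_at:%Y-%m-%d} not validated"
    if recent:
        return True, "issue: recent address change validated"
    return True, "issue: no recent address change"


def sample_violations(issued, changes, window=WATCH_WINDOW):
    """Replay already-issued cards and list accounts that should have been held."""
    return [r.account_id for r in issued if not evaluate(r, changes, window)[0]]


# Constructed sample data (not real accounts).
CHANGES = [
    AddressChange("A1", datetime(2024, 3, 1)),  # no validation at all
    AddressChange("A2", datetime(2024, 3, 1),   # notice bundled with a statement
                  [Validation(Method.NOTICE_WITH_REPORTING_CHANNEL,
                              datetime(2024, 3, 2), standalone=False)]),
    AddressChange("A3", datetime(2024, 3, 1),   # separate notice, agreed channel
                  [Validation(Method.NOTICE_VIA_AGREED_CHANNEL, datetime(2024, 3, 2))]),
    AddressChange("A4", datetime(2024, 1, 1)),  # change is outside the window
]
REQUESTS = [CardRequest(a, datetime(2024, 3, 10)) for a in ("A1", "A2", "A3", "A4", "A5")]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req.account_id, *evaluate(req, CHANGES))
    print("violations if all were issued:", sample_violations(REQUESTS, CHANGES))
```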

A government identity theft prevention compliance audit will include four steps to test change of address compliance:

12. Verification – Examiners will determine whether the card issuer has policies and procedures to assess the validity of a change of address.

13. Prevention – Examiners will determine whether policies and procedures prevent card issuers from issuing additional or replacement cards until they notify the cardholder or use other reasonable means to evaluate the validity of the address change.

14. Special Notice – Examiners will determine whether written or electronic notice is sent to cardholders to validate a change of address. This notice must be separate from any regular correspondence.

15. Sampling – If procedural weaknesses or risks are noted, examiners will obtain a sample of notifications from cardholders to ensure that card issuers complied with regulatory requirements to evaluate the validity of address changes before issuing cards.

In order to protect consumers, the US government has identified 5 categories of identity theft red flags and a total of 26 specific red flags as part of the Red Flags Rule regulation to help businesses detect and prevent identity theft in their day-to-day business operations. The Red Flags Rule requires companies to establish a formal identity theft prevention program that addresses how the business identifies, detects, and responds to identity theft red flags. The 26 identity theft red flags offer guidance to businesses for identity theft prevention.

What are Identity Theft Red Flags?

Identity theft red flags are suspicious patterns, practices, and activities that indicate the possibility of identity theft. For example, if a customer offers a unique identifier such as a social security number (SSN) and the SSN is already used by another customer, it is potentially a strong red flag or indication of possible identity theft. Likewise, a personal document that looks fake may represent a potential identity theft red flag.

Purpose of Identity Theft Prevention Program

The main requirement of the Red Flags Rule is the establishment of an identity theft prevention program. The purpose of an identity theft prevention program is to develop policies and procedures for the following 4 areas:

  1. Identify identity theft red flags with a risk assessment to document how identity theft may occur in your daily business operations
  2. Detect the identified red flags
  3. Prevent identity theft after the red flags are detected
  4. Update the identity theft prevention program to address new threats

Once the program is developed, it is extremely important to train the appropriate staff to become familiar with the program, identity theft threats, and steps to be taken.

Who Should Comply

All financial institutions and creditors must comply with the Red Flags Rule. The Red Flags Rule defines a “financial institution” as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or a person that, directly or indirectly, holds a transaction account belonging to a consumer.

5 Identity Theft Areas under the Red Flags Rule

The Red Flags Rule lists 26 specific red flags under the following 5 general categories that companies must identify to detect identity theft. These categories provide guidance and direction to help businesses focus on sources of useful information for identity theft prevention:

  1. consumer reports
  2. identification documents and information
  3. address discrepancy notices
  4. suspicious address changes, and 
  5. warning notices received from customers and other sources.

26 Identity Theft Red Flags

The Red Flags Rule regulation lists 26 specific identity theft red flags that companies should consider as part of their identity theft prevention program and training. These identity theft red flags are not only important for compliance with the Red Flags Rule, but they also form the basis for identity theft risk assessment and prevention. Companies should consider these 26 identity theft red flags in their risk assessment process and select the ones that apply to their unique business for developing the identity theft prevention program and employee identity theft training.

  1. Consumer report fraud alerts must be considered as a possible identity theft red flag.
  2. Notice of a credit freeze in response to a request for a consumer report is a potential red flag because a consumer who placed a credit freeze is less likely to apply for credit.
  3. Unusual credit activity, such as an increased number of new accounts or inquiries and spending, appears in the credit reports.
  4. Identification documents provided by the customer appear altered or forged.
  5. Photograph on ID card is inconsistent with the appearance of the customer present.
  6. Information on ID card such as name or address is inconsistent with information provided by the person opening account.
  7. Information on ID card is inconsistent with information on file in the organization.
  8. Application appears forged, altered and reassembled.
  9. Personal information is inconsistent across multiple sources.
  10. Lack of correlation between social security number range and date of birth exists.
  11. Personal information is associated with known fraud activity and cases.
  12. Suspicious information or a suspicious address is supplied, such as a PO Box, prison, or phone numbers associated with an answering service.
  13. Social security number provided matches social security number submitted by another person opening an account or existing customer.
  14. An address or phone number matches information provided by other applicants and customers.
  15. The person opening the account is unable to supply additional identifying information in response to incomplete applications.
  16. Personal information is inconsistent with information already on file at financial institution or creditor.
  17. An existing customer is unable to correctly answer challenge questions.
  18. Shortly after change of address, creditor receives a request for additional users for the account.
  19. A consumer reporting agency provides a notice of address discrepancy.
  20. Most of available credit is used for cash advances, jewelry or electronics, and customer fails to make first payment.
  21. Drastic change in payment patterns, use of available credit or spending patterns.
  22. An account that has been inactive for a long time suddenly becomes unusually active.
  23. Mail sent to customer repeatedly is returned as undeliverable despite ongoing transactions on the account.
  24. Financial institution or creditor is notified that customer is not receiving paper account statements.
  25. Financial institution or creditor is notified of unauthorized charges or transactions on customer’s account.
  26. Financial institution or creditor is notified that it has opened a fraudulent account.
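
Several of these red flags can be checked automatically against data the institution already holds. The following sketch is an added example, not part of the original article: it covers red flags 13 and 14 (an SSN, address or phone number shared across applicants) and red flag 22 (a long-inactive account that suddenly becomes active). The record layout, the dormancy and burst thresholds and all sample values are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Assumptions for this example; the page gives no numeric thresholds.
DORMANT_AFTER = timedelta(days=365)  # "inactive for a long time"
BURST_WINDOW = timedelta(days=7)     # "suddenly"
BURST_COUNT = 5                      # "unusually active"


def norm_ssn(value):
    """Compare SSNs on digits only so formatting differences do not hide a match."""
    return re.sub(r"\D", "", value)


def norm_phone(value):
    """Keep the last 10 digits so a leading country code does not hide a match."""
    return re.sub(r"\D", "", value)[-10:]


def norm_address(value):
    """Lower-case and collapse punctuation and whitespace."""
    return re.sub(r"[^a-z0-9]+", " ", value.lower()).strip()


def shared_identifier_flags(applicants):
    """Red flags 13 and 14: return (flag_no, field, customer_ids) for shared values."""
    checks = (("ssn", 13, norm_ssn),
              ("address", 14, norm_address),
              ("phone", 14, norm_phone))
    findings = []
    for field_name, flag_no, normalize in checks:
        groups = defaultdict(set)
        for applicant in applicants:
            value = normalize(applicant.get(field_name, ""))
            if value:
                groups[value].add(applicant["id"])
        for ids in groups.values():
            if len(ids) > 1:
                findings.append((flag_no, field_name, tuple(sorted(ids))))
    return sorted(findings)


def dormant_then_active(txn_dates, dormant_after=DORMANT_AFTER,
                        burst_window=BURST_WINDOW, burst_count=BURST_COUNT):
    """Red flag 22: return the date activity resumed after dormancy, or None."""
    dates = sorted(txn_dates)
    for i in range(1, len(dates)):
        if dates[i] - dates[i - 1] >= dormant_after:
            burst = [d for d in dates[i:] if d - dates[i] <= burst_window]
            if len(burst) >= burst_count:
                return dates[i]
    return None


# Constructed sample data. The SSNs use the invalid 000 area on purpose.
APPLICANTS = [
    {"id": "C1", "ssn": "000-00-0001", "address": "12 Example St., Apt 4",
     "phone": "(555) 010-0001"},
    {"id": "C2", "ssn": "000000001", "address": "98 Sample Ave",
     "phone": "555-010-0002"},
    {"id": "C3", "ssn": "000-00-0003", "address": "12 example st apt 4",
     "phone": "+1 555 010 0001"},
]
DORMANT_ACCOUNT = [date(2022, 1, 5), date(2022, 2, 1), date(2023, 6, 10),
                   date(2023, 6, 10), date(2023, 6, 11), date(2023, 6, 12),
                   date(2023, 6, 13)]
REGULAR_ACCOUNT = [date(2023, 1, 1), date(2023, 2, 1), date(2023, 3, 1)]

if __name__ == "__main__":
    for finding in shared_identifier_flags(APPLICANTS):
        print("red flag %d: shared %s among %s" % finding)
    print("red flag 22 on dormant account:", dormant_then_active(DORMANT_ACCOUNT))
```

A match is only an indicator to be reviewed under the prevention program; shared addresses, for example, are normal within a household.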

The market for biometric data systems is expected to grow from its 2019 value of 33.0 billion to 65.3 billion by 2024. What’s driving this rapid growth? Biometrics are being incorporated into more consumer devices.

There are certain business outsourcing risks when companies decide to let another company take care of their business operations. When companies make a decision to outsource some of their services to an outsourcee, they have basically concluded that their companies are better off letting someone else do the job for them. Although their assumptions may be true when we look at specific benefits, it may not be true when we look at the entire picture.

There are sometimes good reasons to outsource, which we will cover later. Companies may outsource business operations such as customer service or call centers, IT operations, marketing, or certain aspects of their system security management, especially if the outsourcee offers independence and state-of-the-art technology. However, outsourcing decisions are sometimes based on myths and a lack of awareness of the risks. A myth is a false belief, and there are a few of them when it comes to outsourcing business operations.

Outsourcing Myths

Myth #1) We will save money – this is actually far from the truth when we look at the entire picture. What happens when you decide to bring the outsourced process or function back in-house one day? You will incur huge costs associated with hiring, training, and productivity. That is if your outsourcing contract allows you to easily reverse your past decision and if the other company supports your decision, since they have no incentive to cooperate.

Myth #2) It’s less headache for us – the reality is that when it comes to outsourcing, less is more: when you have less control over the process, you have more problems and less flexibility to address those problems efficiently and effectively. Remember, when you outsource, you are at the mercy of the other company to solve your problems and manage your risks. The risk significantly increases when the outsourcing company directly deals with your customers and appears to be an extension of you in the marketplace.

Myth #3) They have better skills – this may be true, and the belief that the other company can do a better job is often the basis for outsourcing. But it comes at a cost. Your company can also hire and retain the best skilled staff at a higher cost. Nothing is free, and some skills like IT are even more expensive no matter who employs them.

Business Outsourcing Risks

Risk #1) Service Level Agreements or SLAs may not be clear enough – sometimes there is a lack of understanding regarding service agreements or responsibility assignments. Roles and procedures may also not be clear or properly defined and communicated. This can lead to a complete breakdown in business operations initially, followed by a slow recovery in operational efficiency and effectiveness that can take months and years. The resulting effect on productivity and morale is another component of business outsourcing risks.

Risk #2) The outsourcing project may be poorly planned – one of the consequences of poor planning is fully trusting the outsourcee and letting knowledgeable employees leave the company before their knowledge is adequately transferred. This cost-saving error results in service delivery delays in the short run and costs companies even more in the long run.

Risk #3) Lack of control over outsourcee staff – firms usually have bad apples in their pool of employees for a reason: to bring costs down without being detected while doing so. When we have control over staff, we can tie their job retention to their job performance, but not when the staff member is an outsourcee employee who may also be overworked and engaged in serving other customers with or without your knowledge. Remember, the outsourcee’s objective is to make money by serving as many clients as possible, and when they have too many clients, they can take the risk of losing one client over poor service.

Risk #4) Contracts may not allow early and easy exit – can you imagine waking up one morning, realizing that your company has made the mistake of outsourcing some functions, and also realizing that you cannot easily reverse your decision while the service renewal contract is staring you in the face? If you discover early on that you made the wrong decision, you may be obligated to abide by the contract. Even when the contract ends, bringing the task back in house will be a huge undertaking, depending on the scope, and will require the cooperation of the outsourcee, which will have yet another opportunity to squeeze in more money.

Risk #5) Transition back to in-house is costly and can take time – remember the myth about saving money on labor cost when your company first decided to outsource? Now think again about bringing the outsourced functions back in house with the unimaginable cost of re-hiring skilled staff and training. That is if your company reputation is still good enough to attract past or new employees. Having an exit strategy is and should be part of the plan for managing business outsourcing risks.

Risk #6) You may be liable for data breach – if you are sharing personal and confidential data with the vendor as part of the outsourcing arrangement, the vendor may sell or use the data for other reasons and may not protect the data as well as necessary to comply with the regulations. If the vendor experiences a data breach, your company will be liable and suffer the consequences as noted in risk #7. To reduce the data security and compliance risks associated with business outsourcing, Henry Bagdasarian, founder of Identity Management Institute, suggests that companies establish solid data protection SLAs with their vendors and require independent audit reports to confirm compliance with the SLAs and appropriate regulations.

Risk #7) Your company reputation may be at risk – depending on the type of function outsourced and its nature, the outsourcee can be viewed as an extension of your company, which can either directly affect your image if they interact with your customers or reflect poorly on your outsourcing decision and planning if they don’t perform well.

On the bright side, outsourcing is not all that bad and it may even make sense in some cases. For example, outsourcing is a great option when the skills needed for the project are not immediately available in-house or the skills needed are just temporary, part time, or for a special project which means that you can easily change vendors or bring the function back in house if needed. Managing business outsourcing risks is critical from the start which includes a complete risk assessment and oversight of the vendor and the project.

Blockchain identity management is increasingly being adopted for validating identities through blockchain authentication, ensuring data privacy and integrity, and managing access. With the massive growth of online business and data comes the equally massive complexity of securing business transactions and system or data access. Cybercrime risks require industries to incorporate technical solutions to keep systems and data safe. One solution leading the field for cyber security and privacy is blockchain technology.

Current identity and access management systems have a few security and privacy weaknesses which a blockchain-based technology can help solve. However, blockchain is new and may introduce risks associated with sensitive data stored on a public blockchain ledger.

Blockchain or Distributed Ledger Technology (DLT) in identity management helps control data in a decentralized manner. Traditionally, businesses use a centralized system for identity management, which makes the database a honeypot for hackers. For example, the popular Lightweight Directory Access Protocol (LDAP) is used with directories that store information in a database owned by a single organization.

Identity management with blockchain works in a different way. There is no centralized database; instead, information is stored across a peer-to-peer environment by adopting a decentralized framework. The data is stored immutably in publicly owned blocks over the network. This solution provides flexibility, security and privacy for data management with reliable authentication and integrity checks.

The Small Business Innovation Research program, supported by the Small Business Administration describes blockchain as “a common, public ledger, which utilizes cryptographic mechanisms to verify transactions and information in a decentralized manner.” In this way, blockchain integrity is verifiable by businesses without relying on third parties to ensure trust.

The role of blockchain in identity management is to provide a means to verify identities, control access, and ensure the integrity of the data and transactions. Everything stored in the database is publicly owned and immutable.

The future of blockchain identity management as a standard solution for cryptocurrency and other online transactions looks bright. The World Economic Forum reports that while banks spent $75 million to develop this technology in 2015, they spent closer to $400 million in 2019. This is because blockchain technology costs less to develop and implement than standard technologies, offers data integrity, and ensures data is not modified or manipulated by unauthorized persons. According to International Data Corporation (IDC), global blockchain spending will be around $19 billion by 2024 compared to $6.6 billion in 2021, as reported in IDC’s Worldwide Blockchain Spending Guide forecasts.

Blockchain technology is in its infancy. There are clear signs that future business solutions for security and privacy will include blockchain technology. The question that remains is how long it will take to see its full potential. That said, blockchain does not come without challenges and will require time to mature. While blockchain offers a beneficial model to make identities portable, verifiable, secure and private, potential challenges remain to be addressed.

Projections show cybersecurity spending exceeding $133 billion by 2022, including spending on artificial intelligence and machine learning solutions. Many businesses use AI to assist in breach detection and prevention, but as the technology becomes more ubiquitous, hackers are turning the tables and deploying AI-powered attacks. If such sophisticated solutions can backfire, can enterprises really rely on AI for their security needs while mitigating artificial intelligence threats and security issues?


A Few AI Statistics

According to Gartner, information security and risk management spending could be as much as $175.5 billion by 2023. Seventy-five percent of enterprises currently rely on AI-based solutions for network security, and 51% use AI as a “primary” threat detection option.

These numbers suggest increasing confidence in sophisticated cybersecurity solutions, but 22% of organizations still lack sufficient resources to respond when incidents occur. There remains a significant gap between the 62% of enterprises making the most of AI and exploring new ways to implement AI solutions and those with little or no solid grasp of how to properly implement the technology.

AI is Changing Cybersecurity (For Better or Worse)

Speed is where AI excels the most, surpassing the human capacity to detect and mitigate threats. Seventy-five percent of cybersecurity executives agree AI allows them to respond to breaches faster, and the technology has been found to speed up evaluations of “breach-worthy” vulnerabilities by 73%. Fifty-nine percent of cybersecurity professionals say AI streamlines the process of detecting and responding to critical system weaknesses, and enterprises using the technology are able to find and fix such weaknesses 40% faster.

What does this mean for enterprise cybersecurity in practice?

With the rapidly evolving threat landscape, AI has become a necessity for 69% of enterprise executives. Sixty percent of cybersecurity professionals agree the technology is able to provide networks with “deeper security,” which can be a critical factor in separating enterprises affected by breaches from those able to avoid attacks.

Artificial intelligence shows significant potential for detecting fraudulent activity, malware and intrusions, as well as gauging the risk levels of login attempts. By making threat detection more sensitive and enabling nuanced behavior tracking, AI increases flexibility within identity and access management strategies. IT professionals can use the technology to create conditional rules and reduce friction for users with complex access requirements.

AI Can Backfire in the Hands of Hackers

Ironically, speed is also a major drawback of AI. Hackers are embracing the machine learning algorithms behind the technology’s success to create nuanced attacks personalized for specific individuals. Because AI can be “taught” with data sets, hackers can either create their own programs or manipulate existing systems for malicious purposes. Attacks executed with AI tend to be more successful, perhaps because the technology makes it easier to develop malware with the ability to evade even sophisticated threat detection. For example, pairing polymorphic malware with AI allows these programs to change their code rapidly, making them almost invulnerable to existing cybersecurity systems.

Hackers may also modify enterprise machine learning algorithms by altering inputs to change the way the system recognizes specific elements. This technique can be used to make the system overlook threats and allow hackers to bypass identity and access management controls.

System behaviors are potential targets, as well; with the right modifications, hackers can change the way devices respond or communicate, which may result in dangerous outcomes. Once system information has been changed, it can be very difficult to correct problems and return the network to its original state.

In light of these threats, it’s important for enterprise executives and IT professionals to resist the temptation to be complacent. Although AI is becoming more autonomous, it is by no means a replacement for human diligence. Systems require correct setup and management from the start, beginning with extensive data sets to prevent false positives and continuing with consistent monitoring and updates to maintain strong security.

Avoiding the Pitfalls of AI Technology

No single security solution, including AI, is enough to protect enterprise networks on its own. In addition to developing robust cybersecurity policies for comprehensive protection, enterprises must:

• Promote cybersecurity awareness through ongoing employee education
• Prioritize data protection
• Employ IT professionals with an awareness and understanding of emerging threats
• Use high-quality data sets when training AI systems
• Automate key security processes for faster detection and response
• Go beyond compliance to create tailored security solutions
• Perform routine security audits and penetration testing
• Upgrade software and hardware as needed
• Amend security policies to address new threats


Like all security solutions, artificial intelligence has its limitations. Enterprises interested in incorporating the technology into cybersecurity frameworks must assess their needs and design multifaceted strategies to address both known and potential threats. Instead of seeing AI as the ultimate solution to all cybersecurity problems, it’s necessary to acknowledge potential drawbacks and implement the technology as part of a dynamic and adaptable security solution.

As 2020 gets underway, a growing threat landscape signals the need for stronger identity and access management policies across industries. Although many businesses and organizations are beginning to implement new strategies or update existing protocols in response to cybersecurity trends, some still struggle to protect their networks from hackers, employee ignorance and other breach risks.


U.S. State Department Lags Behind in Cybersecurity

A new audit from the Office of the Inspector General shows cybersecurity is still a “major management and performance” challenge for the U.S. State Department. Deficiencies were noted as far back as 2009, but unfilled cybersecurity positions and the absence of a clear chain of accountability appear to be holding the department back from implementing better security.

This lack of cybersecurity oversight may leave State Department information technology systems vulnerable to attack, which could become a significant concern in light of growing tensions between countries around the world. The U.S. government, like any large organization, must prioritize network security to prevent unauthorized access and protect systems, devices and information from malicious activities.

Government Agencies Move Toward Zero-Trust Security

In a recent FedScoop survey, 48% of federal government IT executives said they were switching from perimeter defense tactics to zero-trust network access policies as part of their efforts to meet new federal identity management requirements. The Federal Identity, Credential and Access Management policy, known as FICAM, is designed to promote interoperability, reduce redundancy and improve data protection by creating a common framework for access management and information security.

For many organizations implementing FICAM strategies, zero trust is a key element. Sixty-eight percent of IT executives say it’s a high priority in general; 74% focus on zero trust more for cloud systems and data storage. Other measures, such as passwordless logins, are scheduled to be implemented in over half of federal organizations’ protocols in the next two years. Such changes will support streamlined security while improving overall access control.

Mergers Expand Opportunities for Cybersecurity Companies

Merger and acquisition activities have been heating up in the cybersecurity industry in recent years. Companies seeking to expand their offerings are using acquisition as a way to cater to changing enterprise network needs by adding security coverage for cloud environments.

The need for skilled cybersecurity personnel is also a driving force. The cybersecurity industry is still experiencing a significant talent gap, but companies requiring stronger IT and security teams can improve their services by acquiring and leveraging talent from high-value vendors.

As more businesses merge, integration remains a top concern. Technologies must be compatible and able to deliver a streamlined user experience in order for companies to successfully meet client demands.

Small Businesses Continue to Face Cybersecurity Threats

Although 43% of all online attacks are now directed at small businesses, 66% of key decision makers in these companies don’t think breaches are likely to occur. Only 14% of small businesses have any kind of breach defenses in place; the rest are vulnerable to potentially devastating cyberattacks. A lack of defense is likely to have contributed to the breaches experienced by over half of small businesses within the last year.

With the average cost of a breach incident now at a staggering $200,000, it can be nearly impossible for small companies to bounce back after a cyberattack. Sixty percent of businesses close their doors within six months of being affected by breach activity. For small companies to survive in an environment where cloud-based systems and internet of things technologies are becoming integral to business operations, breach prevention strategies must become a standard part of all security protocols.

Employee Education Remains Key in Breach Prevention

Insider threats continue to represent one of the biggest cybersecurity concerns for businesses of all sizes. In a 2020 report from Gurucul, 53% of organizations agreed cloud migration has made it harder to detect insider threat activities, and 68% reported feeling “vulnerable to insider attacks.” Businesses can reduce these vulnerabilities and improve security by integrating employee cybersecurity education into company culture.

Critical steps for minimizing insider threats include:

• Establishing an employee education framework as part of an overall cybersecurity strategy
• Setting and enforcing security rules relating to password management, personal device security and removable media use
• Practicing attack and breach responses with routine drills
• Creating a policy to govern software installation and curtail shadow IT
• Including cybersecurity awareness in onboarding procedures

To ensure employees take cybersecurity seriously, company executives must make it a point to model and enforce proper security behaviors.


The evolution of cybersecurity continues to be a key consideration for IT professionals across organizations and industries. As recent news shows, strong cybersecurity policies are essential for protection but remain elusive in many sectors. Moving forward, businesses and government agencies must focus on combining cybersecurity skill with detailed access management policies to avoid the consequences of breach activity.

In 2016, the average enterprise had to manage access for 89 vendors. The number climbed to 181 vendors in 2017 and has continued to increase as more industries switch to cloud-based software and services. With this expansion comes an increased breach risk, which requires enterprises to go beyond the borders of their internal networks to address third party access risks and implement strict security procedures for external users.

The Rise and Risk of Third-Party Access

Eighty-one percent of IT professionals reported seeing an increase in third-party enterprise network access between 2015 and 2017, but only 34% of companies keep detailed inventories of the vendors with access to their networks. This low level of visibility may stem from a combination of poor third-party risk management and an unnaturally high level of trust. Two-thirds of enterprise IT professionals admit to trusting vendors more than they should, and just 35% would rate their third-party risk management strategies as “highly effective.”

Assuming vendor access is safe because a vendor is familiar or has a good reputation can be a mistake with far-reaching consequences. Fifty-eight percent of organizations reported breaches related to vendor access in 2019, pointing to a need for stronger access management policies. While an otherwise trustworthy vendor is unlikely to perform malicious actions while logged into an enterprise system, vulnerabilities in that vendor’s network or software, or human errors, can act as a gateway for hackers. If the vendor’s system is breached, hackers could potentially use the vendor’s accounts to access every enterprise to which the vendor connects.

Managing and Mitigating Vendor Risk

Since 63% of businesses lack the resources for appropriate management of vendor relationships, inherited vulnerabilities remain an ongoing challenge. Risk reduction hinges on awareness and visibility. Enterprises need to know who has access to their networks, as well as when and how connections are being made.

Those with existing third-party relationships must take inventory of all vendors and review third-party security policies. This should include assessments of how data is stored and secured, as well as careful evaluation of breach prevention strategies. Following the same procedure before allowing access for new vendors can prevent inherited vulnerabilities from becoming breach risks.

Limitations on vendor access, including which devices may be used, provide additional security. Third parties should only be able to access the information they need to perform essential services, and all devices used should be approved in advance by the enterprise with ownership of the network. Because some vendors may pose higher risks than others, a rules-based risk assessment can be useful in determining the amount of oversight required to minimize the possibility of a breach.

Viewing vendors as users brings them under the umbrella of internal security policies, including onboarding and offboarding procedures. Each vendor should be subject to consistent monitoring for unusual behavior patterns during network sessions and denied access should any red flags arise. In the event a vulnerability is discovered on the vendor’s end, it’s up to the enterprise to point it out and request a fix. If a vendor refuses to correct the problem or chooses to remain ignorant of the potential consequences, it may be necessary to revoke all access or find another provider.

Proper governance ensures such third-party access rules are enforced. Enterprises with strong governance models are better able to evaluate, track, approve and monitor third parties and respond to risks in real time than the 44% of companies taking an “all or nothing” approach to vendor access.

Establishing Third-Party Security Guidelines

When enterprises assume external access poses less of a risk because vendors have their own security policies, they lack the knowledge and foresight required to maintain secure networks. Rather than relying on questionable or inadequate vendor security, enterprise IT professionals must take the initiative and create solid policies to govern vendor access.

Policies should include the following:

  • Vendor and third party access approval
  • Level of access allowed based on vendor needs
  • How access is managed and controlled
  • Policy review criteria for vendor access management including management of privileged accounts
  • Provision for continual risk evaluation
  • Routine review of vendors’ security policies and practices

Consistent enforcement of access guidelines is necessary to protect against third-party vulnerabilities and preserve the integrity of enterprise networks. Compiling policies into a document provides a straightforward checklist for new vendor evaluation and existing vendor monitoring, which is essential in a digital environment where new threats continue to emerge.


The complex interconnectivity between enterprises and vendors requires diligence and discernment on the part of IT professionals. Because enterprises can’t operate efficiently without support from third parties, it’s essential to establish clear policies and enforce access limitations while continually monitoring network activity. Making vendor boundaries a security priority ensures safer access for all network users and protects enterprises from hackers seeking to exploit third-party vulnerabilities.

Standard authentication methods are fraught with security risks and vulnerabilities. Even protocols with the highest perceived security levels such as multi-factor authentication and blockchain verification can become compromised, allowing hackers to infiltrate networks and access sensitive data.

Adaptive authentication is a form of risk-based authentication that determines the appropriate combination of authentication methods required to grant an entity access, based on various risk factors.

Enterprises need better solutions for verifying identities and controlling access to complex systems. Adaptive authentication may provide an answer to the continued challenge of balancing strong security with user experience to prevent breach incidents while supporting productivity.

Granting Access Based on Risk

Because adaptive authentication allows users access to networks and resources based on risk levels, it’s sometimes referred to as risk-based authentication, or RBA. Assessments of risk levels are based on two groups of factors:

• Static access requirements and policies set for specific user types
• Detailed behavioral information for each individual user or network entity

Authentication may be granted using either approach on its own, but a combination provides the most dynamic option for enterprises seeking to improve security.

Behavioral data is monitored and collected using technology known as User and Entity Behavior Analytics. This is an updated version of User Behavior Analytics and includes not only human users but also devices and servers. UEBA builds profiles of entities’ behaviors in a cloud environment and uses machine learning to continue compiling an increasingly detailed view of each user.

Such comprehensive information allows the system to grant or deny access based on more than just login credentials. Profiles include granular data regarding access behaviors, such as roles, registered devices, normal login times and the distance between current and historical login locations. The more these factors deviate from normal behavior during a session, the higher the perceived level of risk associated with granting access to a user or entity.

Basics of Adaptive Authentication

In practice, adaptive authentication combines static access control rules with continuous evaluation of behavioral characteristics. During implementation, IT teams set basic access management rules based on user types and roles to dictate which resources can be accessed with basic login credentials. Beyond this point, artificial intelligence and machine learning take over to determine whether further authenticating factors are required.

Anomalies in behaviors may trigger a prompt for further authentication, such as inputting a code sent to another registered device or providing a biometric identifier. Logging in with an unrecognized device may require device registration or confirmation the device can be trusted. Too much deviation from recognized behaviors results in users being shut out of the system or application they’re trying to access.

Identity and access management teams are tasked with dictating how adaptive systems respond based on different risk levels, which are assigned “risk scores.” Reaching a particular risk score triggers the appropriate predetermined action to protect the system from unauthorized access. A hacker attempting to use stolen credentials or a stolen device to infiltrate a network may not be able to gain access even at the most basic level if the adaptive system detects a significant difference in login location or time.
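The risk-score flow described above can be sketched as follows. This is an added example, not code from any product or from the original article: static role rules are checked first, then deviations in device, login time and location raise a score that maps to allow, step-up or deny. Fixed weights stand in for the machine-learning model, and every weight, threshold, name and sample profile is an assumption constructed for illustration.

```python
import math
from dataclasses import dataclass

# Constructed policy: every weight, threshold and profile here is an assumption.
ROLE_RESOURCES = {"analyst": {"reports"}, "admin": {"reports", "iam-console"}}
STEP_UP_AT, DENY_AT = 30, 70  # risk scores that trigger each response

@dataclass
class Profile:              # behavioral baseline kept per user or entity
    role: str
    devices: set            # registered device IDs
    login_hours: range      # normal login hours (local time)
    last_location: tuple    # (lat, lon) of the most recent accepted login

@dataclass
class Attempt:
    user: str
    resource: str
    device: str
    hour: int
    location: tuple

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def risk_score(profile, attempt):
    """Add a weight for each deviation from the stored behavior profile."""
    score, reasons = 0, []
    if attempt.device not in profile.devices:
        score += 30
        reasons.append("unrecognized device")
    if attempt.hour not in profile.login_hours:
        score += 15
        reasons.append("unusual login time")
    km = distance_km(profile.last_location, attempt.location)
    if km > 500:
        score += 40
        reasons.append("far from last login location")
    elif km > 50:
        score += 15
        reasons.append("moderate distance from last login location")
    return score, reasons

def decide(profiles, attempt):
    """Static role rules first, then the behavioral score picks the action."""
    profile = profiles.get(attempt.user)
    if profile is None or attempt.resource not in ROLE_RESOURCES.get(profile.role, set()):
        return "deny", 100, ["blocked by static access policy"]
    score, reasons = risk_score(profile, attempt)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons  # e.g. code sent to a registered device
    return "allow", score, reasons

# Constructed sample profile: one analyst with one registered laptop.
PROFILES = {"alice": Profile("analyst", {"laptop-01"}, range(7, 19), (40.71, -74.01))}

if __name__ == "__main__":
    for a in (Attempt("alice", "reports", "laptop-01", 9, (40.73, -73.99)),
              Attempt("alice", "reports", "phone-77", 10, (40.73, -73.99)),
              Attempt("alice", "reports", "phone-77", 3, (51.51, -0.13)),
              Attempt("alice", "iam-console", "laptop-01", 9, (40.71, -74.01))):
        print(a.device, a.hour, a.resource, "->", decide(PROFILES, a))
```

The returned reasons list is what an IAM team would log alongside each decision, which makes it possible to tune weights when step-up prompts turn out to be false positives.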

Should a hacker successfully enter the system, he or she would need to be able to mimic every behavior of the real owner of the credentials in order for the session to continue. Since attributes like keystroke patterns are nearly impossible to emulate, there’s little chance a malicious third party could do much damage before being locked out.

Why and When Businesses Should Switch

Is adaptive authentication the right solution for every enterprise? Given the amount of data many organizations collect, transfer and store, the need for stronger access security is clear. However, an adaptive approach may be particularly appropriate if:

• Current “one-size-fits-all” authentication methods have become insufficient
• It’s becoming difficult to maintain proper security levels for each user and entity type within the network
• Increased speed and convenience would improve business success
• Poor user experience is impacting efficiency and profitability
• Increasing workflow complexity requires smoother transitions between applications or network environments
• The mobile workforce is growing in size
• Bring-your-own-device policies necessitate more dynamic device authentication protocols

For implementation to succeed, adaptive models must have enough information to form comprehensive user profiles. Too little information can increase incidences of false positives, which has undesirable consequences for both efficiency and user experience and burdens the IT department with superfluous security alerts. A successful adaptive authentication framework utilizes a combination of static access rules and detailed records of user and entity behavior to predict risk levels and automate security responses.

Upgrading to smarter authentication methods is necessary to keep up with the increasing complexity of modern cybersecurity threats. Adaptive authentication provides a flexible option for enterprises seeking scalable access management solutions but should be evaluated for efficacy on an ongoing basis.


Through partnerships between IT professionals and cybersecurity experts, enterprises can implement and deploy adaptive authentication solutions to strengthen existing identity management protocols and protect against emerging threats.

What can businesses, IT teams and cybersecurity professionals learn from some of the biggest breach incidents in 2019? What will identity management look like in 2020? It’s time to kick off the new year by taking stock of the cybersecurity landscape and preparing for new challenges.

Biggest Data Breaches of 2019: A Look Back

Breach incidents increased 33% in 2019 over the previous year to a total of 5,183 events and 7.9 billion exposed records. Sensitive data was a prime target. Hackers homed in on Social Security numbers, passport numbers, bank account information, medical records and similar identifying information.

Many of the largest breaches of 2019 hit well-known companies and social networks, including:

• Facebook and Instagram – Hundreds of millions of passwords compromised when stored as plain text
• Marriott – Up to 383 million guest records
• Zynga, producers of Words with Friends – 218 million player accounts, including email addresses, names and login details
• Capital One – 100 million credit card applications, 140,000 Social Security numbers, 80,000 bank account numbers and additional personal data
• Houzz – 48.9 million customers hacked
• American Medical Collection Agency – Data of over 20 million patients hacked
• Adobe Creative Cloud – 7.5 million customer records exposed in an unsecured database

The sheer magnitude of these breaches highlights the critical importance of securing business data and verifying the security practices of third-party service providers. Performing security audits to identify loopholes and vulnerabilities in complex business networks provides a safeguard against the growing cost of breaches, which has increased 12% over the past five years to $3.92 million per incident.

Identity Management Predictions for a New Decade

As occurrences and costs of breaches rise, businesses must redirect identity and access management efforts to better verify users, not just credentials. IAM in 2020 will require more detailed data collection and a combination of authentication methods to create complete pictures of users, how they access networks and what they do during sessions.

Collecting and storing more data points allows for contextual access control, which mixes strong authenticators like biometrics with other details, including networks, access locations and device types. Taking a contextual approach has the potential to allow businesses to move from single sign-on models to zero sign-on, in which users enter credentials only once and behavioral data is used for continual identity verification.

The shift to ZSO could remove the last bit of friction between users and networks. Current bring-your-own-identity models are convenient but can suffer from security issues if third parties issuing and managing identities fail to do their due diligence in addressing vulnerabilities. As access domains expand, users will require more self-service options, which could create additional security issues unless businesses begin to adopt strategic technology-based authentication methods.

Privileged accounts remain prime targets for hackers and big risks for businesses. Adaptive trust models may provide better access management of users with privileged credentials, as such models are designed to adapt to fluctuating risk levels. By controlling network access using behavioral data, it’s possible to identify unusual behaviors and prevent hackers from infiltrating networks. A hacker using stolen credentials can’t mimic every habit of the real user and will be locked out when behaviors deviate from data on file.

Combining new approaches to IAM with improvements in user and data tracking will allow businesses to locate and fix network vulnerabilities going into 2020 and continue to improve access control as the threat landscape changes.

Cybersecurity in 2020: Predictions and Trends

Cybersecurity experts predict continued changes and challenges in the coming year, including several trends with the potential to significantly impact how businesses and organizations approach security:

• Moving toward more cloud-based software-as-a-service applications will necessitate improved security measures among businesses and providers
• The ongoing threat and increasing sophistication of phishing attacks will require continued monitoring and education to prevent breaches
• Hackers will move from using stolen credentials to hijacking user identities in an attempt to infiltrate systems
• Businesses and organizations will require personalized authentication protocols to support increasingly dynamic cybersecurity needs
• Developers will begin focusing on edge computing applications to expand cloud environments and improve edge device utilization
• Improved controls will be required to prevent smart device and voice assistant hijacking

In light of these predictions, businesses should be prepared to spend more on cybersecurity in the coming year. It’s also likely new user data privacy laws and regulations will be implemented, thus requiring a greater level of diligence and accountability on the part of organizations handling sensitive information.


To kick off 2020 with a strong approach to identity management and cybersecurity, businesses should look for qualified experts with whom to partner and begin addressing vulnerabilities within networks, systems and protocols. By fixing issues with the potential to leave network environments open to attack, companies can move forward and face new cybersecurity challenges with confidence.