New research report finds most financial organizations have experienced a breach due to an authentication weakness, yet only a third took action
HYPR, The Passwordless Company, and Vanson Bourne have released a new report that reveals the financial sector is failing to combat the biggest threat in cybersecurity – compromised credentials. Findings show that 80% of financial service organizations experienced at least one cyber breach in the past 12 months related to a weakness in authentication, yet only one-third of organizations changed their authentication methods following the breach, leaving a significant number highly exposed to future attacks and breaches. The State of Authentication in the Finance Industry report also shows there is a recognized solution to combat such attacks, with a resounding 89% stating that passwordless authentication is needed to reach the highest levels of security.
The report, which shares insights from 500 IT security decision-makers in the financial sector, represents a cross-section of small and medium businesses and enterprise companies spanning the U.S., U.K., France and Germany. Findings uncover the burden that current authentication practices are placing on financial organizations globally, specifically the high-risk cracks in security, strain on budgets and overall operational disruption. More importantly, the results identify the discrepancies between “perceived” and “actual” authentication security.
Over the last 12 months, an alarming 85% of surveyed organizations faced a cyber breach; more startlingly, nearly three quarters (72%) experienced multiple breaches in the same timeframe – driving the annual average to a staggering 3.4 breaches per year. Remarkably, 90% of these victims still believe their current authentication approach is secure, despite data proving otherwise. Of these attacks:
- 36% reported phishing as the most prevalent type of attack, followed closely by malware and credential stuffing, equally at 31%, and push notification attacks at 29%.
- The annual average direct cost of authentication-related cyber breaches was $2.19 million, not factoring in intangible and hidden costs.
- Nearly one third lost customers to their competitors and experienced a loss of employee (29%) and customer data (26%) in the aftermath of the breach.
“The finance industry is at the forefront of cybersecurity. As one of the most targeted sectors for attack, financial services companies have an impressive track record of adopting new, innovative defense technologies to deliver the protection that clients need,” said David Reilly, Security and Financial Services Strategic Advisor and former CIO and CTO for Bank of America. “While improvements in perimeter, network and behavioral analytics have advanced, authentication security has not moved at the same pace. We now have the opportunity to make a step-function change and improve authentication security by removing the risk of static passwords and credentials which can be learned and leveraged by attackers. Eliminating the static password risk is the strategic path forward.”
Financial Organizations Have a False Sense of Security Regarding Multi-Factor Authentication
The financial sector is the most highly targeted industry for cyberattacks, and the most forward-thinking and progressive with technology adoption. Despite that, a substantial proportion of respondents (32%) admit that their employees are using legacy authentication methods such as SMS and OTPs, and close to one-quarter (22%) use usernames and passwords only. The report findings spotlight a disconnect as 84% feel that traditional MFA provides complete security and at the same time, 99% agree that their current authentication methods are inadequate.
“The Financial Services industry, like many others, is facing a paradox. Data shows that traditional authentication methods are perceived to be effective but the data also clearly shows that these methods don’t provide enough protection, leaving organizations exposed to unacceptable risk. At the same time, the scale of attacks and malicious strike techniques are rapidly growing, widening this vulnerability gap,” says Bojan Simic, co-founder, CEO and CTO of HYPR. “Ongoing guidance and mandates from government bodies such as CISA are a critical step forward in raising the red flag and calling for immediate action for stronger controls. Passwordless MFA is the gold standard and must be the foundation of all security strategies – the data speaks for itself.”
Benefits of Passwordless Authentication Are Known with Improved User Experience and Security Leading The Way
89% of financial organizations understand that passwordless authentication is needed both to achieve the highest level of authentication security and to ensure user satisfaction. Nine out of ten also agree that the cost benefits are a dominant factor for passwordless adoption. Factors such as password fatigue, impacts to productivity and help desk costs are major adoption drivers. Additionally, respondents named meeting cyber insurance requirements (31%), improving supply chain security (31%) and supporting Zero Trust initiatives (27%) as benefits of passwordless authentication.