Know your customer, know your business
While much effort is placed on the vetting and verification of the identities of customers transacting with organisations, far less concern is given to the more crucial issue of securing the identities of those transacting internally.
When it comes to the process of customer onboarding, the retail side of business has been relatively well sorted out, thanks to a number of innovations in identity verification using fingerprint and facial biometrics as part of a digital "know your customer" (eKYC) onboarding process.
However, applying this idea of "know your customer" (KYC) in the corporate space, for employees, contractors, partners and customers accessing corporate systems and networks, is where the challenges become more complex; indeed, they have not yet been fully resolved. This is because onboarding in the enterprise world has traditionally been, and still is, very manual, complex and cluttered.
The term "know your business" (KYB) refers to the challenges associated with enterprise onboarding and the management of corporate networks and systems. These challenges are multiple and include issues related to working with manual, paper-laden processes and the difficulties created by having silos of disparate systems, networks, databases and sanction lists that the IT team has to try to manage. Furthermore, the fact that checks against money laundering need to be undertaken in cases of financial transactions within the business ecosystem, at every stage of the transaction, can negatively affect the enterprise customer experience.
It is with the movement of identities across every business transaction and operations process within the ecosystem of the enterprise that the real challenge arises. If you are unable to track these properly, you will be unable to attain the levels of visibility, transparency and accountability required for the business in order to minimise cyber risks.
Artificial intelligence (AI) is often used to track what identities are doing across the value chain, how they are transacting and whether they are confining themselves to the areas of the business they are supposed to.
The problem that AI cannot solve, however, is that unless you are able to confirm that the physical person behind the electronic identity is who they claim to be, you may find yourself tracking the behaviour of the wrong person entirely. A fraudster with a vetted identity still remains a fraudster.
AI is often viewed as the answer to everything, but unless the data set that it uses as its base is clean from the outset, identity management using this technology will be little more than a case of "garbage in, garbage out". This is why it is critical that companies ensure the identities within the business are clean from the outset. After all, it is worth remembering that a large percentage of security breaches are caused by dormant identities being hijacked. An example of such a dormant identity could be that of a contractor who was onboarded but never taken off the system when their contract finished.
The key, then, is to remove these dormant identities from the system, while securing existing ones by tying individuals to their electronic identities in order to ensure that they are who they say they are. This should then be enforced through the implementation of the relevant business processes.
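One way to find the dormant identities described above is a periodic audit of the identity store. The sketch below is an added example, not code from the article; the record fields, reason codes and the 90-day idle threshold are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Identity:
    user: str
    kind: str                      # "employee", "contractor", "vendor"
    enabled: bool
    contract_end: Optional[date]   # None = open-ended engagement
    last_login: Optional[date]     # None = account never used


def audit(identities, today, max_idle_days=90):
    """Map each enabled account to the reasons it should be reviewed.

    max_idle_days is an assumed threshold; set it from your own policy.
    """
    findings = {}
    for ident in identities:
        if not ident.enabled:
            continue  # already off-boarded
        reasons = []
        if ident.contract_end and ident.contract_end < today:
            reasons.append("contract_expired")
            # Activity after the end date suggests the identity is being reused.
            if ident.last_login and ident.last_login > ident.contract_end:
                reasons.append("used_after_contract_end")
        if ident.last_login is None:
            reasons.append("never_used")
        elif (today - ident.last_login).days > max_idle_days:
            reasons.append("idle")
        if reasons:
            findings[ident.user] = reasons
    return findings


# Constructed sample records, not real data.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Identity("alice", "employee", True, None, date(2024, 5, 30)),
    Identity("bob.contractor", "contractor", True, date(2023, 12, 31), date(2023, 12, 20)),
    Identity("carol.vendor", "vendor", True, date(2024, 3, 31), date(2024, 5, 28)),
    Identity("dave", "contractor", False, date(2023, 6, 30), date(2023, 6, 1)),
    Identity("erin", "employee", True, None, None),
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE, TODAY).items():
        print(user, ", ".join(reasons))
```

An enabled account flagged as used after its contract end date deserves the fastest response, since it is both dormant on paper and active in practice.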
Only when you are able to track an identity across all processes is it worth implementing AI in order to study behavioural changes.
Multi-factor authentication (MFA) can be used when authenticating identities, and the number of factors utilised can change dynamically, according to the business process guiding it. For example, a username and password combination may be enough to send an e-mail, but if someone wants to access critical corporate information, the process may require their fingerprint, a retina scan and a geo-location tag from their cellphone before allowing them access.
Using multiple methods of authentication means you are always assured that the individual behind the digital identity is the correct person and, just as crucially, remains the same person throughout the process.
What is clear from the above is that although the main focus from a security perspective has been that of KYC for digital customer onboarding, to ensure fraud doesn't occur in this space, it is at least as important, if not even more so, to undertake an effective identity management process for your internal employees, as well as your suppliers, vendors and contractors.
Ultimately, you need to consider your entire business ecosystem on an end-to-end basis, so that you can use automation to eliminate manual processes that can create security holes, such as when onboarding and off-boarding suppliers and contractors. By automating such processes, you will significantly reduce the possibility of old identities still floating around on your system, which can be stolen by cyber criminals.
If you are still using manual processes, you cannot fully trust the identities in the system, and if there are any disparities with regard to the identities in your supplier and contracting environment, your business is being placed at high risk. This is why your identity management system ultimately needs to span all your company's back-end engagement systems, including order management, supply chain management and financial systems.
The real challenge for enterprises is the fact that currently so much emphasis is being placed on security around the KYC aspect, despite the fact that KYB is quite possibly even more critical. After all, it is worth remembering that security related to KYC might well protect your organisation's front door, but unless you have done the same with regard to KYB, you will effectively have left the back door and the windows wide open.