User and Account Security in a Digital-First World
Recent research from State of the CIO found that upgrading IT and data security to reduce corporate risk is the top priority for CIOs in this coming year, as companies invest in digital tools that will make doing business both easier and more secure. At a recent webinar hosted by DocuSign, we discussed some of the security challenges companies, especially those in the financial services sector, face with document and user management.
The webinar also included insights from Thomas Novak, the Vice President and Chief Digital Officer at Visions Federal Credit Union, a $5.6 billion asset credit union based in New York with branches in multiple states. Novak’s team wanted a way of completing digital deals quickly, securely, and efficiently. For instance, how could they make it easy for a customer to quickly digitally complete an auto loan across state lines?
Here are some key takeaways from the webinar.
Doing business digitally presents new security challenges
A number of changes have forced companies to rethink their security and compliance protocols. Externally, customers demand greater convenience, and most of the time, that means going digital and mobile. Internally, with remote and hybrid work models now the norm for many companies, legacy security models don’t know what to do when a company based in California has employees living in Colorado and Montana. And, increasingly, connected processes are open to third parties for data analytics and other purposes.
All of these changes have contributed to increased cybersecurity risk profiles. According to financial regulators:
- 74% of financial institutions faced a significant spike in threats linked to Covid. (Covid Crime Index 2021)
- Consumers lost over $5.8 billion to fraud in 2021, an increase of 70% over the previous year. (FTC)
Unsurprisingly, the financial services sector is a prime target for bad actors.
As Novak noted in his comments:
“Security and compliance are really the bedrock of that trusting relationship we have with our members and their communities. We have to be at the forefront of what our members are expecting, and even what they might not be expecting, while being very good stewards of their data, of their information, of that trusting relationship.”
It’s not just financial institutions that are looking at every aspect of their processes to eliminate security weaknesses. Financial regulators are actively issuing guidance and rules on topics like data incident reporting, authentication and access control, and cybersecurity risk management.
In addition to the changes in industry regulations, US state legislators have proposed over 200 cybersecurity-related bills. Of those enacted, 20 directly address cybersecurity requirements.
In this climate of economic uncertainty, increasing cybersecurity risks, and evolving regulatory requirements, companies need to be able to scale their security operations in a manner that’s efficient, agile, and easy to deploy and maintain.
Four pillars supporting security and compliance
How do you accomplish your transformation to digital-first in a way that’s secure and compliant without sacrificing customer convenience? At DocuSign, we support cybersecurity in four essential ways.
1. Adherence to stringent security standards
Legacy security models aren’t built to meet today’s rigorous security and compliance needs. Modern, digital-first solutions like DocuSign eSignature and Contract Lifecycle Management (CLM) are purpose-built to adhere to the most stringent security and privacy standards, including those of the U.S. and EU.
DocuSign is ISO 27001:2013 certified and compliant with PCI data security standards for handling credit card information as both a service provider and as a merchant. For those doing business with the federal government, DocuSign eSignature and CLM are authorized at the FedRAMP moderate impact level.
These certifications are at the core of forming customer trust and confidence—key assets for institutions of all sizes. “As we go ahead, we continue to build that trust,” said Novak. “We like to earn that trust time and time again, and that gives us the right to go ahead and innovate.”
2. Flexibility with multiple accounts
Companies embracing digital transformation recognize the benefits of having multiple accounts for DocuSign eSignature to work across business uses, departments, and geographies. What they’re also seeing is that, with DocuSign Admin Tools, they can centrally manage their users and accounts effectively at scale, giving them the power to grow with visibility and oversight.
Admin Tools comes in two packages: Access Management and Organization Management. Access Management allows you to use your preferred single sign-on (SSO) provider to align how users log in to your accounts, provides the means to provision new users, and helps you secure your company’s domain. Organization Management allows you to efficiently manage users, streamline account setup and maintenance, and retain control, all while giving you the ability to scale.
A DocuSign administrator at a Fortune 500 company put it this way:
“Organization Management lets me manage my company's DocuSign footprint holistically. It's helped bring sanity to my workday.”
For Novak, Admin Tools gives his organization the strength they need to handle increasing complexity. “When we're managing enterprise systems and enterprise protocols, it's important that that process is very intuitive, and that it can scale and span across a lot of different business lines regardless of their technical expertise. That's really where DocuSign has been extremely handy: their interface is very intuitive.”
3. Identity solutions
Identity verification and compliance with KYC/AML requirements are at an all-time premium, especially when it comes to sensitive documents, contracts, and communications. Email-based authentication is the first line of defense, but there are DocuSign-native solutions that can go even further, including ID document verification: signers can submit photos of their driver’s licenses or other identity documents, including from their phones. Every DocuSign certificate of completion includes a proof of verification.
“In the financial industry, knowledge-based authentication is pretty prevalent, but it doesn't necessarily give us the best way to authenticate and validate a member and who they actually are on top of that,” Novak said. “Tools like ID verification, where somebody can scan their driver’s license, can be a more resilient way to authenticate identity. It also makes it more convenient and allows us to be more thoughtful in our approach.”
4. Detecting and responding to unauthorized internal activity
Along with external threats, companies need the capability to respond to an under-discussed source of data breaches: internal malicious activity. According to the 2022 Verizon Data Breach Investigations Report (DBIR):
- 40% of data breaches were made possible with stolen credentials
- 20% of data breaches were caused by internal actors
- A breach resulting from internal user activity, whether stolen, intentional, or accidental, will on average expose 10 times the records of an external breach.
DocuSign Monitor helps you build as much protection against internal breaches as you do against external ones. Monitor offers:
- Tracking of eSignature and CLM activity across your accounts, with over 20 predefined alerts.
- Notifications to your team of potential threats with rules-based and AI-prioritized alerts.
- Built-in response actions to lock user accounts, secure content, and more.
As more and more customers interact with institutions digitally, keeping their information secure from bad actors becomes ever more crucial. “Over 86% of our overall member interactions here at the credit union are through digital means,” said Novak. “Having a tool like DocuSign Monitor helps to protect the front end of the experience.”
Building a strong cybersecurity framework with DocuSign
If your perspective aligns with Novak’s, the digital transformation is, for you, all about trust: your customers’ trust in you, and the trust you place in your service providers. Working with DocuSign eSignature, Admin Tools, and Monitor, Visions Federal Credit Union was able to achieve a remarkable digital transformation while ensuring continued security for their customers—a business relationship founded on trust and support.
“Digital transformation is really about people,” Novak said. “To us, technology is the tool that helps us meet the ends that our members in our communities are looking to achieve.”
The four pillars outlined above are core to DocuSign’s commitment to providing users a secure and compliant framework for completing, storing, and maintaining their agreements. These best practices are the foundation of our support for security and compliance—and they put people, their wants and needs, at the center.