Basic data security isn’t rocket science, even for heavily regulated financial services providers and vendors, say two Minneapolis-based information security experts. IT teams and operations managers can dramatically improve threat readiness simply by following basic information security protocols to the letter.
That means using difficult-to-crack authentication tokens instead of passwords, eliminating or strictly controlling administrator privileges, maintaining and promptly updating security patches, installing anti-malware on every device in your digital ecosystem, and continuously monitoring your servers and networks for threats.
“Do these things well and you’ve removed 90 percent of your surface area of risk,” said Jason Witty, senior vice president and chief information security officer at U.S. Bank.
That’s not the end of the information security story, of course. This is an arms race; white hat security experts can barely keep pace with multiplying, metastasizing digital threats spread by black hat opportunistic lone wolves, organized crime outfits and military intelligence.
Last May, the WannaCry ransomware cryptoworm infected more than 200,000 machines across the world, likely at the North Korean regime’s initiation, temporarily bringing the U.K.’s National Health Service to its knees. Lower-profile attacks succeed daily, often by exploiting the very traits that make us human. So, Witty tells finance decision-makers to address four additional security domains: designating a point person for information security; keeping management and IT staff up to speed on threats; educating end-users about day-to-day data hygiene; and “war-gaming” incident response with senior management.
Information security action items
Financial services providers and vendors are subject to a slew of overlapping data regulations: the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, Dodd-Frank Act, Payment Card Industry Data Security Standard. Executives unsure which regulations apply to their companies can start with the SANS Institute’s “Understanding Security Regulations in the Financial Services Industry,” a plain-English document.
After ascertaining applicable regulations, financial firms need to designate a high-level employee accountable for data security. This person is responsible for implementing and refining threat prevention and response initiatives across the entire organization. Depending on the circumstances, they may be the chief technology officer, chief information security officer, or — in cozier companies — a director-level security specialist.
“What matters isn’t the title — it’s that the buck stops with someone,” said Witty.
Every information security officer needs a road map. Enter the National Institute of Standards and Technology Cybersecurity Framework, a ready-made digital security template designed by a U.S. Commerce Department sub-agency.
The NIST framework encompasses five core functions: identify, protect, detect, respond, recover. Each function breaks down into categories and subcategories corresponding to specific security outcomes. Users assess their information security practices on a four-tier continuum, ranging from ad hoc tier 1 (“partial”) to hardened tier 4 (“adaptive”).
NIST’s standards were initially created for federal agencies, but they’re easily adapted to the market economy.
“A small business owner could go to NIST and choose whatever standards they need to run their enterprise with limited modification,” said Britt Lindley, vice president and chief information security officer at Thrivent Financial. NIST standards are particularly useful for smaller financial services vendors that lack large in-house IT teams, he added. All financial services providers use risk-based assessment tools to evaluate vendor relationships; they’re reassured by vendors that demonstrate consistent adherence to reproducible security frameworks.
External communication is key, too. The Financial Services Information Sharing and Analysis Center, or FS-ISAC, allows member companies to report and synthesize threat intelligence in near-real-time. FS-ISAC’s global reach means members receive threat reports faster than the threats themselves spread — letting members take defensive action against rapidly spreading attacks like WannaCry, or lower-profile risks like phishing emails.
As a peer group, FS-ISAC requires competitors to share data, some of it embarrassing. Executives accustomed to holding sensitive information close to the vest may be reticent to open up, even when the threat is clear. Witty reminds fence-sitters, gently, that information flows both ways.
“If you help others, they’ll help you. If you don’t, they generally won’t,” he said.
‘A new type of weather every quarter’
Even full-time data security experts like Lindley and Witty struggle to keep pace with the ever-evolving digital threat landscape.
“As CISOs, our job is to predict the weather, but that’s challenging when we encounter an entirely new type of weather every quarter,” said Witty.
This quarter, the top-of-mind threat for financial services providers and vendors is crypto-ransomware, like WannaCry. Crypto-ransomware attacks are easy and cheap for black hats to execute, said Witty. In a typical attack, the malware encrypts the files on the user’s machine, locking the user out, and demands ransom in untraceable cryptocurrency. Without a clean backup, the user is effectively locked out until they pay.
As technical (non-human) information security controls grow stronger and more redundant, said Witty, black hats are increasingly focused on end users. That’s precipitating another looming threat: whalephishing, wherein black hats use spoofed C-level email addresses to extract credentials or money from subordinates. An email purporting to originate with the bank’s CFO might ask a junior accounting staffer to wire a sizable sum out of the firm’s general account, with believable touches like “I’ve just spoken about this with Jim, the CEO,” thrown in for good measure.
“When you get an email from the boss, your natural inclination is to act on it,” said Lindley.
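The executive-impersonation pattern described above can be screened for at the mail gateway with a few header checks. The following is an added illustration, not code from the article or from either bank; the corporate domain, executive directory and sample messages are constructed placeholders.

```python
# Added example (not from the article): flag inbound mail that impersonates an
# executive, the "whalephishing" pattern described above. Domain, directory
# entries and sample messages are constructed placeholders, not real identifiers.
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-bank.test"                          # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example-bank.test",    # assumed directory entries
              "jim roe": "jim.roe@example-bank.test"}

def impersonation_flags(raw_message: str) -> list[str]:
    """Return reasons a message looks like executive impersonation (empty = clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []
    known = EXECUTIVES.get(name.strip().lower())
    # 1. Display name of a known executive, but not that executive's directory address.
    if known and addr != known:
        flags.append("executive display name with foreign address")
    # 2. Replies are silently redirected to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower().rpartition("@")[2] != domain:
        flags.append("reply-to domain differs from sender domain")
    # 3. Sender domain is one character away from the corporate domain (lookalike).
    if domain != CORP_DOMAIN and _one_edit_apart(domain, CORP_DOMAIN):
        flags.append("lookalike sender domain")
    return flags

def _one_edit_apart(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

# Constructed samples: a spoofed CFO request from a free-mail account, a lookalike
# domain, and a legitimate internal message.
SPOOFED = ("From: Jane Doe <jane.doe.cfo@freemail.test>\r\nSubject: Urgent wire\r\n\r\n"
           "I've just spoken about this with Jim, the CEO.\r\n")
LOOKALIKE = "From: Jane Doe <jane.doe@examp1e-bank.test>\r\nReply-To: ops@freemail.test\r\n\r\nHi\r\n"
LEGIT = "From: Jane Doe <jane.doe@example-bank.test>\r\nSubject: Q3 report\r\n\r\nAttached.\r\n"
```

A gateway would quarantine or banner-tag anything that returns a non-empty list rather than rejecting it outright, since directory data and display names drift.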
That financial services providers’ and vendors’ greatest resource — human employees — is also their greatest information security liability is at once disconcerting and reassuring. After all, humans might be fallible, but they learn better than algorithms and firewalls.