How finance regulatory agencies can help the sector mitigate security risks

Resident CISO John Checco discusses critical questions around security, workforce and compliance most pressing for the financial services (FinServ) sector today.

John Checco is an information security professional providing security expertise across various industries. He currently serves as leader of the CISO Advisory Board on Financial Services for Proofpoint and as President Emeritus of the New York Metro InfraGard Members Alliance (an FBI public/private partnership program).

Since the outset of the COVID-19 pandemic, financial institutions have launched a wave of cloud-based initiatives to support employees with remote access. In addition, the way customers interact with institutions is driving those organizations to push forward digitization initiatives for “banking anywhere, mobile everywhere” that allowed them to engage with and retain their customer base during the pandemic.

John Checco, Resident CISO, Financial Services, Proofpoint

Due to the growing need to support a variety of remote users, maintain business resiliency and align with federal compliance, financial institution leaders and regulators must also contend with the heightened security risks that come with such quick changes. In some cases, organizations that eased up on rigid security protocols to accommodate shifts in user demands may find themselves unprepared to build resiliency against both internal and external security threats.

Security blind spots across finance networks

Cyberthreat actors are quickly adopting techniques, tools and procedures to exploit the security blind spots that have resulted from expanding capabilities in the cloud, creating new avenues into the shared networks that financial organizations rely on to conduct daily business. Since 2020, Proofpoint has seen a significant jump in the number of cyberthreat actors targeting the networks we monitor, especially via cloud and supply chain vulnerabilities.

Some of these risks are exacerbated by reliance on legacy transaction systems, which remain in use even though they are fragile, have limited support, and may be infeasible to migrate to the cloud. Because of their aging architectures, the security controls in many of these systems were added over time and were never designed to interact with today’s more modern systems, leaving them more vulnerable to financial fraud and insider threats. Additionally, we are seeing more sophisticated attacks that leverage socially engineered email tactics or credential dumps from prior breaches, leaving employees susceptible to account takeover attempts.

The financial services (FinServ) sector is particularly unique because its institutions span a broad range of financial activities, such as banking, investing and insurance, that rely on an interconnected network of underlying service providers, including an institution’s own competitors. As a result, hackers have more opportunities to insert themselves into the middle of financial transactions and infiltrate a broader network of finance operations.

Security blind spots inside the network

Those concerns — and the risk of insider threats — have grown larger and more acute with the dramatic expansion of remote workers. These could be either negligent users who mistakenly violate policies while trying to do their jobs remotely, or malicious users who wish to profit from or harm the organization.

Finance regulatory agencies will need to play a significant role in how the FinServ sector adapts to new workforce requirements because certain compliance regulations were established based on the assumption that in an office setting there are certain physical and logistical separations. 

While easing regulations during the pandemic allows institutions to continue operating, it unintentionally causes larger issues with security and compliance. As a result, new solutions are needed to help institutions ensure their employees continue to meet compliance standards. For example, during Y2K we saw how easements were lifted to allow organizations to deal with that challenge. But what regulators and institutions discovered later were more widespread cases of non-malicious collusion among firms.

By working to set new compliance standards around zero-trust security practices, the finance sector can implement a series of tools and policies that help mitigate risks across the network. 

For example, multi-factor, risk-based authentication and conditional access across the enterprise can be paired with tools that isolate internal-facing browsers to limit data leakage, much as existing tools isolate external-facing browsers. And modern insider threat management solutions can use user behavior analysis and anomaly detection to go beyond basic triggers such as bandwidth usage and login attempts, adding more advanced detection capabilities that indicate when a security threat needs to be investigated.
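To make the contrast between a basic trigger and behavior-based detection concrete, the following is an added example (not Proofpoint code and not a description of any product). It builds a per-user baseline of countries, devices and active hours from constructed authentication log lines, then scores new successful logins against that baseline. A fixed failed-login threshold is kept alongside so the two approaches can be compared on the same data: a single successful login from a new country, on a new device, at 03:10 never trips the failure counter but deviates from the user's own baseline on three dimensions. The log format, field names and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real telemetry): one authentication event per line.
BASELINE_LOGS = """\
2021-03-01T08:55:00 user=alice result=success country=US device=dev-a1
2021-03-01T09:10:00 user=bob result=success country=US device=dev-b1
2021-03-01T17:40:00 user=alice result=success country=US device=dev-a1
2021-03-02T09:05:00 user=alice result=success country=US device=dev-a2
2021-03-02T18:20:00 user=bob result=success country=US device=dev-b1
""".splitlines()

RECENT_LOGS = """\
2021-03-03T10:00:00 user=alice result=success country=US device=dev-a1
2021-03-03T11:00:00 user=bob result=failure country=US device=dev-b1
2021-03-03T11:00:30 user=bob result=failure country=US device=dev-b1
2021-03-03T11:01:00 user=bob result=success country=US device=dev-b1
2021-03-04T03:10:00 user=alice result=success country=RO device=dev-zz
""".splitlines()


def parse(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def build_baseline(lines):
    """Per-user profile from successful logins: countries, devices, active hours."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue
        p = profile[ev["user"]]
        p["countries"].add(ev["country"])
        p["devices"].add(ev["device"])
        p["hours"].add(ev["time"].hour)
    return profile


def basic_trigger(lines, threshold=5):
    """The classic trigger: users whose failed-login count reaches the threshold."""
    failures = defaultdict(int)
    for ev in map(parse, lines):
        if ev["result"] == "failure":
            failures[ev["user"]] += 1
    return sorted(u for u, n in failures.items() if n >= threshold)


def score_event(ev, profile):
    """Reasons this event deviates from the user's own baseline (empty list = normal)."""
    p = profile.get(ev["user"])
    if p is None:
        return ["unknown_user"]
    reasons = []
    if ev["country"] not in p["countries"]:
        reasons.append("new_country")
    if ev["device"] not in p["devices"]:
        reasons.append("new_device")
    # Assumed working window: observed hours plus one hour of slack on each side.
    lo, hi = min(p["hours"]) - 1, max(p["hours"]) + 1
    if not lo <= ev["time"].hour <= hi:
        reasons.append("off_hours")
    return reasons


def behavioural_alerts(lines, profile, min_reasons=2):
    """Successful logins that deviate from baseline on at least min_reasons dimensions."""
    alerts = []
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue
        reasons = score_event(ev, profile)
        if len(reasons) >= min_reasons:
            alerts.append((ev["user"], ev["time"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    print("failed-login trigger:", basic_trigger(RECENT_LOGS))
    print("behavioural alerts:", behavioural_alerts(RECENT_LOGS, baseline))
```

Requiring two or more deviations before alerting is a deliberate choice: a single new device is routine (a replaced laptop), whereas a new device plus a new country plus an off-hours login is the combination an analyst would want to investigate.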

Adopting a data-informed people-centric security approach

Cybercriminals are getting more organized and sharing information obtained from multiple breaches and known visibility gaps. Consequently, the FinServ sector needs to improve its information sharing practices. While the federal government has been supporting strong collaboration practices across the sector since 2018 under the Analysis and Resiliency Center (ARC), the exponential rate that threat actors are working to compromise networks requires a stronger response from both federal regulators and the industry.

At Proofpoint, we believe that taking a people-centric approach to security can better equip organization leaders with insights on both the cyber attacker and the profile types of employees who are being targeted. This risk-based approach allows for targeted security spending where it makes the most sense.

We work with a global network of customers every day to detect and block advanced threats, leveraging over 8,000 gateways across both public and private organizations to gather information on which entities within a specific sector are being targeted and creating contextual security awareness for our customers.

Our ability to share security data behind the scenes not only gives organizations a better chance to extend visibility into their cyber risk but also to get ahead of, or predict, future threats.

And we can strengthen the security posture of our clients with a variety of other security tools. For example, Domain-based Message Authentication, Reporting and Conformance (DMARC) solutions allow organizations to identify the email domains of their trusted suppliers and set policies for incoming email that block messages from senders that don’t come from an approved IP address or bear the right cryptographic signature. Organizations can also manage access internally with tools like Nexus People Risk Explorer, which alerts security teams when employees may have too much access or are currently being targeted.
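The DMARC check described above is more than "SPF or DKIM passed": the domain that SPF or DKIM vouches for must also align with the visible From: domain, and the supplier's published policy decides what happens on failure. The following added example (not Proofpoint code, and not a full RFC 7489 implementation) shows that evaluation on the receiving side. The DMARC records are constructed stand-ins for DNS TXT lookups at `_dmarc.<domain>`, the organisational-domain rule is simplified to the last two labels (real validators use the public suffix list), and the `pct` and `sp` tags are ignored.

```python
from dataclasses import dataclass


@dataclass
class AuthResult:
    result: str  # "pass", "fail" or "none"
    domain: str  # domain the SPF check (envelope sender) or DKIM signature (d=) vouches for


# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>; not real records.
DMARC_RECORDS = {
    "supplier-a.example": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "supplier-b.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
    "supplier-c.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@supplier-c.example",
}


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=...; adkim=...' into tags; None if not a usable record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Assumption: organisational domain = last two labels (no public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf, dkim, lookup=DMARC_RECORDS.get):
    """Return the DMARC result and the disposition a receiver would apply."""
    # Query the From: domain first, then fall back to its organisational domain.
    txt = lookup(from_domain.lower()) or lookup(org_domain(from_domain))
    record = parse_dmarc_record(txt) if txt else None
    if record is None:
        return {"dmarc": "none", "disposition": "deliver", "reason": "no DMARC policy published"}

    spf_ok = spf.result == "pass" and aligned(spf.domain, from_domain, record["aspf"])
    dkim_ok = dkim.result == "pass" and aligned(dkim.domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "deliver", "reason": "spf" if spf_ok else "dkim"}

    # Neither mechanism passed with alignment: the sender's published policy decides.
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(record["p"], "deliver")
    return {"dmarc": "fail", "disposition": action, "reason": "p=" + record["p"]}


if __name__ == "__main__":
    # A lookalike relay: SPF passes for attacker.example, but that is not the From: domain.
    print(evaluate("supplier-a.example", AuthResult("pass", "attacker.example"), AuthResult("none", "")))
    # A legitimate supplier message signed by the supplier itself.
    print(evaluate("supplier-b.example", AuthResult("pass", "mail.supplier-b.example"), AuthResult("pass", "supplier-b.example")))
```

The second call in the usage block illustrates why alignment mode matters: supplier-b publishes strict SPF alignment, so an SPF pass for `mail.supplier-b.example` does not count, and only the DKIM signature for `supplier-b.example` itself carries the message through.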

Finally, my biggest recommendation to FinServ sector leaders and regulators is to just take a moment and breathe. The pandemic has brought about a lot of challenges that are both in our control and outside our control. But as long as we continue to work openly and collaborate across the industry, the finance sector will be able to come out stronger in the end.

Learn more about how Proofpoint can help protect federal agencies, and their people, against malicious attackers.
