Episode 32: How to Combat Current Cyber Threats
It’s the perfect storm. Cybercriminals have more potential targets than ever, and their tactics keep getting more sophisticated. Meanwhile, consumers are almost numb to the headlines. What can financial institutions do to maintain security? Join us as we talk through the landscape and methods to maintain security with a resident cybersecurity guru.
Laura Sewell (LS): In CSI’s 2022 Banking Priorities Survey, financial executives from across the country named cybersecurity the number one issue most likely to affect the industry this year.
LS: And as digital targets and the sophistication of these attacks expand, consumers are becoming numb to these risks.
SP: We asked CSI’s director of Product Management for Managed Services what he considers the biggest threats to financial institutions in 2022, and he said:
Sean Martin (SM): We’re going to see users for the longer term (maybe even permanently) work from home, and there’s going to be some percent of the population that’s doing that. And that really represents a huge change for where data is, how it’s accessed, where vulnerabilities and risks may be, and where we need to put those security controls around.
LS: I’m Laura Sewell.
SP: I’m Saxon Prater. And you’re listening to Fintech Focus from CSI.
LS: To talk us through this perfect storm and offer his insight into what financial institutions should do about today’s cybersecurity conundrum, we’re talking to Sean Martin, CSI’s director of Product Management for Managed Services. Hey, Sean. Thanks for coming on the show.
SM: Thanks so much for having me, guys.
LS: Sean, in CSI’s 2022 Banking Priorities Report, executives named cybersecurity the issue most likely to affect the financial industry in 2022. But they also rated themselves a 3.8 out of 5 in cybersecurity readiness. Do you think that confidence among institutions is a little too high?
SM: So, that’s a great question and one that, to be honest with you, I don’t think that I’m too surprised to hear that result. So, one of the things that I think we’ve really seen over the last few years is a prioritization of cybersecurity that has really led to an increase in security investment for a lot of organizations.
You kind of alluded to, you know, some of the big headlines that we’ve seen. And we’ve definitely had a lot of those headlines that I think have really garnered the attention for a lot of executives. And I think that a lot of organizations are really starting to better understand the cost associated with successful breaches. And so, I think a lot of organizations are trying to mitigate that risk or that cost, and they’ve made some additional security investment, which I think is great. I think what comes along with that is really a feeling of more confidence in your cybersecurity program. And I think that makes a lot of sense.
Now, where we see some organizations have a challenge is when they may not be aware of all of the risks within their organizations. So, if an organization knows they’ve got certain risks and they’ve implemented some programs or technologies to assess or mitigate that risk, then that’s great. But when an organization may not be aware that they have some risks that maybe have changed more recently, they may not be addressing that. And that’s when that confidence or maybe that overconfidence can really challenge some organizations.
SP: So, it’s kind of like that old proverb, you don’t know what you don’t know. Right? So, speaking of what financial institutions might not know, what would you call the top cybersecurity threat that they should be concerned about?
SM: So, the biggest challenge I see with most organizations right now is the change in their IT infrastructure. And if you really think back over the last couple of years, kind of pre-COVID, if you think about the infrastructure of a lot of organizations, it was much more on-site. Data was contained within their organization. We have controls around that data to prevent access in the way that we would expect that data to be accessed.
But, you know, if you look at the beginning of 2020, a lot of organizations literally overnight went to a work environment where they went from maybe 100% in the office to maybe 100% out of the office. And over time, what we’ve seen is that some of those organizations and some of those employees have started to come back. But more and more, we’re kind of in this hybrid workforce right now.
And we believe that that trend is going to continue where we’re going to see users for the longer term, maybe even permanently work from home. And there’s going to be some percent of the population that’s doing that. That really represents a huge change for where data is, how it’s accessed, where vulnerabilities and risks may be and where we need to put those security controls around.
Another big thing that has really changed the IT infrastructure for a lot of organizations is cloud adoption. So, we see a lot of organizations, you know (again, somewhat related to the pandemic), as we’ve seen voice and collaboration systems start to change.
You know, if you think about pre-pandemic, a lot of organizations had phones at their desk. And if you wanted to make a call, you picked up and dialed a number. And a lot of organizations have moved into things like Microsoft Teams and other collaboration suites where we’re not just talking anymore, but we’re sharing files and collaborating on systems.
And that’s great. There’s a ton of efficiency gain that we can have there. But at the same time, that’s now introducing new risk to organizations that they may not have had before. And so, if they’re not aware of these risks and the potential impact, that’s where we have some cybersecurity concerns.
LS: So, Sean, when we asked how financial institutions plan to respond to cybersecurity threats like what you just spoke about, they answered with recurring vulnerability scanning, routine social engineering exercises, penetration testing and red team exercise. Those were the things that top the list of their planned tactics. Do you agree with these results as being the most important to mitigate risk?
SM: It’s interesting when you look at these results, a lot of that is around identifying vulnerabilities, assessing that and then implementing programs to mitigate those vulnerabilities. And absolutely, you know, I think that that’s very important, especially with things like routine social engineering exercises.
You know, when you think about some of the big risks to organizations, things like ransomware, a lot of the way that you control ransomware is through user education, right? So, if someone gets an email, they click on a link that takes them maybe to a phishing site. And if that phishing site is then able to exploit something on that workstation, maybe that workstation is behind on patches, for example. Then that attack may be successful. That attacker can now inject some code, and now we have a ransomware situation on the network.
So, what I would add to that list is, if you want to say, “What are you doing as an organization to respond to these cybersecurity threats?” I would add basic security hygiene as a critical step. So, it’s things like patching on your workstations to make sure that if a user does click on a link, even inadvertently, we now have some additional security controls around things like ransomware. Things like backups – making sure that you’ve got a successful backup and if you do need to restore because of a ransomware attack or something similar, you have that backup restore capability.
Other items are things like just being aware of what’s going on, so, having some effective way to kind of monitor the security of your network. For example, if you use an externally hosted email system, is it normal for your organization to have successful logins from another country? And if that’s not normal, you definitely want to have the ability to detect when that happens. Those kinds of things, I think are also important to add to that list.
SP: Sean, you mentioned patching. Could you say a little bit more about what that is and how it works?
SM: Yeah, absolutely. You know, one of the things that I think has really improved within our industry is that we’ve got really good cybersecurity controls that help protect our infrastructures for, you know, folks coming in from the Internet. We have firewalls in place. They’re well configured. We have other threat management systems protecting our infrastructure. We’ve also improved what we’ve done as an industry around our critical servers. So, if we have a server within the environment, we have a host intrusion prevention software on there, endpoint detection and response platforms that really harden that server. We also do a really good job of keeping patches up to date on those critical systems.
Where we see some organizations struggle a little bit is just making sure that they’ve got patches in place and that they’re successful on all of the endpoints. And so, if I’m a hacker, for example, and I want to try to infiltrate an organization, what we find is that the endpoints are typically the best place to try to do that because they’re generally the least protected. And back to that scenario I gave before, where if I can, you know, do a phishing attack, I just need one user to click on a link who is not up to date on their patches. And then that causes that system to go out to some other website and then download code to take advantage of a missing patch. And now there’s a vulnerability on that system so that I can inject my ransomware into the organization. From there, that ransomware can start to spread, start to cause all kinds of problems there.
So, the patch management systems are a critical piece. It’s kind of one of those things that, you know, it’s not fun or glamorous to work on. But it’s critical to not only, you know, ensure that you have the patch management system that’s updating all of the patches, but also that you’re aware if there is a failure, you know, to install a patch, getting those pushed out, making sure that all of the systems are within that patch system and so that you can detect when there may be systems that aren’t getting patched. So, things like your remote users. Maybe your patch management system did a great job of patching everything internally. But now that you’ve got some users that are working outside of the network, you know, is it still able to detect how well those systems are being patched, as an example?
LS: This is Fintech Focus. We’re talking with CSI’s Sean Martin about how to secure your financial institution from today’s cybersecurity threats.
SP: All right. So, let’s shift gears and talk compliance since cybersecurity compliance is another hot topic in the space. Why are regulators placing greater emphasis on cybersecurity compliance these days?
SM: I think the short answer here is because it’s very expensive if they don’t. You know, when we think about the cybersecurity regulations and then, you know, what I tend to do nowadays is also lump in cybersecurity insurance carriers. They know that it’s extremely impactful if there is a successful breach.
And, you know, one that we spent a lot of time honestly talking about is ransomware. And I know I’ve kind of got a hit on that already. But if you think about the cost associated with a ransomware attack, where not only are you potentially having to pay a ransom, we also know that during ransomware attacks, a lot of times not only is the data being held hostage, but it’s likely also being exfiltrated out of the network. And now that data is probably for sale somewhere on the black market. And, you know, having that type of exposure from a reputation perspective, just from a monetary perspective and getting your data back is very costly.
There’s just an overall increase in awareness of the impact of successful breaches. And so, it’s, you know, kind of not surprising to see that we’ve got a lot more regulation on that.
LS: You mentioned cybersecurity insurance. Is that a newer concept or has that been around for a while?
SM: So, definitely been around for a while. And what we’ve seen from cybersecurity insurance carriers is that they are aware that if they are insuring an organization who is hit by a successful ransomware attack, it’s going to be expensive for them to potentially pay a ransom to get that data back. And so, a lot of the cybersecurity insurance providers now are requiring some specific technical controls that we had not seen previously.
So, for example, multi-factor authentication for network administrators when accessing email remotely, when making internal… connections to the internal network via a VPN, or logging in to network infrastructure. These are now all areas where cyber insurance carriers are requiring MFA policies to be in effect. And I think that we’re likely to see some expansion here. You know, the carriers are, you know, for themselves trying to reduce risk. And they know by requiring certain security controls that’s going to lower their risk to have to pay for incidents, should they come up.
SP: So back to the compliance side of things, what can financial institutions do to enhance their compliance posture?
SM: So, I think in general, the answer here is going to be a little bit specific to each organization. And to be honest, to some extent, it’s going to be a little bit specific to an individual auditor or examiner. But I think it’s important to ensure that you have an understanding of where your risks are.
You know, so for example, are you using cloud-based systems, whether it’s maybe a server that you are now hosting in a public cloud environment or maybe you’re starting to implement software as a service application and moving some of your critical applications from your premise network into, you know, a cloud network. Do you plan to continue with a hybrid workforce within your organization or are you using things like APIs to enhance some of either what you’re able to deliver to your customers or maybe how you work with certain applications?
This is all going to kind of change your risk posture, and it’s important to understand all those potential risks and have controls in place. And so, when you think about compliance, it’s about having the right controls in place to reduce risk. And that really kind of starts with, are you aware of all of the risks on your network? If you can feel confident in that awareness and understanding of where those risks are, then you can demonstrate that you’ve got the right security controls in place, and that’s going to really improve your performance from a compliance perspective.
LS: On the same token, financial institutions’ customers and members often look to them as a trusted resource not just for financial solutions, but also on cybersecurity education – to serve as another source of tips and tricks on that. How can financial institutions help them in that respect?
SM: That is a great question. And it turns out that a lot of the techniques that successful organizations use to educate their own employees are the same types of techniques and tactics that consumers can use to protect their personal accounts.
A good example of this is something like multi-factor authentication. You know, we’re seeing that and we are encouraging customers to use MFA for their employees whenever they are accessing data within the network. MFA is also something that consumers can use to protect their own accounts when they’re logging in remotely. MFA is something that’s going to prevent, you know, an account compromise where intruders are going to come in and then be able to access some information from a consumer perspective. And then it also turns out that that consumer education, when that’s successful, that’s something that also helps our financial institution customers, because they see fewer incidents of fraud if they are practicing some of those good security hygiene things themselves.
SP: Yeah, that makes total sense to me. Like, your people can be your best defense or your weakest link, depending upon how well informed they are and how prepared they are.
Sean, I was going to ask you, do you have any advice for institutions that may be struggling to get engagement with their consumer cybersecurity training?
SM: Sure. What I would say is do it right now. One of the things that is happening right now (as we’re all aware) is the Russian invasion of Ukraine and all of the headlines that are going on with that. We’re seeing a lot of security headlines associated with that, with potential cybersecurity attacks from Russia, or from other organizations. So, right now is a time when folks are just… you know, cybersecurity awareness is top of mind. Folks want to know what’s going on. Could there be some sort of large-scale attack? People are very open to this type of education, so it’s a great time.
We’ve worked with a lot of customers to help them engage their employees, to make sure that their employees are just aware and following, you know, standard cybersecurity practice. It’s a great time for organizations to reach out to their consumers and remind them of, you know, what their particular financial institution’s policy is, you know, related to things like sending out emails. Will your organization send out links to emails or will you not? Remind consumers that you will not ask them for their username and password and those kinds of things. We find that it does a couple of things: helps protect consumers and the financial institutions and it also just builds awareness and confidence, which leads generally to increased satisfaction.
LS: Very good information. Well, Sean, do you have any final words, final pointers for institutions trying to shore up their cybersecurity defenses?
SM: Yeah, absolutely. I think, number one, just make sure that you have systems in place to really assess and identify your vulnerabilities, your risks that you may have and especially as your IT environment has changed. You may be doing things like vulnerability assessments to identify, you know, potential vulnerabilities on systems; make sure that you’re also including your cloud systems and your remote workforce systems within some of that scanning.
Work with an expert if you don’t have one on staff or just make sure that your folks are just really aware of where all of your data is, how it’s accessed, and how you’re preventing inappropriate access. What are the security controls that you have in place to protect all of your infrastructure?
LS: That’s it for this week’s episode of Fintech Focus. Thanks again to Sean Martin for joining us today, and thanks to all of you for listening.
SP: Check out previous episodes of this show and learn more about what we do at CSI by visiting csiweb.com. You can also subscribe to Fintech Focus wherever you get your podcasts. We’ll be back soon. But until then, say hi to CSI on Twitter @csisolutions or on our Facebook page: facebook.com/csisolutions.
It’s been great talking to you, and we’ll see you next time.