THE RISK VERSUS REWARD QUESTION AROUND COLLABORATION TOOLS

By Dave Henderson, co-founder BlueFort Security


Financial services organisations are increasingly recognising the importance of digital technologies as a driver for increased profits, regulatory compliance, and enhanced customer experience. As remote and mobile access have become more commonplace, digital technologies, including collaboration tools, have shifted from a ‘nice to have’ to a ‘must have’.

IT security teams within financial services, in particular, work on the understanding that privacy and security must be assured for every user and every piece of their data, not bolted on afterwards. Privacy and security regimes such as GDPR, CCPA and HIPAA exist for good reason, and regulated firms must additionally satisfy the FCA and PRA that they are operating within the strict rules those regulators set.

However, if IT security teams weren’t stretched enough before March 2020, they’ve certainly got their work cut out for them now. A geographically dispersed workforce, with hundreds of computers and devices all operating outside the perimeter controls of the corporate network, has all the hallmarks of a cybersecurity disaster waiting to happen.

For financial services firms, the need to ensure markets are ‘clean’ and free from abuse is paramount. Working from home – which many will still be doing – places an immense burden on IT security teams as they must prove that appropriate controls over inside information and effective information barriers remain in place, regardless of where their teams are working from.

Julia Hoggett, Director of Market Oversight at the FCA, recently spoke out about the “challenges of surveillance driven by our new ways of working and the importance of effective culture to manage those risks”.

No wonder 91% of CISOs say they suffer from moderate or high stress.


Collaboration Application Sprawl

As employees have adopted a wide variety of tools for internal, external and ad hoc communications, many organisations find themselves in the challenging, and risky, situation of collaboration application sprawl. For the most part remote workers have simply been trying to find a quick and easy communication workaround to being physically separated from their colleagues. There was no malice intended.

However, there is a large elephant in the room when it comes to these collaboration platforms. Slack, Microsoft Teams, Zoom and the majority of similar tools are not secure as typically deployed: their default settings favour ease of joining, inviting and sharing over control, and shadow IT apps such as WhatsApp give the enterprise no visibility or control at all. Their sudden and widespread adoption has the potential to be a recipe for security disaster. Even if the legitimate user has no malicious intentions, these platforms are wide open for exploitation by cyber criminals. Earlier this year, Standard Chartered became the first global bank to ban the use of the Zoom video conferencing app and Google Hangouts, as a direct result of these security fears.


But what exactly is at stake here?

If a malicious actor is able to compromise a user account, they inherit everything that account can reach, and in most deployments that includes a route into the company network. Once inside, the potential damage is open-ended. Posing as a trusted employee, the attacker can share malicious documents or links with colleagues who have no reason to distrust them, and use the resulting footholds to move laterally onto other devices. Depending on how the platform is configured and integrated, they may also be able to pivot into file-sharing services such as G Suite or SharePoint to reach sensitive data directly.


Here are some classic collaboration platform cybersecurity mishaps:

  • TeamViewer is collaboration software that provides remote control, desktop sharing, online meetings and file transfer. A couple of years ago, the vendor had to issue an emergency patch for a bug that could have let attackers take control of users’ machines during desktop-sharing sessions. A separate social-engineering campaign last year used an illegitimate copy of the software to trick users into handing over access to their computers.
  • More recently, Abnormal Security researchers highlighted a multi-pronged Microsoft Teams impersonation attack in which attackers mimicked genuine Teams notifications to harvest employee credentials. Using newly registered domains and multiple URL redirects, these attacks showed a level of sophistication well beyond that of standard phishing campaigns.
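The second item above describes the two traits an analyst can actually act on: the link bounces through several redirects, and the domains along the way imitate Microsoft branding without being Microsoft’s. The following is an added example of that triage logic, not code from the article, from Abnormal Security or from Microsoft. It walks a constructed, offline redirect chain (a dict standing in for the HTTP 3xx Location headers a real client would follow), and the trusted-suffix list, brand tokens and hop limit are illustrative assumptions a firm would tune for itself.

```python
"""Triage a link from a suspected Microsoft Teams notification phish.

Added example, not from the original article or from Microsoft or any
vendor. It walks an offline, constructed redirect chain (a dict standing
in for HTTP 3xx Location headers) instead of making network requests; the
trusted-suffix list, brand tokens and hop limit are illustrative assumptions.
"""
from urllib.parse import urlparse

# Assumption: hosts a genuine Teams notification may legitimately link to.
TRUSTED_SUFFIXES = ("teams.microsoft.com", "login.microsoftonline.com", "microsoft.com")
# Assumption: brand words that should only ever appear under a trusted suffix.
BRAND_TOKENS = ("microsoft", "teams", "office365", "sharepoint")
# Assumption: a genuine notification link resolves without bouncing through
# intermediaries, so more than one redirect is itself a signal.
MAX_HOPS = 1

# Constructed redirect chain: URL -> Location header, None = final page.
CONSTRUCTED_CHAIN = {
    "https://notify.teams-alerts-portal.example/r/9f3": "https://short.example/go?u=2",
    "https://short.example/go?u=2": "https://login.microsoft0nline-secure.example/",
    "https://login.microsoft0nline-secure.example/": None,
}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def looks_like_brand(host):
    """Brand word present on a host that is not under a trusted suffix.
    Common digit-for-letter swaps (0 for o, 1 for l) are normalised first."""
    normalised = host.replace("0", "o").replace("1", "l")
    return (not is_trusted(host)) and any(t in normalised for t in BRAND_TOKENS)


def follow(url, chain):
    """Walk the offline chain; returns (intermediate_urls, final_url).
    Stops on a loop so a cyclic chain cannot hang the check."""
    hops, seen = [], set()
    while url in chain and chain[url] is not None and url not in seen:
        seen.add(url)
        hops.append(url)
        url = chain[url]
    return hops, url


def triage(url, chain):
    """Return a verdict plus the reasons, so an analyst can see why."""
    hops, final = follow(url, chain)
    reasons = []
    if len(hops) > MAX_HOPS:
        reasons.append(f"{len(hops)} redirects before landing page")
    for u in hops + [final]:
        h = host_of(u)
        if looks_like_brand(h):
            reasons.append(f"brand lookalike host: {h}")
    if not is_trusted(host_of(final)):
        reasons.append(f"landing host not trusted: {host_of(final)}")
    return {
        "final": final,
        "hops": len(hops),
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


if __name__ == "__main__":
    print(triage("https://notify.teams-alerts-portal.example/r/9f3", CONSTRUCTED_CHAIN))
    print(triage("https://teams.microsoft.com/l/message/abc", {}))
```

In production the chain would come from following the link in a sandboxed fetcher rather than from a dict, and domain age (the “newly registered” signal) would be added from WHOIS or passive DNS; the point here is that the decision is explainable, listing each redirect and lookalike host rather than returning a bare score.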

Another significant security gap with these collaboration platforms is that legacy security and data loss prevention (DLP) tools, put in place years ago to police on-site collaboration and work environments, are simply ineffective now that Google, Slack and Dropbox are part of the daily modus operandi. A key reason is that the collaboration apps themselves expose few granular controls, so enterprises can only do so much natively to restrict how they are used.

Also, because of the informal nature of the chat function in these platforms, the line between what is appropriate to discuss and what is not can become blurred, and conversations stray into sensitive data. The potential fallout from this could be just as damaging to a company as the fallout from a successful phishing attack.


Minimise the risk, focus on the reward 

Clearly employee training is an important and ongoing priority. But for financial services firms, where trust lies at the heart of everything, the focus has to be on protecting the data itself. That means that as organisations allow sensitive information to move off premises and into new collaboration platforms, they must ensure that employees are using and securing that data properly. As noted earlier, regimes such as GDPR, CCPA and HIPAA exist for good reason.

Strong data loss prevention (DLP) policies, combined with a Cloud Access Security Broker (CASB) and Secure Web Gateway (SWG), will be ‘must have’ tools of the trade for any financial services organisation that is embracing digital technologies. Together they provide visibility into collaboration tool usage across the organisation – at user, device and activity level – as well as the ability to enforce granular security policies, for example on files or messages containing sensitive or restricted data. These tools complement rather than replace the platforms’ own administrative controls on guest access, external sharing and retention, which should be locked down first.
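To make “granular security policies on messages containing sensitive or restricted data” concrete, here is an added example of the kind of rule a DLP or CASB layer applies to chat traffic. It is not code from the article or from any DLP, CASB or collaboration product. The channel inventory, the scope mapping, the information-barrier channel list and the constructed sample messages are all illustrative assumptions; the detectors are a Luhn-validated card number check, a UK sort code and account number pattern, and a classification label, and the policy distinguishes data leaving the firm from data crossing an internal information barrier.

```python
"""Minimal DLP policy for chat messages in a collaboration platform.

Added example, not code from the article or from any DLP, CASB or
collaboration product. Channel inventory, scope mapping and rules are
illustrative assumptions; the sample messages are constructed.
"""
import re

# Assumption: channel inventory with scope (external = shared with third parties).
CHANNEL_SCOPE = {
    "deal-team-falcon": "internal",
    "general": "internal",
    "ext-vendor-shared": "external",
}
# Assumption: the only channels where labelled inside information may be posted
# (the information barrier the text refers to).
INSIDE_INFO_CHANNELS = {"deal-team-falcon"}

# 13-19 digits with optional space/hyphen separators, not part of a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# UK sort code plus 8-digit account number
UK_BANK_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b")
# Classification labels applied by users or by the platform
LABEL_RE = re.compile(r"\[(RESTRICTED|INSIDE INFORMATION)\]", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check: filters card-number-shaped strings that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, matched_text) pairs for every detector that fires."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("PAN", m.group()))
    for m in UK_BANK_RE.finditer(text):
        findings.append(("BANK_ACCOUNT", m.group()))
    for m in LABEL_RE.finditer(text):
        findings.append(("LABEL", m.group(1).upper()))
    return findings


def mask(text, findings):
    """Keep only the last four digits of each financial identifier."""
    for kind, value in findings:
        if kind in ("PAN", "BANK_ACCOUNT"):
            last4 = re.sub(r"\D", "", value)[-4:]
            text = text.replace(value, "****" + last4)
    return text


def decide(channel, text):
    """Policy: block anything sensitive leaving the firm or crossing an
    information barrier; redact financial identifiers posted internally."""
    scope = CHANNEL_SCOPE.get(channel, "external")  # unknown channel: assume external
    findings = find_sensitive(text)
    kinds = {k for k, _ in findings}
    if not findings:
        return {"action": "allow", "text": text, "findings": findings}
    if scope == "external":
        return {"action": "block", "text": None, "findings": findings}
    if "LABEL" in kinds and channel not in INSIDE_INFO_CHANNELS:
        return {"action": "block", "text": None, "findings": findings}
    if kinds & {"PAN", "BANK_ACCOUNT"}:
        return {"action": "redact", "text": mask(text, findings), "findings": findings}
    return {"action": "allow", "text": text, "findings": findings}


# Constructed sample traffic: (channel, message)
SAMPLES = [
    ("ext-vendor-shared", "Card on file is 4111 1111 1111 1111, please charge it"),
    ("deal-team-falcon", "Use ref 1234 5678 9012 3456 on the invoice"),
    ("general", "[INSIDE INFORMATION] Project Falcon signs Friday"),
    ("general", "Refund to 20-00-00 12345678 please"),
]

if __name__ == "__main__":
    for channel, msg in SAMPLES:
        print(channel, decide(channel, msg))
```

Two design points matter more than the regexes. First, the Luhn check is what keeps the rule usable: a 16-digit invoice reference that fails the checksum is allowed through, so users are not trained to ignore the control. Second, the decision depends on where the message is going, not just what it contains: the same card number is blocked in a channel shared with a vendor and merely masked in an internal one, and a labelled piece of inside information is blocked anywhere outside the deal team’s own channel. Pattern matching on text will not catch a screenshot or a file attachment, which is where the CASB’s file inspection and the platform’s sharing controls have to take over.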

As we start to look ahead to next year, the only certainty for security teams is that 2021 will continue to be full of uncertainties. With the ‘work from home’ model now likely to be the norm rather than the exception, IT security teams could face their toughest year to date.

Financial services firms are subject to especially stringent controls – and quite rightly so. When new communication tools are introduced, there is an expectation that firms will update their policies, refresh their training and put in place rigorous oversight reflecting the new environment. For example, policies should prevent the use of privately owned devices where recording is not possible. Ultimately, there is real risk around collaboration platforms – but when robust cybersecurity policies and tools are deployed, and enforced, the rewards win out every time.
