Blog

Remote Work Security and Document Protection in Banking: What’s Next?

Which industries have the highest potential for remote work? Finance and insurance, says McKinsey & Company. There’s a catch, however. How can organizations realize this potential without compromising data security and privacy? 

*

The consultancy found that three-quarters of activities in these sectors can be done remotely without a loss of productivity. Information security wasn’t part of the study. So what are the implications from a data protection perspective?

That’s where things get dicey. The forced rush into hybrid and remote work arrangements and the sorry state of remote work security have bank CISOs and compliance officers on edge. Some – mostly larger – financial institutions have mastered the transformation more effectively than others. What’s their secret? 

Before we answer that question, let’s first take a quick step back in time. In 2015, a Morgan Stanley insider downloaded confidential information on 730,000 of the investment bank’s wealth management clients to his personal laptop and posted a sample for sale online. Back then, it could have served as a wake-up call.

Today, it almost seems like quaint history, because not many heeded that call. The shift to Work-from-Home (WFH) due to COVID-19 has taken the insider threat to unstructured data to a whole new level.

Battlezone home office: Data protection reset required?

As a result, insiders – often working remotely – now account for more than 50 % of data breaches in the financial sector, according to security research. Several terabytes of sensitive data have been ransacked or leaked from more banks and financial services or law firms since that 2015 data breach. Think Pandora Papers, the confidential documents including supposedly secure PDF files, images, emails, and spreadsheets from 14 financial service companies offshore. 

Bank CISOs and compliance officers we talk to are more worried than ever about the lack of visibility and loss of control over sensitive proprietary data when employees are working from home. 

Or take Jeremy Baumruk, who heads up Professional Services at Xamin. His company manages IT security for more than 50 U.S. banks. In early 2020, he told the American Bankers Association’s Banking Journal: “When an employee is using their own computer, IT has almost no control.”

18 months later, research shows: that warning about remote work security still stands. Industry experts point to misconfigured VPNs, insufficiently secured home WiFi networks, unmanaged personal devices, personal cloud storage services, and unmonitored home office printers.

Remote Work Security - infographic excerpt

Source: Tessian (Infographic)

Remote work hasn’t only exacerbated the insider risks posed by negligence or disgruntled employees. Cybercriminals on the outside have taken notice, too. They wage automated campaigns that increase the pressure on banks to take decisive countermeasures. 

Many recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention tools (DLP), firewalls, endpoint protection – cannot ensure adequate protection. Recent threat reports confirm: attackers are busy exploiting the remote work blindspots and endpoint vulnerabilities to the fullest.

 

Document theft-as-a-service: Search. Scoop up. Siphon off.

As a result, credit unions, investment banks, and mortgage lenders, and their remote workers, are bearing the brunt of automated ransomware campaigns right now. In the first half of this year alone, banks experienced a 1,318% year-over-year increase in ransomware attacks, reports cybersecurity firm TrendMicro in its 2021 Midyear Security Roundup.

What does this have to do with document protection? There’s a direct and significant connection. New ransomware variants don’t merely encrypt the victim’s business-critical data and demand a ransom for unlocking it. The latest exploit kits are also optimized for data exfiltration.

In other words, they are designed to search for, scoop up, and siphon off sensitive information, which is then used for more elaborate extortion schemes. Only last week, the FBI sent out this Private Industry Notification [PDF]. It describes how perpetrators specifically target confidential documents about planned mergers and acquisitions, to release them on the internet if the victim doesn’t pay up.

So why have some financial institutions been less impacted than others by data leaks and theft during their shift to remote work? 

Identify, protect, control  – with Enterprise DRM

One answer is that they didn’t bide their time until the next data breach. Instead, more banks launched a “digital transformation” that some say is long overdue for the industry as a whole. One pillar of their strategy is shifting to a data-centric security model, enabling them to protect their data at rest, in use, and in transit.

Bank CISOs recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention (DLP), firewalls, endpoint protection – cannot ensure adequate protection anymore.

Instead, they leverage Enterprise Digital Rights Management solutions such as Fasoo to identify, encrypt, and oversee the access to unstructured data at the file level. This way, sensitive documents remain protected against unauthorized access if leaked or exfiltrated, no matter how that happens.

The Fasoo Enterprise DRM framework follows a three-way approach to ensure gapless document protection and remote work security:

    • Identify: Fasoo automatically identifies data worth protecting, from legacy repositories to newly created documents, which are secured at the point of creation. Unlike DLP, which is limited to tagging such information for protection within the organization’s IT perimeter, Fasoo sets the foundation for protecting and controlling confidential data anywhere, on any device.

 

    • Protect: Enterprise DRM provides an additional layer of security by combining FIPS 140-2 validated encryption and access control. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).

 

    • Control: Fasoo enables banks to assert control over their confidential data through the entire document lifecycle, based on flexible and people-friendly central policy management.

 

Boost for remote work security and productivity in banking

This control transcends the digital domain. Fasoo’s printer-agnostic secure print capabilities (Fasoo Smart Print), for example, enable organizations to apply print protection and watermarks for plain and DRM-secured documents alike. Its screen security component (Fasoo Smart Screen) applies screen watermarks to applications and URLs to block screen capture attempts of sensitive data and monitors all screen capture attempts.

“Enterprise DRM is working great for us,” says the CISO of an S&P Top 100 global bank, a Fasoo customer. “It gives us a quick at-a-glance look at all our sensitive data and enables us to assert control wherever it goes.”

Would you like to learn more about how organizations in the financial sector, from community banks to global financial institutions, leverage Enterprise DRM to secure their digital transformation?

Connect with our industry experts here. 

###

Book a meeting