
Which industries have the highest potential for remote work? Finance and insurance, says McKinsey & Company. There’s a catch, however. How can organizations realize this potential without compromising data security and privacy? 


The consultancy found that three-quarters of activities in these sectors can be done remotely without a loss of productivity. Information security wasn’t part of the study. So what are the implications from a data protection perspective?

That’s where things get dicey. The forced rush into hybrid and remote work arrangements and the sorry state of remote work security have bank CISOs and compliance officers on edge. Some – mostly larger – financial institutions have mastered the transformation more effectively than others. What’s their secret? 

Before we answer that question, let’s first take a quick step back in time. In 2015, a Morgan Stanley insider downloaded confidential information on some 730,000 of the investment bank’s wealth management client accounts to his personal laptop and posted a sample for sale online. Back then, it could have served as a wake-up call.

Today, it almost seems like quaint history, because not many heeded that call. The shift to Work-from-Home (WFH) due to COVID-19 has taken the insider threat to unstructured data to a whole new level.

Battlezone home office: Data protection reset required?

As a result, insiders – often working remotely – now account for more than 50% of data breaches in the financial sector, according to security research. Since that 2015 breach, terabytes of sensitive data have been exfiltrated or leaked from banks, financial services firms, and law firms. Think of the Pandora Papers: millions of confidential documents, among them PDF files, images, emails, and spreadsheets, taken from 14 offshore financial service providers. 

Bank CISOs and compliance officers we talk to are more worried than ever about the lack of visibility and loss of control over sensitive proprietary data when employees are working from home. 

Or take Jeremy Baumruk, who heads up Professional Services at Xamin. His company manages IT security for more than 50 U.S. banks. In early 2020, he told the American Bankers Association’s Banking Journal: “When an employee is using their own computer, IT has almost no control.”

Eighteen months later, research shows that this warning still stands. Industry experts point to misconfigured VPNs, insufficiently secured home Wi-Fi networks, unmanaged personal devices, personal cloud storage services, and unmonitored home office printers.

[Infographic excerpt: remote work security. Source: Tessian]

Remote work hasn’t only exacerbated the insider risks posed by negligence or disgruntled employees. Cybercriminals on the outside have taken notice, too. They wage automated campaigns that increase the pressure on banks to take decisive countermeasures. 

Many recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention (DLP) tools, firewalls, endpoint protection – cannot ensure adequate protection on its own. Recent threat reports confirm it: attackers are exploiting remote work blind spots and endpoint vulnerabilities to the fullest.

 

Document theft-as-a-service: Search. Scoop up. Siphon off.

As a result, credit unions, investment banks, mortgage lenders, and their remote workers are bearing the brunt of automated ransomware campaigns right now. In the first half of this year alone, banks experienced a 1,318% year-over-year increase in ransomware attacks, reports cybersecurity firm Trend Micro in its 2021 Midyear Security Roundup.

What does this have to do with document protection? There’s a direct and significant connection. New ransomware variants don’t merely encrypt the victim’s business-critical data and demand a ransom to unlock it. The latest ransomware toolkits are also built for data exfiltration.

In other words, they are designed to search for, scoop up, and siphon off sensitive information, which is then used for more elaborate extortion schemes (so-called double extortion). Only last week, the FBI issued a Private Industry Notification [PDF] describing how perpetrators specifically target confidential documents about planned mergers and acquisitions and threaten to release them on the internet if the victim doesn’t pay up.

So why have some financial institutions been less impacted than others by data leaks and theft during their shift to remote work? 

Identify, protect, control – with Enterprise DRM

One answer is that they didn’t bide their time until the next data breach. Instead, more banks launched a “digital transformation” that some say is long overdue for the industry as a whole. One pillar of their strategy is shifting to a data-centric security model, enabling them to protect their data at rest, in use, and in transit.

Because perimeter and endpoint controls – DLP, firewalls, endpoint protection – lose sight of a document the moment it leaves the managed network, bank CISOs no longer rely on them alone.

Instead, they leverage Enterprise Digital Rights Management solutions such as Fasoo to identify, encrypt, and oversee access to unstructured data at the file level. This way, sensitive documents remain protected against unauthorized access if leaked or exfiltrated, no matter how that happens, provided the file was encrypted before it left and the person leaking it is not also an authorized user. The print and screen controls described below address that residual insider risk.

The Fasoo Enterprise DRM framework follows a three-way approach to ensure gapless document protection and remote work security:

    • Identify: Fasoo automatically identifies data worth protecting, from legacy repositories to newly created documents, which are secured at the point of creation. Unlike DLP, which is limited to tagging such information for protection within the organization’s IT perimeter, Fasoo sets the foundation for protecting and controlling confidential data anywhere, on any device.

 

    • Protect: Enterprise DRM provides an additional layer of security by combining FIPS 140-2 validated encryption and access control. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).

 

    • Control: Fasoo enables banks to assert control over their confidential data through the entire document lifecycle, based on flexible and people-friendly central policy management.

 
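The identify, protect, control flow just described, as a runnable illustration added here rather than code from Fasoo or from the original post. It models the pattern, not any product internals: a small rule-based classifier stands in for the identification step, each document gets its own content key, and a central policy server releases that key only for a permitted user and action, logs the decision, and can revoke the document later so that a leaked copy no longer opens. The classification rules, role names, envelope layout, and the HMAC-SHA256 counter-mode cipher (used in place of the FIPS 140-2 validated AES a real product would use, so the example needs nothing outside the Python standard library) are all assumptions made for this example.

```python
"""Illustrative model (added here; not Fasoo's code) of data-centric document
protection: identify sensitive content, encrypt each file under its own key,
and release that key only when a central policy server approves the user and
the action. Stdlib only: an HMAC-SHA256 counter-mode keystream with an
encrypt-then-MAC tag stands in for the FIPS 140-2 validated AES a real
product would use."""
import hashlib
import hmac
import json
import re
import secrets
import struct

# Identify: assumed classification rules for the example, not the product's own.
SENSITIVE_PATTERNS = [
    re.compile(r"\bCONFIDENTIAL\b", re.I),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # US SSN shape
    re.compile(r"\b(?:\d[ -]?){15,16}\b"),        # payment-card-number shape
]

def classify(text: str) -> str:
    """Return 'confidential' if any rule matches, else 'public'."""
    return "confidential" if any(p.search(text) for p in SENSITIVE_PATTERNS) else "public"

# Protect: per-document keys and a tamper-evident envelope.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range(-(-length // 32)))       # ceil(length / 32) blocks
    return b"".join(blocks)[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class PolicyServer:
    """Central policy store: holds content keys, decides who may do what, audits."""
    def __init__(self):
        self._keys = {}        # doc_id -> (enc_key, mac_key)
        self._policies = {}    # doc_id -> {role: [allowed actions]}
        self.audit = []        # (doc_id, user, action, decision)

    def register(self, doc_id: str, keys: tuple, policy: dict) -> None:
        self._keys[doc_id] = keys
        self._policies[doc_id] = policy

    def revoke(self, doc_id: str) -> None:
        """Lifecycle control: after revocation no copy of the file, leaked or not, opens."""
        self._policies[doc_id] = {}

    def request_keys(self, doc_id: str, user: str, role: str, action: str) -> tuple:
        allowed = action in self._policies.get(doc_id, {}).get(role, [])
        self.audit.append((doc_id, user, action, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {doc_id}")
        return self._keys[doc_id]

def protect(doc_id: str, plaintext: bytes, policy: dict, server: PolicyServer) -> bytes:
    """Envelope layout: len(header) || header JSON || nonce || ciphertext || HMAC tag."""
    keys = (secrets.token_bytes(32), secrets.token_bytes(32))
    server.register(doc_id, keys, policy)
    nonce = secrets.token_bytes(16)
    label = classify(plaintext.decode("utf-8", "replace"))
    header = json.dumps({"doc_id": doc_id, "class": label}).encode()
    ciphertext = _xor(plaintext, _keystream(keys[0], nonce, len(plaintext)))
    body = struct.pack(">I", len(header)) + header + nonce + ciphertext
    return body + hmac.new(keys[1], body, hashlib.sha256).digest()

def header_of(envelope: bytes) -> dict:
    """The cleartext header (id and classification label) travels with the file."""
    hdr_len = struct.unpack(">I", envelope[:4])[0]
    return json.loads(envelope[4:4 + hdr_len])

def open_document(envelope: bytes, user: str, role: str, action: str,
                  server: PolicyServer) -> bytes:
    """Decrypt only if the policy server releases the keys for this user and action."""
    header = header_of(envelope)
    enc_key, mac_key = server.request_keys(header["doc_id"], user, role, action)
    body, tag = envelope[:-32], envelope[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: envelope was modified")
    offset = 4 + struct.unpack(">I", body[:4])[0]
    nonce, ciphertext = body[offset:offset + 16], body[offset + 16:]
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))

if __name__ == "__main__":
    srv = PolicyServer()
    memo = b"CONFIDENTIAL: M&A target list. Contact SSN 123-45-6789"  # constructed sample
    env = protect("deal-memo-1", memo, {"analyst": ["view"], "manager": ["view", "print"]}, srv)
    print(header_of(env)["class"], open_document(env, "alice", "analyst", "view", srv) == memo)
    try:
        open_document(env, "alice", "analyst", "print", srv)
    except PermissionError as exc:
        print("denied:", exc)
    srv.revoke("deal-memo-1")
    print(srv.audit)
```

Run it directly to see an analyst’s view succeed, the same analyst’s print request fail, and the audit trail record both. The point to notice is that the ciphertext on disk is useless without the policy server’s decision: a copy moved to a personal laptop or a cloud share still needs a key release, and revocation closes that door after the fact. What this model cannot stop is an authorized user photographing a screen or walking out with a printout, which is exactly the gap watermarking and print controls exist to cover.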

Boost for remote work security and productivity in banking

This control transcends the digital domain. Fasoo’s printer-agnostic secure print capabilities (Fasoo Smart Print), for example, let organizations apply print restrictions and watermarks to plain and DRM-secured documents alike. Its screen security component (Fasoo Smart Screen) applies screen watermarks to applications and URLs, blocks screen capture attempts on sensitive data, and logs every such attempt.

“Enterprise DRM is working great for us,” says the CISO of an S&P Top 100 global bank, a Fasoo customer. “It gives us a quick at-a-glance look at all our sensitive data and enables us to assert control wherever it goes.”

Would you like to learn more about how organizations in the financial sector, from community banks to global financial institutions, leverage Enterprise DRM to secure their digital transformation?

Connect with our industry experts here. 

###

Ron Arden Talks About NYDFS and Cybersecurity at FinCyberSec 2017

Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented Countdown to Compliance with NYDFS 23 NYCRR 500 during FinCyberSec 2017 at the Stevens Institute of Technology in Hoboken, NJ on May 31, 2017.  Ron was part of a day-long event that focused on the technical, regulatory, process and human dimensions of cyber threats faced by financial systems and markets.

Dr. Paul Rohmeyer, who organized the conference, started the day with opening remarks that set the stage for how the world of business and cybersecurity has changed in the last year.  With constant attacks, like the WannaCry ransomware attack and the ever changing business and technology landscape, financial services companies have a lot to address as they look to safely promote new business models.

Dinesh Kumar, CTO from Mitovia, started the presentations by discussing security effectiveness.  Collectively companies spend upwards of $100 billion annually on cybersecurity, yet data breaches are a daily occurrence.  Dinesh focused on using a business model to determine outcomes of cybersecurity rather than focusing on tasks or events.  If you ask a typical cybersecurity professional what she or he does, they might tell you they monitor something or try to prevent something.  If you ask a sales person, they will say I increased revenue by xx dollars or I brought in five new customers.  They don’t tell you they made 20 phone calls or had eight lunches to get the outcomes.  Understanding that cybersecurity is a means to a business outcome helps focus resources and activities.

Ron Arden was up next and focused on the new NYDFS 23 NYCRR 500 cybersecurity regulations for financial services companies doing business in NY.  Ron cited numerous statistics from the recent Ponemon survey on “Countdown to Compliance” that showed many organizations are not ready for the regulations and will need help to meet the compliance deadlines.  A big focus of the presentation was understanding that the purpose of the regulation is to protect financial businesses and their customers.  Ron advised the audience not to get caught up in the minutiae of the technical and governance details without focusing on the real point, which is to protect nonpublic information from unauthorized access.  There were numerous audience questions about third-party service provider security readiness and how financial organizations can ensure they are covered.  It will take a combination of legal, process and technology solutions to address this.  Ron spoke about Fasoo’s six-step plan to address the data-centric security and encryption requirements in the regulation, which cover the main information protection points for both the covered entity and its service providers.

Michael Frank, President of Secure Business Strategies, finished out the morning presentations by comparing our brave new world and its cybersecurity practitioners to an Eagle Scout and how we need to think differently.  He cited the scout motto and oath and how with a few changes to wording they are very relevant to our cybersecurity fight.  Key to Michael’s presentation was that cybersecurity equals business today.  New business models from Quicken Loans, Amazon and many others are turning financial services on its head.  Key to their success is the notion of trust, which is reliant on providing a secure, end-to-end business process.  We as consumers of goods and services need to trust these providers to keep our information secure as we do business.  Without it, these businesses will fail.

The afternoon continued with numerous technical presentations and ended with a great panel discussion with a CISO and two technical practitioners.  Discussions went back to some of the morning’s topics on security effectiveness and business outcomes.  The often cited Target data breach emerged as an area to discuss that compliant does not mean secure.  Focusing on business effectiveness allows an organization to understand and prioritize its investments in security policy, process and technology.  While a cybersecurity strategy should support the business strategy, it’s amazing how many companies do not do this.

This conference was a very successful event and I expect it will continue as more emphasis is placed on practical approaches to increasing security in the financial industry.

Countdown to Compliance: Fasoo Sponsored Ponemon Institute Survey of NYDFS 23 NYCRR 500

Fasoo sponsored a Ponemon Institute survey to determine the readiness of financial firms doing business in New York State to comply with the new cybersecurity regulation NYDFS 23 NYCRR 500 that went into effect on March 1, 2017.  The regulation includes deadlines to implement procedures and solutions to achieve compliance with the new standards.  Since New York is one of the world’s financial capitals, the state wants to ensure that organizations that operate under the banking, insurance or financial services regulations provide a secure information sharing environment to protect companies and their customers.

“The survey is aptly titled ‘Countdown to Compliance,’” said Dr. Larry Ponemon.  “Our goal is to provide insight into the challenges these organizations face in complying with the demanding new requirements which apply to all ‘nonpublic information’ – at rest, in-transit and shared with third parties.  The survey will provide insight into their efforts to comply over the next 180 to 365 days.”

Many organizations may not realize they are covered under these regulations, but if you just go to the NY Department of Financial Services website, you can search for your business.  If you are a financial institution, insurance company, insurance licensee or service contract provider, you are most likely covered.  This also includes foreign banks that are New York State-chartered or licensed.

This is the second Ponemon Institute survey sponsored by Fasoo during the past year. The previous research, titled “Risky Business: How Company Insiders Put High Value Information at Risk” polled IT security practitioners on risks of data breaches by trusted insiders.  The information in that survey is still very relevant to financial services firms and any business today.

“Both of these Ponemon surveys build market awareness and inform CIO/CISO and Compliance Officer leadership as to the need and now the mandatory New York State requirements for data-centric security, audit, and compliance solutions,” said John Herring, CEO of Fasoo, Inc.  “We are joining with leading Legal, GRC and Insurance cybersecurity professionals to sponsor several events across New York State to highlight strategies and enterprise ready data-centric solutions to address regulatory compliance.”

If you want to get an early release copy of the “Countdown to Compliance” survey and keep apprised of Fasoo sponsored NYDFS events, please register here.

 

Photo credit thenails

Fasoo talks about cyber security and protecting sensitive data in the finance industry

Ron Arden, Vice President and COO of Fasoo, Inc., participated in a panel discussion on cyber security priorities in the finance industry at FinCyberSec 2016 at Stevens Institute of Technology in Hoboken, NJ on June 1, 2016.  Ron was joined by Alan Brill, Senior Managing Director from Kroll, and Michael Frank, President of Secure Business Strategies.  The panel was moderated by Dr. Paul Rohmeyer, who organized the conference.

The first topic of discussion addressed the challenges of cyber security in the financial services industry.  Dr. Rohmeyer asked whether CISOs operating in different industries have unique priorities or whether they are similar.  Ron mentioned that when you experience a cyber security event, people either want to disrupt operations or steal data.  Regardless of industry, the general goals are the same.  There are clearly unique processes in financial services that may not exist in other industries, but the basics are the same.

Michael Frank mentioned how the lack of security basics is hurting the financial industry and many others.  We rely so much on technology and assume that everything works that we frequently neglect simple things.  Systems that use default passwords or assume that someone is who they say they are with minimal confirmation are common issues.  Another example is the risk that a typical printer poses to a company if a user can print any sensitive document.  Uncontrolled printing lets anyone print anything and take it out of the business.  We are so focused on protecting the perimeter of our companies from hackers, that we are ignoring the trusted insider who can steal valuable information on a piece of paper.

There was also discussion on the risk posed by insider threats to unstructured data – typically files and documents.  Most of the data breach headlines focus on hackers stealing information from databases, yet most of the intellectual property inside a business is in documents we work with every day.  Encrypting these documents and restricting their access through persistent security policies is the best way to ensure that only authorized users can access the sensitive information inside.

Another topic for the panel was “Where are we off target?”  Are companies focusing in the wrong areas when it comes to cyber security?  Discussions again focused on securing the valuable data in your company and ensuring that you follow business processes.  Too much emphasis is placed on technology as the silver bullet without thinking about the people side of things.  One example was a major financial transaction where the person executing the transaction got an email from the CEO asking him to transfer a large amount of money to another bank.  While this may be normal, there is a process to verify this through a phone call.  The email looked legitimate, but was actually a phishing email that looked close to the real thing.  A simple phone call verified it was bogus, but most people just accept that the technology is working.

During Ron’s closing remarks he mentioned that just because a company is compliant does not mean it’s secure.  A perfect example is Target from a few years ago.  Target was PCI compliant, but it still had a major data breach.  Cybercriminals exfiltrated large amounts of unencrypted data that caused major problems for the company.  Regulations frequently have guidelines that set minimal requirements for data security, but do not specify technologies or processes.  That is changing, and newer laws are mandating encryption and permission controls as ways to ensure that sensitive information remains safe from all unauthorized users.

This conference was a very successful event and I expect it will continue as more emphasis is placed on practical approaches to increasing security in the financial industry.

Home Depot to Pay Big for Data Breach

Data breaches are beginning to cost companies a lot of money.  This isn’t potentially lost revenue or brand damage, which may be hard to measure.  This is cold, hard cash.

Home Depot has agreed to pay as much as $19.5 million to compensate consumers for the data breach it suffered in 2014 that affected more than 50 million cardholders.  That figure includes $13 million to reimburse customers for losses and $6.5 million for a year and a half of identity protection services.  They have also paid out or plan to pay $161 million in total for costs related to the breach.

As part of the settlement, the company agreed to improve data security and hire a chief information security officer (CISO).  That’s good.  As is common in these cases, the company did not have to admit it did anything wrong.  Not good.  I understand this is common in these settlements, but I find it unfortunate, since the customers are affected by the negligence of the company.  To me this is like saying that if I left my front door open and somebody came in and robbed me, it isn’t my fault.  Companies must take data security seriously, but many of them do not even do the basics of locking the front door.

The standard approach to help those affected in these breaches is to offer identity protection services to the victims for a period of time.  That sounds great, but what happens after that?  Cyber criminals are smart enough to know they can hold on to personally identifiable information (PII) for just a little longer and then use it.  Of course I can change my credit card number, but I’m not going to change my name and address.

A very common cyber attack today is phishing, which tricks someone into clicking an email link or going to a fictitious website.  The goal is to steal information the criminal can use to get money, defraud someone or get something else of value.  Having identity protection services may help monitor your credit cards or bank accounts, but does little if someone tries to pose as you to get healthcare, uses your name to defraud a relative or makes small purchases that fly under the radar.

If you handle regulated or any sensitive data, you need to encrypt it and control its access.  That doesn’t mean only control access while sitting on a file server or in a database.  These breaches prove that hackers can get past those security layers.  You need to provide strong encryption on the data itself that requires multiple authentication factors before allowing someone to access it.

I think these large settlements may finally be a wakeup call for organizations that handle PCI regulated data and any PII or PHI.  Hopefully Home Depot and other organizations will heed the advice from security experts and the FTC and improve their data security practices to prevent data breaches in the future.  Nothing spurs action like a hit to the bottom line.

 

Photo credit Mike Mozart

Fasoo Had a Busy Month in October Showing Data Security Solutions

The month of October was very busy for Fasoo as we were all over the US talking to people about data-centric security and how it is the best solution to protect your sensitive information from insider threats and external hackers (APTs).

We started the month by attending the Rochester Security Summit in Rochester, NY.  This two-day event brought together executives and technical staff from numerous organizations in the Rochester area to share intelligence on how to protect their businesses from cyber attacks.  Fasoo was part of a vendor pavilion with our partner Brite Computers, showing attendees how to protect data extracted from databases, files downloaded from content management systems, and files shared through the cloud and on mobile devices.  Ron Arden, Vice President – North America, presented to a packed room on “Closing the Threat Gap: A 21st Century Approach to Minimizing Risk” as part of the Threat Landscape track at the event.

The following week saw Fasoo sponsoring an executive luncheon on The Internet of Things (IoT) at the Nasdaq Marketsite in New York City.  The event was put on by the National Cyber Security Alliance (NCSA) as part of National Cyber Security Awareness Month (NCSAM).  Bill Blake, President – North America, and Ron Arden participated in the luncheon and spoke to the numerous executives and government officials present.  We were even part of the closing bell ceremony; look for us around 1:00 into the video.  With all the interest in IoT devices and the tremendous amount of data each will generate, Fasoo was educating people on how to protect the information collected and ensure that PII, PHI and other personal data is protected.

We finished the month in Las Vegas at the IBM Insight 2015 conference.  Fasoo was a Silver Plus Sponsor, so we had a booth right in the middle of all the action.  Security and analytics were big focuses of the conference this year, as many organizations are trying to understand where they have sensitive information (the crown jewels) and how best to protect it from internal and external threats.

Bill Blake, Ron Arden and National Account Manager Alper Kizar were all in Vegas talking to customers, IBM staff and generally enjoying the warm weather.  Bill presented “Closing the Threat Gap: A 21st Century Approach to Minimizing Risk” to an enthusiastic audience at the Expo Theater.  Our partners Dayhuff and Neocol joined us in the booth and throughout the conference as many attendees were talking about securing the mountains of unstructured data in their companies.  Of course Vegas would not be complete without some fun, so Dayhuff held its annual get together at the Ri Ra Irish Pub.  The Irish definitely make some great beer and it was great to unwind with everyone after a long day at the conference.

During the different events, I heard a lot of recurring themes from attendees, vendors, speakers and security professionals.  I think they show the challenges CISOs, CIOs and other executives face as they try to move their businesses forward in an ever changing security landscape.  Here are a few of them.

    • Corporations do not have perimeters anymore

    • Security is everybody’s job

    • Monitoring data is hard; it’s like dust, it’s everywhere

    • Users are very naive about security and need to be educated

    • More than half of all data breaches are caused by human error

    • When you increase where the data is, it increases the risk

    • Being compliant doesn’t mean you are secure

Fasoo has the best approach to address each of these points through strong file encryption and persistent security policies that travel with the data.  Access to sensitive data is controlled through good identity management that ensures your sensitive data is protected and controlled regardless of location or device.  Working with existing applications and workflows makes it very easy for users to apply security to files, since they don’t have to think about it.  Automatic security policies apply the right level of access control as soon as someone creates a file.  This makes it easy to control unstructured data, whether it’s created locally or downloaded from an existing information system.

Check out some of the pictures from our busy October as the weather turns colder and the end of the year is in sight.  Hopefully we can help you create a secure work environment by protecting your most sensitive information from getting into the wrong hands.
