Stephen Scharf, Chief Security Officer, DTCC
Physical infrastructure when WFH can go overlooked…
In addition to placing unparalleled pressures on healthcare systems across the globe and introducing significant limitations to our daily lives, the COVID-19 pandemic has put the spotlight on operational resilience in financial services.
One of the key challenges financial services firms faced was the need to rapidly facilitate a shift to a near 100% remote workforce, leaving some organizations exposed to increased cyber security threats. While most large financial firms previously had implemented robust and secure remote working processes, they were not designed to support the entire workforce. The need to rapidly move to a new working model drove some firms to quickly modify existing technology. As is often the case, such makeshift approaches may create cyber security gaps while also expanding the number of entry points for cyber criminals to exploit.
As Covid-19 spread, cyber criminals started shifting their focus from corporate entities to home-based attacks. Established strategies such as phishing and business email compromise (BEC) were successfully adapted and continue to be leveraged during the pandemic, albeit on a much larger scale. In the US, it has also been observed that phishing and BEC attempts that historically focused on tax-related matters at this time of the year have become increasingly focused on Covid-19 as a key “lure”.
The industry-wide switch to remote working also revealed new challenges related to the physical infrastructure at employees’ homes, such as secure printing and wireless networks. Printing can be business-critical and therefore ensuring the ongoing availability of secure printing has been key for a number of financial services firms. With the vast majority of modern printers now wireless and connected to other machines over the internet, the sudden, large-scale introduction of these new devices has significantly increased the number of potential entry points for cyber criminals.
The remote working environment also uncovered new insider threats, as employees started to connect to established infrastructure using devices that do not always have the requisite security parameters in place. As a result, the industry has seen new risks emerge due to well-intentioned individual employees who, operating under significant constraints, have found new and often creative ways to address technical challenges in order to get their job done, such as using their personal devices and email accounts. Some firms are already addressing these issues by increasing employee training around cyber security best practices related to home working environments as well as rolling out the most up-to-date protocols for their workforce.
So far, the industry has adjusted remarkably well. Firms that were historically slower to augment their cyber security practices have reacted quickly to the increased cyber risks brought forth by Covid-19. Basic cyber hygiene tools, such as two-factor identification, have become much more ubiquitous, while many firms have also enabled secure remote administration of functions that were not previously available off-site. The global crisis has highlighted the impressive computing power of existing systems, which handled the global shift to working in isolation.
We have also seen that, while the number of highly targeted BEC attacks is on the rise, the move to a remote working environment may actually create some disruptions to this established model of cybercrime. Built specifically to exploit human nature, BECs typically involve hacking senior executives’ emails with fraudulent requests for payments. To achieve success, modern criminals leverage a variety of techniques using social engineering to gain their target’s trust, a process that can involve months of research as the criminal accesses a firm’s emails and observes the target’s language patterns. The victim’s movements are often tracked too, with BEC attacks timed for when the target is travelling or off work and unable to confirm that fraudulent requests, usually involving a money transfer, are genuine. With global travel bans in place and business leaders being more accessible, malicious actors are limited in their ability to exploit senior executives’ unavailability. As a result, while the overall number of attacks is on the rise, some cybercrime may be less fruitful.
Still, vigilance matters. Given the interconnectedness of markets and the potential for a single cyber-attack to spread quickly and globally, the financial services industry is arguably more exposed than others, and the contagion effect creates further challenges when it comes to containing attacks and resuming business services. The full impact of Covid-19 remains unknown, so firms must continue to prioritize their cyber security risk management controls while collaborating with peers across the industry on emerging threats, best practices and sector resiliency. We are all in this together.
This article first appeared in Computer Business Review on June 26, 2020.