FS-ISAC Cybersecurity. Photo: Cybercrime Magazine.

7,000 Financial Services Firms To Double-Down On Cybersecurity

FS-ISAC provides work-from-home computing guidance to its member base

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – May 25, 2020

The non-profit industry consortium, FS-ISAC (Financial Services Information Sharing and Analysis Center), which is dedicated to reducing cyber-risk in the global financial system, recently held a webinar with the ABA (American Bankers Association) and SIFMA (Securities Industry and Financial Markets Association), in order to provide work-from-home security guidance to its 7,000 financial institution members.

Banks and financial services providers of all types and sizes are wise to heed FS-ISAC’s advice as the COVID-19 pandemic has sent millions of employees to work from home.

Technology Recommendations

The need to over-communicate with your employees can not be understated.

  • Embed technology and security representatives in the various planning groups to ensure proper consideration of the technical aspects of a wide-scale work from home (WFH) scenario and the security considerations that come along with it.
  • Over-communicate with personnel. Make sure how-to documents and FAQs about WFH are readily available. Widely re-share IT, Security, and HR contacts.
  • Remind personnel what technology and services are allowed, as they will be working hard to get their jobs done in a new model that they may not be comfortable with, and you don’t want to end up with any unsanctioned services happening in your environment. Reiterate how to share documents and collaborate on information while working remotely. For example, if you’re utilizing Office 365, remind employees to use Teams, SharePoint and OneDrive to share documents and collaborate. Ensure that employees are not trying to use services such as Google Drive or Dropbox if those are not allowed. Explicitly block unsanctioned services.
  • Plan for last mile/home internet connectivity limitations which may be based on physical location or impacted by an increase of family and neighbors online.
  • Monitor performance, consumption and load — this applies to both internal technologies such as VPN as well as critical business tools such as collaboration and communication platforms (O365, Google Suite, Zoom, WebEx) and carriers (Verizon, AT&T, Orange, Vodafone, etc.) Consider what services (e.g. streaming) you can exclude from your VPN tunnel to reduce the impact on your network while meeting your security requirements.
  • Review and update auto-routing of phones for call centers, help desks, operation centers, etc. as appropriate.

Cybercrime Radio: Robert Herjavec on COVID-19 and Cybersecurity

Protecting work-from-home employees is a critical need

Security Recommendations

Synchronize efforts with your managed security provider.

  • With a distributed workforce, ensure that security tooling is going to work off the network and there is a requirement or security control in place to monitor all web traffic.
  • Define the options for staff around the world to access your environment. Be sure to set proper user-level and admin-level accesses. Connectivity options include corporate devices with VPN, VDI, cloud workspaces, bastion hosts, and potentially even personal devices with your corporate VPN and robust host checking.
  • Security, privacy, risk and compliance teams in particular will be adjudicating policy exception requests. Many of these requests will be valid business needs but not all of them will be wise business decisions. When evaluating them, ask: does this align with our risk appetite?
  • Make sure the governance around the exception management process and decision criteria is well laid out and good tracking mechanisms are in place so that you can revert back to business-as-usual operations at a future point. To allow previously restricted behavior such as adding printers, create an exception policy for specific users or groups or use a just-in-time admin provisioning tool coupled with a service desk approval process.
  • Monitor for unsanctioned data access and movement. Adapt your data loss prevention (DLP) and user behavior monitoring rules to account for remote workers which may include but not be limited to concerns around printing at home, email forwarding, external storage drives, and alternate work schedules.
  • If using managed service providers (MSPs) for security monitoring, notify them of the shift in operating models so they can tune and tailor their notifications to you and adjust their monitoring activities.
  • Double down efforts on security patching and updates to remote access management solutions.
  • Ensure security controls such as web filtering support a remote workforce.
  • FS-ISAC members should monitor FS-ISAC traffic to stay up to date on evolving threats and best practices.

These technology and security recommendations were originally published in IF-ISAC’s “Work From Home Security Tips For Financial Institutions.”

FS-ISAC’s CEO Steve Silberstein recently told Bloomberg that working from home makes it much more difficult to protect financial services firms from cybercrime. “Now most work is done outside the firm’s firewall,” said Silberstein.

We’re all in this together,” said Jason Witty, chairman of FS-ISAC and CISO at JPMorgan Chase & Co., the largest bank in the U.S., in an interview with Cybercrime Magazine more than a year ago (when he was EVP and CISO at U.S. Bancorp.) This was well before the novel coronavirus hit, but Witty’s synopsis is now truer than ever. Point is, security leaders at financial services firms are fighting common enemies — cybercriminals, and now, COVID-19.

Robert Herjavec, founder and CEO at Herjavec Group and a previous keynote speaker at FS-ISAC’s annual Summit, recently joined the Cybercrime Magazine podcast to offer his advice for remote worker cybersecurity. His firm provides a cyber checklist for remote work scenarios.

We are living the future right now,” Herjavec recently told CNBC. Clearly, work-at-home is here to stay and financial services firms need to plan accordingly.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.