Maintaining security systems at financial institutions is top of mind for a lot of security leaders. How can bank security teams harden networks against cyberattacks, or maintain security during a hybrid-cloud migration?
Here, we talk to Ross Hamilton, Chief Information Security Officer at banking and payments infrastructure provider Episode Six.
Security: Tell us a bit about your security background.
Hamilton: I’ve been in financial services for about 20 years, working in technical roles with operational security elements. Since around 2010, I’ve worked in more formal security leadership capacities. Episode Six (E6) — the banking and payments infrastructure provider where I’m the Chief Information Security Officer — is the third fintech I’ve worked with. E6 is a U.S.-based company with a global footprint, so I enjoy the elements that come along with this.
In my current role with E6, I have overall responsibility for both the security of corporate IT and also our globally distributed payment service. Our cloud service operates in multiple regions, serving clients in many countries. It’s an interesting opportunity to work with these multiple regulatory environments and to ensure we’re doing the right thing by our customers.
I’ve always been interested in the security implications of everyday activities, and my educational background is in computer science. Being involved in running computer systems for many years has led me to be deeply invested in the security of systems that process people’s data. I don’t just do this because I enjoy it; I do it because I want people to feel confident that their data is safe.
Security: What cybersecurity threats are most commonly facing banks right now?
Hamilton: In one sense, we all face similar threats. Every bank — and most companies for that matter — has to deal with the baseline level of pain that comes with email phishing, ransomware attacks and similar threats.
Banks specifically also have more unique, targeted issues because they are considered to be high value to bad actors. That includes targeting everything from computer systems to personnel. Because of a bank’s role within the larger financial ecosystem, persistent threat actors may go after them to try and achieve longer-term, higher-impact objectives.
Drilling down further, when it comes to smaller financial institutions, like community or regional banks and credit unions, the threats can vary compared to big banks. Smaller players may be more likely to be targets of ransomware attacks where actors aim to deny access to computer systems to achieve a payout that they know is often covered by insurance. Big banks are more likely to be targeted by actors with ambitious goals of destabilization.
Regardless of size, it’s crucial that banks take a multifaceted approach to cybersecurity, especially at a time when various threats can lead to larger-scale financial crime. All banks are exposed to a variety of fraudulent intent through their electronic channels.
Security: How can bank security teams harden their networks against cyberattacks?
Hamilton: I look at it more as establishing a robust information security program rather than simply securing a network. Of course, there are industry best practices that apply across the board, but banks should avoid a check-the-box approach and instead invest the time to understand the specific threat landscape that applies to their institution. From there, they can drive toward mitigating those risks.
Key to a cybersecurity program is risk management, so banks need to maintain a comprehensive risk register. It’s not just about one security-based task but rather a broad array of activities that operate on an ongoing basis. Maintaining a risk register is a big part of this, as is vulnerability management at a more tactical level. Banks really need to understand their technical systems — like auditing software, where to set strong passwords, keeping systems up to date, etc. All of this can be tracked through a vulnerability management program.
Another important consideration is segregating the different parts of their systems. That way, in the event of a compromise, it can be contained to avoid a catastrophic event.
The last thing I’ll say is that employees really are the first line of defense. Attackers are going to go after employees; they're going to send them phishing emails, and in the age of social media, they’re even sending messages on LinkedIn. Making sure employees are well-educated is key to ensuring systems remain secure. Part of this is establishing awareness and trust so people know who the security team members are and that they can be approached with issues. The last thing a security team should want is an employee who is too fearful to admit a potential error. Approachability is key.
Security: For organizations yet to migrate to the cloud, can you share some tips for maintaining security during a cloud or hybrid-cloud migration?
Hamilton: As an organization migrates to the cloud, it’s unlikely the end state will be exclusively cloud-based. Rather, a hybrid model is more common because banks will still have people in back offices, and some infrastructure requires physical presence. Security officers should view the cloud as extending the security program that is already in place.
When planning the move to the cloud, banks should consider all of the different phases for migration. Then, conduct a run-through of the risk register for each of those phases. Consider how the changes being made alter the exposure to risk — either by introducing a new risk or changing an existing risk. Each scenario should be reviewed ahead of time to avoid having to react in the moment. Preparation is crucial.
Another thing for banks to consider is business continuity planning. If a migration is happening over time, make sure that your bank not only has a robust business continuity and disaster recovery plan in the end state, but also a way to keep the business online if a service goes down during any point in that migration. Planning to manage failure all the way through better equips the team to deal with any potential challenges before they arise.
Finally, if a bank is working with a cloud vendor, be clear on responsibilities. Traditionally, a bank has been entirely responsible for managing security controls. In the public cloud, many security controls operate on a shared responsibility model. For example, take a basic control like a firewall. The cloud provider and bank both have a responsibility to configure it in order to work correctly. The cloud provider will take care of infrastructure maintenance, but the bank needs to configure appropriate policies for the control to function correctly.
Even with cloud security controls being listed in a provider's assurance report, banks and others still need to understand their responsibility for it to operate effectively. Be sure you understand what you’re getting from the cloud. For this, communication is key.