By Dave Henderson, Co-founder at BlueFort Security
Kitchen table trading is a notion that would have seemed laughable to many financial services firms at the end of 2019. But while mobile phones are generally banned on trading floors globally and conversations often tracked and recorded, the rapid deployment of remote working models has meant that many of these safeguards were no longer practical. Indeed, early on in the pandemic, the Financial Conduct Authority (FCA) relaxed its rules for those working at home. However, while the regulator accepted that – in some instances – organisations would be unable to comply with their obligations, firms would still be expected to come up with ways to address the issue.
As in most organisations and indeed most industries, digital collaboration tools acted as a lifeline for financial services during periods of widespread workplace disruption in 2020. But while many of these changes were initially seen as a temporary way of ensuring business continuity, it has become all too clear that remote working – or at least hybrid working – is here to stay. For IT security and compliance professionals, this leaves plenty of challenges to consider. Those within financial services, in particular, operate under a set of rigorous rules and regulations around privacy, data security and insider trading. Regulated firms must demonstrate they are working within the boundaries set out by the FCA and PRA.
The daunting challenge of collaboration sprawl
The challenge of delivering on these requirements with a geographically dispersed workforce – with hundreds of computers and devices all operating outside the protection afforded inside the corporate network – is a daunting one. Particularly while working remotely – which many security teams will still be doing long into 2021 – proving that the appropriate controls over inside information and effective information barriers remain in place, regardless of where teams are working from, is complex.
Collaboration application sprawl, which a recent report from Aternity revealed has increased dramatically since March 2020, significantly extends an organisation’s threat surface and has the potential to impact data governance in new ways. With employees adopting numerous collaboration tools for internal, external and ad hoc communications, simply gaining visibility is tough enough – effectively monitoring, managing and securing these platforms can be far more challenging.
For the most part, remote workers have simply been trying to find a quick and easy communication workaround to being physically separated from their colleagues. But as the oft-quoted proverb goes, the road to hell is paved with good intentions. The challenging task now facing security and compliance teams with these collaboration platforms – from Slack to Microsoft Teams and Zoom – is enforcing stringent data and security policies over a range of new applications. The sudden and widespread nature of their adoption also poses a number of security risks, with platforms often left wide open for exploitation by cyber criminals. Indeed, shortly after the first lockdown started, Standard Chartered banned the use of the Zoom video conferencing app and Google Hangouts, specifically because of the security risks it suddenly faced.
Defining the collaboration threat
If a malicious actor is able to compromise a user account on one of these collaboration tools, there is a strong probability that they will gain access to the corporate network. Once inside, a threat actor can cause significant damage. For example, they could pose as a trusted employee and share malicious documents or files in order to move laterally onto other devices. Or they might move into file-sharing apps such as G Suite or SharePoint to gain access to and exfiltrate sensitive data.
Another significant security loophole with collaboration tools is that the legacy security and data loss prevention (DLP) tools that have been in place for years to handle on-site collaboration and work environments are simply ineffective now that Google, Slack and Dropbox are so commonplace. Collaboration apps lack granular controls, and there is only so much an organisation can do to restrict their use.
The informal nature of the chat function in these platforms also means the lines between what’s appropriate to discuss – and what is not – can become blurred. Conversations can easily stray into sensitive territory, with the fallout being just as damaging as a successful cyber attack. With chats easily created – and not often deleted – there are far more potential exit points for sensitive or regulated data. Ensuring confidential files are not accidentally shared with external guests or other unauthorised users, or posted in the wrong place, is extremely difficult – and yet it must be done. Financial services organisations have a duty to ensure confidential insider information is not disclosed to unauthorised third parties, even under challenging circumstances.
Indeed, in a speech at a recent City Financial Global event, Director of Market Oversight, Julia Hoggett, explained: “New challenges, including controlling inside information moving within a firm and leaving a firm may also manifest at times like these… We expect firms to have updated their policies, refreshed their training and put in place rigorous oversight reflecting the new environment – particularly regarding the risk of use of privately-owned devices.”
Ensuring data oversight in a changing environment
Information lies at the heart of everything financial services firms do. Now, more than ever, this needs to focus on protecting the data itself. With sensitive information now moving out of the confines of the corporate network and into new collaboration platforms, IT security teams must ensure employees are using and securing data properly.
Strong data loss prevention (DLP) policies combined with a Cloud Access Security Broker (CASB) and Secure Web Gateway (SWG) will be ‘must have’ tools of the trade for any financial services organisation that is embracing digital technologies. Security teams must prioritise both visibility into collaboration tool usage across the organisation and the ability to enforce granular security policies.
While the pandemic has fundamentally changed how many organisations will operate in the long term, 2021 undoubtedly holds further challenges. As Julia Hoggett highlighted in her speech, when it comes to new technologies and communication tools, there remains an expectation that organisations will update their policies, renew their emphasis on training and ensure oversight remains just as rigorous in a changing environment.
Ultimately, there is no such thing as risk-free. However, with comprehensive, robust, and well-considered data security policies and tools in place, security teams can recreate the closely monitored environment of the past in a new and exciting era for the industry.