Security Prioritization- A New Business Imperative
By Jenny Menna, SVP, U.S. Bank
During this time, there have been many positive innovations in technology, as we at U.S. Bank have launched faster payments through The Clearing House, introduced Zelle (person to person payments) and leveraged technologies to enable our clients to pay with their phones and authenticate with their faces. Every minute, 50 voice activated devices are shipped increasing the “Internet of Things.” As we strive to provide a seamless customer experience, using all the new tools that are integrating into our daily lives, we also face a complex and growing set of risks.
2018 began with the Specter and Meltdown vulnerabilities. Both showcased weaknesses in the core of just about every device we use from mobile to servers. Patching these vulnerabilities is more complex than traditional application patches, requiring further testing and risking significant production degradation. Seemingly, every day there is new information—often conflicting with that from the prior day—about exploits and mitigation strategies. This presents challenges for both the CISO and CIO and requires us to work in close partnership. In 2017, we learned about vulnerabilities to Wi-Fi, Bluetooth and Apache Struts, the latter of which led to one of the most significant breaches of all time and exposing the personal information of 145 million consumers.
The threat landscape also continues to grow. Criminals have grown increasingly sophisticated, operating like large complicated companies with multilingual help desks and money back guarantees. They’ve diversified their business lines like any successful and growing enterprise. They offer malware as a service and training on how to use it, lowering the barrier of expertise needed for entry into the field. The amount of Business Email Compromise schemes continues to grow and expand into ransomware costing businesses more than $5 billion to date.
Banks are familiar to nation state attacks. In fact, many large financial institutions were attacked in 2012 in response to United States government sanctions. Large and small companies across industries have been victims of intellectual property theft. And high profile destructive malware as political retribution made front page news. But last year, we learned for the first time that a nation state was using its resources and military for financial gain. It’s definitely a scary time.
So, what have we learned and what can you do? First of all, patch your systems and then check to make sure that the patch is complete. The vast majority of successful intrusions happened using known vulnerabilities.
If we share information and mitigation approaches, one firm’s detection becomes everyone’s prevention
In our industry, we talk about the “Advanced Persistent Threat” but honestly, when I worked in government we joked that it was the “Adequate Persistent Threat” because we don’t really require the bad guys to bring their A game. I’ve been in this business for more than a decade and the same advice when I started is true today: Update your systems, use up-to-date antivirus protection, train your employees to be cautious with emails and online, use unique, complex passwords and change them regularly–plus, use stronger forms of authentication whenever offered and know your networks so you can spot unusual activity. I cannot think of any high profile attack that would not have been stopped or at last mitigated by strong application of those practices.
What else have we learned? Security is not just an issue for the technology team, the CISO or CIO. We need to have regular conversations about the systems, data and vendors our businesses rely on with the business people. How else can we understand the real impacts or loss of confidentiality, integrity or availability of any of those? Engage your leadership team and your board. Given the size of the opportunity and frequency of attacks and successes by the bad guys to date, this is a prime board issue in 2018. Financial impacts to recover and risks to reputation and customer trust are significant. If prevention measures fail, how would your business respond? What is your roll back or offline back up capabilities and how should those change with the risk landscape and business needs? When and how would you escalate? Notify your customers and the public? Engage outside counsel, response vendors or public affairs firms?
Having these conversations after the fact is too late for your business. We have them regularly within U.S. Bank. We conduct quarterly exercises, all the way up to our Board and we complete exercises as an industry. Approximately $15 trillion moves between U.S. financial institutions every day (electronically). We are interdependent and interconnected and must partner with our peers and with government to identity and mitigate risks. We recognize that public confidence in our entire industry is critical to its success. U.S. Bank is proud to be active in industry cybersecurity efforts from information sharing to exercises and research and development coordination. There is no reason for each business to reinvent the wheel. If we share information and mitigation approaches, one firm’s detection becomes everyone’s prevention.
We are also using new technology to protect ourselves and our customers. Like in technology, we are leveraging orchestration in security to help our tools work together, faster, to keep up with the speed and volume of the threat. Orchestration helps us to bring detection to deployment of courses of action in machine speed. We are similarly investing in machine learning and artificial intelligence to address the threat landscape and to help detect security and fraud incidents quickly by mining the massive volumes of data we have. We recognize that for most of us, security is a cost center and not the driver of our business. As such, we must partner with technology teams to make security an enabler in the world of Development Operations and Agile development. It’s not necessarily easy, but it’s critical for shared success in this environment.
New ways of using our mobile phones has also helped us innovate to be more secure. We at U.S. Bank support all of the major mobile payment solutions, which offer tokenized payment using passcodes and/or biometrics which lower risks of data theft from traditional card use. We are using the Zelle mobile platform to do more than just offer more secure person-to-person payments. We’ve launched a new program called Zelle Disbursements to allow businesses to send secure, efficient electronic payments to individuals. We continue to expand biometrics and behavioral identification such as mobile location services and fraud detection methods. Using voice, location, and other factors to offer our clients a growing suite of choices to improve and secure their experience.
We need to continue to support and enable these innovations in a way that respects privacy and allows our clients to engage us using the new technologies they are integrating into their lives. Will the pace of change slow in 2018 and beyond? Will this ridiculous pace slow? It’s not likely, but it will be an exciting ride as we find out.