By Rob Byars, Vice President, Information & Cyber Security, Wells Fargo
What for you are the benefits of attending a conference like the ‘Fraud and Financial Crime USA’ and what have attendees learnt from your session?
Conferences like this are crucial for learning, sharing, and collaborating on the most pressing challenges in our industry. Whether you’ve been in the financial industry for 30 years or 3 years, there is always something new to learn and apply, given the rapidly changing landscape where criminals are consistently seeking and finding new ways to exploit the seams between our digital channels and traditional banking practices.
In the Cyber Risk Panel Discussion, we discussed the importance of aligning cyber and fraud teams. The criminals have already achieved ‘cyber-fraud convergence’, and if the industry is going to successfully counter the growing trend-lines for cyber-fraud, then we must do a more effective job of bridging these two major silos. So we explored various models of cyber and fraud alignment, in addition to delving into issues related to monitoring critical functions, managing third parties, and issues around personally identifiable information (PII).
When aligning fraud and cyber teams how can risk professionals protect customer information?
Information security and the protection of customer information, in particular, are paramount. However, some in the industry have shown some reticence when it comes to aligning cyber and fraud teams due to regulatory concerns and trepidations about expanding internal (cyber) access to customer information – and that’s okay. We shouldn’t rush into fusing teams and systems without a very thoughtful and deliberate process taking into account protections, procedures, and customer-focused imperatives that cannot be compromised. Conversely, we should also consider the positive aspects of aligning fraud and cyber teams and how that enables firms to enhance the protections extended to their customers by proactively identifying previously compromised credentials, customer information, etc. This is not an either/or issue. It is essentially a question of how to get to YES on cyber-fraud convergence and enhance, not detract from, the protections in place for customer information. A good start would be implementing a cross-training program between Fraud and Cyber teams. These teams have until recently walked different paths, but their paths converged because fraudsters did. We need to converge our areas of expertise and develop new ways to protect our customers, figure out what works and what doesn’t, and share our stories whenever possible.
Why is managing third party relationships a key concern when dealing with cyber risk?
You’re only as strong as your weakest link. When assessing a firm’s expanded attack surface, the relative ‘unknowns’ about third party cyber security postures may be more than the ‘knowns’ and thus increase the relative risk that a third party could be a potential attack vector. Add to that the potential ‘concentrated third party risks’ firms may share, in addition to more and more sensitive data being stored by third party providers, and you can understand why third party cyber security risk is getting a lot more scrutiny.
The question, however, isn’t whether it’s a key concern or why (since most will already agree it’s important); the question is how we best manage the risk. Are the current assessment frameworks for measuring third party cyber risk satisfactory? How do firms assess individual risks for third party providers, and how do they mitigate them?
How can we manage identifying vulnerable employees with access to data?
This is an interesting question. At the heart of managing vulnerable employees’ access to data is implementing an effective access control program that ensures only those with proper authorization and authentication can access sensitive data. This includes not just the individuals themselves but also the devices they use. Another key element is implementing an effective Insider Threat Program to mitigate the potential that an employee may, wittingly or unwittingly, use their authorized and authenticated access to data in such a way as to cause harm. This means we must also have effective means of identifying and reporting unusual behaviours, associations, or other unusual, suspicious activities that could indicate the presence of a potential insider threat.
However, I think we also need to look closely at those who have access to certain data or critical functions who may be individually targeted by an external threat. Organizations should identify prioritized critical functions, and the individuals who are associated with those functions, in order to implement control measures and alerting criteria for when an employee may be targeted. Think of this as a ‘high-value employee list’ meriting additional counter-intelligence focus that would nest with existing executive protection programs, with an added emphasis placed on cyber protection.
One other area that needs to be mentioned here is the threat posed by those exploiting social media platforms. This is an area of vulnerability that is obviously much more difficult for companies to manage, but it should be noted that there are a number of advanced persistent threats (APTs) that have developed advanced skill-sets and on-line tradecraft and have even successfully duped some senior-level cyber experts, with significant consequences.
What do you see ahead for the future of monitoring and reviewing dark net boards and how will this adapt the industry?
The future will require more resources dedicated to active collection on the dark web. More analysts, artificial intelligence (AI), and machine learning will be required to lean into the constantly evolving threats that exist within the dark web. From an industry perspective, much of our focus is on protecting our customers whose personal information is being monetized and exploited by cyber criminals. We try to proactively identify when these types of trades are taking place in order to get ahead of the eventual attempts to further victimize our customers. We also monitor for the sale of exploits and just about anything else that could conceivably impact our industry. We’re not alone in this. Governments are also committing resources to the dark web due to the security threats posed by some of the groups and the things they are attempting to sell – whether it be weapons, humans, drugs, terrorist facilitation, malign services for hire, or repackaged nation-state developed exploits. And of course your credit card information.
Some companies, it should be noted, have already taken the next step to ‘leak’ selective ‘honey accounts’ to illuminate transaction patterns and activities on the Dark Web. Some are also working closely with law enforcement agencies to leverage cyber technologies to orchestrate and automate tracking to support intelligence gathering and disruption operations. Disruptive operations are not for everyone, but perhaps something to strive for if your organization has the talents, resources, and mature processes to expand into this area.
So overall, I think we will continue to see this as a ‘growth industry’, of sorts, and our industry will need to adapt as it evolves. Part of that adaptation will be raising awareness so there is a broader recognition that there is a compelling need for the whole of industry, in collaboration with our US Government partners, to approach the dark web as a platform of systemic risk to the financial industry and other critical infrastructure.