Cybersecurity in Banking and Finance
In mid-2019, Lora McIntosh took a sick day. Partway through it, though, her phone started ringing. And ringing. It was work. McIntosh is the chief information security officer at Simmons Bank, and the bank’s antivirus provider had just issued multiple red alerts.
“We freaked out a little bit,” said McIntosh, reached through Women in CyberSecurity. “If you have malware on your network and it's triggering on a whole bunch of systems, that could mean you're being targeted [by hackers]. It could be a really, really big deal.”
In addition to being upsetting, financial sector breaches can be wildly expensive. Right around this time, Equifax agreed to pay up to $700 million in damages to users whose data had been stolen from its systems.
The Simmons leadership team strategized quickly. They reached out to potentially compromised clients, asking them to reset their passwords. They quarantined computers that might have been infected with malware, taking them offline so they couldn’t spread the virus to other machines on the bank’s network.
“It’s triage,” McIntosh said. In other words, they handle a security crisis like an overrun emergency room, treating the most dangerous wounds first.
“It can be really stressful,” she added. “There are times that I go, What have I done?”
There’s a fundamental asymmetry to her job: Whereas hackers and malware distributors only need to find one security hole to infect an entire system, McIntosh and her team must maintain robust defenses around the clock. Cybersecurity in banking requires constant attention.
Top Contributors to Cybersecurity in Banking and Finance
- FireEye
But not every crisis is as bad as it seems — or a crisis at all. When things went haywire on her sick day, McIntosh’s company reached out to its antivirus provider for more information. The response, when it finally came, was anticlimactic: false alarm. Still, the threat of a genuine breach looms large.
Making a “Cybercop”
McIntosh usually works at the bank’s offices near Little Rock, Arkansas, overseeing the security systems. She manages three teams that help her on that front, each focused on one area: monitoring tools, researching alerts and managing user access levels. McIntosh also handles IT governance, an umbrella term for the company’s security policies, standards and procedures — for example, the protocols users should follow before connecting to the bank’s network.
McIntosh hasn’t always worked in banking, but she’s been drawn to information security since high school, when a teacher offhandedly mentioned it in class. McIntosh already loved computers; she had recently installed Linux via dial-up modem, a process that took “on the order of days.” Information security spoke to her; she liked the idea of being a “cybercop.”
In college, she studied computer science and worked in the campus networking department. The office was flooded with cease and desist letters. Students routinely used the campus network to download copyrighted files through popular but illegal file-sharing software, like Limewire and KaZaA. For her senior project, McIntosh decided to tackle that problem by installing an open-source Snort Intrusion Prevention System that blocked illegal downloads.
She began working in cybersecurity full-time after graduating in 2004, hopping in and out of industries, doing a stint at the National Security Agency and consulting for an energy company. Then came an opportunity in banking, and there she has stayed. The industry poses compelling challenges. It’s an obvious treasure trove of sensitive data and money, which makes it catnip for hackers. By one estimate, major financial institutions face hundreds of thousands of online attacks every day — multiple incursions each second.
We’ve rounded up some of the key companies that help the financial sector protect its digital data.
Microsoft
Location: Redmond, Wash.
Heavily regulated offline and on, financial institutions must comply with more than 800 cybersecurity laws and standards — and Microsoft has helpfully compiled all of them into a free Universal Compliance Framework. The company also offers detailed maps of how these required controls can be activated in Azure, and how they integrate with typical banking workloads. Azure also comes with built-in finance-friendly security features, like AI that crawls real-time activity logs for signs of fraud.
Forcepoint
Location: Austin, Tex.
Forcepoint’s security platform weighs security against convenience by calculating real-time risk scores for each user, distinguishing accidental flubs from suspicious behavior. The lowest-risk users then face fewer authentication hurdles in the Forcepoint system, while higher-risk users — potential hackers or internal threats — are flagged. This user-centric system protects on-premise and cloud-based data centers equally well. It can also scan webs of disparate endpoints, including computers and phones, for trouble.
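To make the risk-scoring idea concrete, here is an added example of a minimal risk-based authentication scorer. It is illustrative code written for this page, not Forcepoint’s product or any code from the article; the signals (unknown device, unusual country, off-hours login, recent failed attempts), the weights, the thresholds and the sample login events are all constructed assumptions. The scorer learns a per-user profile only from successful logins, so a burst of failed attempts from an unfamiliar place never becomes “normal.”

```python
"""Added example: a toy risk-based authentication scorer.

Not the article's or Forcepoint's code. Signals, weights, thresholds and the
sample events below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class LoginEvent:
    user: str
    ts: datetime          # event time, UTC
    ip_country: str       # country resolved from the source IP (assumed)
    device_id: str        # browser/device fingerprint (assumed)
    success: bool         # did the credential check pass?


@dataclass
class UserProfile:
    """What we have learned about a user from successful logins only."""
    usual_countries: Set[str] = field(default_factory=set)
    known_devices: Set[str] = field(default_factory=set)
    recent_failures: int = 0


def score_event(profile: UserProfile, ev: LoginEvent) -> int:
    """Return a 0-100 risk score for one login attempt (weights are assumed)."""
    score = 0
    if ev.device_id not in profile.known_devices:
        score += 30                                   # never-seen device
    if profile.usual_countries and ev.ip_country not in profile.usual_countries:
        score += 40                                   # unusual geography
    if ev.ts.hour < 6 or ev.ts.hour > 22:
        score += 10                                   # off-hours access
    score += min(profile.recent_failures, 5) * 10     # recent failed attempts
    return min(score, 100)


def decide(score: int) -> str:
    """Map a risk score to an authentication outcome (thresholds are assumed)."""
    if score < 30:
        return "allow"            # low risk: no extra hurdles
    if score < 70:
        return "step-up-mfa"      # medium risk: require a second factor
    return "flag-and-block"       # high risk: block and alert the SOC


def process(events: List[LoginEvent]) -> List[Tuple[str, str, int, str]]:
    """Score events in time order, updating each user's profile as we go."""
    profiles = {}
    decisions = []
    for ev in sorted(events, key=lambda e: e.ts):
        p = profiles.setdefault(ev.user, UserProfile())
        s = score_event(p, ev)
        decisions.append((ev.user, ev.ts.isoformat(), s, decide(s)))
        if ev.success:
            # Learn only from successful logins so attackers cannot
            # "train" the profile with failed attempts.
            p.known_devices.add(ev.device_id)
            p.usual_countries.add(ev.ip_country)
            p.recent_failures = 0
        else:
            p.recent_failures += 1
    return decisions


def _utc(y: int, mo: int, d: int, h: int, mi: int) -> datetime:
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    LoginEvent("alice", _utc(2019, 6, 3, 9, 0), "US", "dev-a", True),   # first login, new device
    LoginEvent("alice", _utc(2019, 6, 4, 9, 15), "US", "dev-a", True),  # routine
    LoginEvent("alice", _utc(2019, 6, 5, 2, 30), "RO", "dev-z", False), # odd hour, place, device
    LoginEvent("alice", _utc(2019, 6, 5, 2, 31), "RO", "dev-z", False), # repeat failure
    LoginEvent("bob", _utc(2019, 6, 5, 14, 0), "US", "dev-b", True),    # bob's first login
]

if __name__ == "__main__":
    for user, when, score, outcome in process(SAMPLE_EVENTS):
        print(f"{when} {user:6} score={score:3} -> {outcome}")
```

Run as a script, it prints one line per event: alice’s first login on an unseen device gets a step-up, her routine login is allowed, and the two off-hours attempts from an unfamiliar country and device are flagged and blocked with a rising score. A real deployment would pull the same signals from an identity provider and SIEM rather than an in-memory list.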
Proofpoint
Location: Sunnyvale, Calif.
Proofpoint offers protection against some of the fringe digital threats faced by financial institutions and other prime hacker targets. The software safeguards enterprise social media accounts (which can be used to phish customers, among other things) and screens attempted hacker invasions via social engineering. The platform even protects against non-compliance threats using ultra-modern archiving features that ensure banks neither lose nor delete data that must legally be on hand.
FireEye
Location: Milpitas, Calif.
FireEye’s consultants patch vulnerabilities by custom-fitting the company’s security platform, Helix, into existing bank security systems. Though heavily regulated, financial sector companies often have digital vulnerabilities. Routine mergers and acquisitions, for example, create various gaps in threat coverage. Helix offers a versatile fix, with features like malware communication tracking — which comes in handy at Citizens National Bank of Texas, where Helix sits between the enterprise firewall and the Wild West of the internet, blocking threats that might otherwise leak through.
Check Point
Location: Tel Aviv, Israel
Check Point’s comprehensive architecture secures on-premise data warehouses, mobile devices like phones and laptops, and even global networks of ATMs. It’s designed to ward off persistent attacks, whether targeted phishing campaigns or swarming bots. And it does so while hewing to federal and local regulations and prioritizing macro-scale efficiency.
In the near future, McIntosh said, financial institutions will cautiously migrate to the Cloud. Though the industry faces high-tech threats, it’s never been known for early adoption. Financial data is too sensitive for true experimentation, McIntosh explained, and off-premise cloud storage is “a big paradigm shift” for the field.
“The old security mentality was: I've got a building and then I'm going to put some walls around it and I put up a moat and a drawbridge and all these perimeters and defenses,” she said.
In other words, it was all about on-premise data storage. The notion of entrusting sensitive information to outside servers banks can’t directly manage raises security questions, which McIntosh ponders daily. Potential solutions include virtual firewalls and encrypted cloud storage — but it’s unclear what’s right for banking.
“We're not just going and buying the latest, greatest thing,” McIntosh said of infosec professionals in the finance sector. “[We’re] very strategic.”
The same goes for machine learning solutions, though McIntosh sees potential applications in banking — especially in fraud protection.
“If you think of the amount of raw data that [our systems] ingest on a daily basis… [it’s] thousands and thousands of events per second. Humans cannot make sense of all that data,” she said. “In the next couple of years I think that we're going to have better algorithms to analyze that data.”
But it’s a slow process. Machine learning algorithms must be trained to read cues the way human security officers do, and they need to be integrated into ultra-secure software. McIntosh has yet to come across the right machine learning product for her bank.
Shopping for products, though, is far less stressful than recruiting and retaining talent, she said. There’s a global shortage of cybersecurity professionals who can protect large systems from targeted threats, and hiring is more difficult in Little Rock than in renowned tech hubs like San Francisco. By the American Cyber Alliance’s (ACA’s) count, Arkansas now has more than 800 open cybersecurity jobs.
McIntosh hopes the state of Arkansas can begin cultivating cybersecurity talent rather than just hoping it will materialize. She has high hopes for the ACA, in particular. Locally founded, the organization focuses in part on workforce training. In addition to collaborating with schools and colleges on their tech-related curricula, the team runs a 14-week cyber-apprenticeship program that functions kind of like a security-centric coding bootcamp. It’s nontraditional, but so is much of tech.
“A college degree isn't a prerequisite to do a lot of the things that are in IT,” McIntosh explained. “There are high school kids who can probably hack things more effectively than some professionals.”
The bootcamp, she thinks, can “tune up” some of that organic talent that might not flock to university campuses.
“I think it's really the only way we're going to solve the skills gap,” she said.