COVID-19 has forced the financial services sector to move to a distributed workforce model, which in turn has heightened the role of incident response (IR) teams in taking a more proactive approach to supporting the new remote workforce wherever they are located.
This comes at a time when CrowdStrike has observed a significant increase in criminal activity in recent months, with nefarious players leveraging community interest in government benefits packages and COVID-19 information to launch phishing campaigns. In addition, Australian banks have been increasingly targeted by denial-of-service ransom attacks, and e-crime activity is up over 330 per cent since the start of the year compared with the same period in 2019.
Financial institutions have an obligation to protect company and customer information, made harder by the era of open and digitalised banking increasing attack surfaces. These fiduciary obligations have been coupled with an increase in remote working due to COVID-19. Many financial institutions have had to scramble to increase their remote working capacity in early 2020. Thus, incident response must be top of mind for businesses, as rectifying an incident effectively will help mitigate losses, reduce future risks and increase business resilience.
There are several ways in which IR teams can ensure business continuity and client satisfaction during ambiguous times. These include:
Education exercises for C-level management
Incident response teams play a growing role in familiarising C-level management with cyber hygiene and with deploying emergency action plans that enable security teams to invoke procedures, which include revoking targeted accounts and emergency firewall change requests.
Working with IR teams to rehearse drill scenarios such as reporting anomalous behaviour, vulnerability scanning and emergency patching should be prioritised to ensure everyone is clear on their role and fully prepared when confronted with a breach. As a general rule for any skill, you are only as good as your past practice.
Demand is higher than ever for business leaders to have IT knowledge in their repertoire, and IR teams empower this. Even the most intelligent and business-astute leaders will likely handle a stressful, unfamiliar situation inadequately.
‘Breach counselling’: Beyond the technical side
Individuals are often unprepared for what can be a catastrophic event in their lives when a breach unravels, spiralling into all sorts of conspiracy theories and denying the seriousness of the issue. The five stages of grief (denial, anger, bargaining, depression and acceptance) are also encountered in customers dealing with a data breach. They’re often non-linear, and are amplified by remote working and not having an IT team onsite.
The evolving role of IR professionals integrates emotional awareness and guidance, as business leaders often make ill-informed decisions during the breach grief cycle, such as withdrawing and trying to handle the issue on their own. Typically, in two out of three cases, the victim is not aware of the breach until informed by a third party, adding to their distress.
Experienced IR teams facilitate rational thinking for the client and play an empathic role, reinforcing teamwork during the investigation. Their ability to look over your shoulder and provide cyclical, clear communication should be used to grasp problem-solving methods, make the right decisions and validate confidence in a solution.
Security infrastructure and change management
IR teams ensure you have a secure infrastructure in place that is effective remotely. Their expertise should be invested in long-term planning and solutions, as hastily patching up a problem when already compromised is futile.
Many executives fall into the trap of approving infrastructure without proper testing, which can introduce harmful vulnerabilities into a network. Alongside IR teams, businesses need to prioritise updating policies to factor in personal devices, data privacy considerations and the adoption of new technology. Traditional forensics and legacy systems are no longer enough to combat the sophisticated techniques of today’s adversaries. Deploying next-generation security solutions allows greater visibility of endpoints, providing surveillance-like capability to proactively scan for threats. Without an office IT team within easy reach, changes to policy need to be clearly communicated to limit human error.
The number of attacks occurring is rising exponentially and it is impossible to predict when and where they will happen. During these uncertain times, working with IR teams to combat the cyber challenges of a distributed workforce and industry digitisation is vital for the sustainability and resilience of the financial services sector.
Mark Goudie is the services director, Asia Pacific and Japan at CrowdStrike.