Improving the security and stability of your IT operations doesn't necessarily mean getting new hardware and software. Many impactful changes are operational or strategic, and may even involve technologies or tools you already have in place.
As Blaine covered in his presentation, this list is not exhaustive, BUT it is meant to provide guidance on where to focus your IT security improvement efforts.
1. We are a small community bank. Bank regulators hold us responsible for a breach even if it was done by a vendor. How do I make certain that our data is held on our servers and NOT in the cloud?
There is little you can do technically to ensure a vendor isn't mishandling your data, so ensure you have the right contract provisions in place. Cyber Insurance is the first consideration here, as it can give you both first-party (internal) and third-party (vendor) liability protections and help to cover that liability in terms of fees.
When it comes to the data governance side of this, you have to look at protections in the form of a contract. It's hard to prevent or protect a vendor's use of your data in a technical sense, because that extends beyond your own control. Do ensure you review your vendors' materials to understand what they say they store and where, but know that what they publish is only the promise, and promises are sometimes broken.
It's important to note that utilizing trusted cloud vendors or cloud data storage solutions does not pose an inherent risk that we advise against, even for banks. There are many data security benefits to utilizing cloud solutions. Our advice is to ensure you are using well-vetted, trusted vendors that adhere to the regulatory and compliance standards required by your industry, and that you protect your own liability through contracts and adequate cyber insurance.
2. Is there an application that we can use to authenticate that we are talking to our customer, like MFA, in this day and age of Deep Fakes?
What we're able to do in these situations currently falls under authentication "challenges", i.e. challenging the person to prove they are who they say they are. The traditional way of doing this was the "shared secret" – and the usual shared secrets of the past (mother's maiden name, place of birth) are no longer adequate, since that personal data can easily be scraped from the web.
Today, authenticating a customer comes down to whichever element you have the best "trust" in.
What is your "challenge" that they have to respond to? Do you trust that you've pre-negotiated a secret verbal phrase? Perhaps you trust the mobile phone number on record (not one that was just supplied as part of the same possibly-fraudulent engagement!), and you can have them confirm something you send by text message. Maybe their email address is what you store and trust. Perhaps they have your custom app on their phone and can authenticate a challenge that way.
Most fraud is successful when the initiating party never has the lens turned back on them, so anything you can do to turn the authentication back to the client/caller will help. With deep-faked audio and video now easily accomplished, trusting solely based on recognizing a voice or face is now entirely off the table, even between coworkers within your own organization.
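As an added illustration of the out-of-band challenge described above (example code written for this page, not from Five Nines or the presentation): the one-time code is delivered only to the phone number on record, the number the caller supplies during the call is ignored for delivery, and the code expires and locks out after a few wrong guesses. The customer record, the identifiers and the SMS sender hook are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample record. The channel of trust is whatever is ON FILE,
# never a phone number or e-mail supplied during the current engagement.
CUSTOMERS_ON_FILE = {
    "cust-1001": {"phone_on_record": "+15555550100"},
}

CODE_TTL_SECONDS = 300   # a code is only good for five minutes
MAX_ATTEMPTS = 3         # then the challenge is dead; issue a new one


@dataclass
class Challenge:
    customer_id: str
    code: str          # the one-time code we sent (assumption: 6 digits)
    sent_to: str       # where it actually went, for the audit trail
    issued_at: float
    attempts: int = 0


def issue_challenge(customer_id, claimed_phone, send_sms, now=time.time):
    """Send a one-time code to the number on record.

    `claimed_phone` is what the caller told us. It is recorded for the
    analyst's benefit but deliberately NOT used for delivery, so a
    fraudster cannot redirect the challenge to a phone they control.
    """
    record = CUSTOMERS_ON_FILE[customer_id]
    code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, zero-padded
    send_sms(record["phone_on_record"], f"Your verification code is {code}")
    if claimed_phone != record["phone_on_record"]:
        # Mismatch is a red flag worth logging; it does not change delivery.
        print(f"[notice] caller gave {claimed_phone}, on file {record['phone_on_record']}")
    return Challenge(customer_id, code, record["phone_on_record"], now())


def verify_response(challenge, given_code, now=time.time):
    """True only if the code matches, is unexpired, and attempts remain."""
    if now() - challenge.issued_at > CODE_TTL_SECONDS:
        return False
    if challenge.attempts >= MAX_ATTEMPTS:
        return False
    challenge.attempts += 1
    # Constant-time compare: do not leak how many digits matched.
    return hmac.compare_digest(challenge.code, str(given_code))
```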
3. What is the best way to protect your organization from Business Email Compromise?
Microsoft's internal statistics show that over 99.9% of business email compromise (BEC) incidents occur on accounts that do not have Multifactor Authentication (MFA) enabled. Only 38% of M365 accounts have MFA enabled, up just 10% from last year, according to a blog from Microsoft's VP of Identity Security.
Five Nines has observed the same in our own handling of BEC incidents. The small percentage of cases where MFA is ineffective comes down to human error: more sophisticated phishing or attacker-in-the-middle techniques that trick the user, approving a push notification one shouldn't have, or misconfiguration.
So, MFA is a great first defense. Your best secondary defense against BEC is to have effective training in place for all employees in your organization, to instill a healthy level of cyber awareness (and paranoia). Your team members need to be able to recognize the indicators of the latest phishing scams and identify red flags in their digital communications that could lead to a breach of credentials.