An emerging defense against hackers
Advisors have struggled to stay ahead of hackers, who are increasingly enticed by the value of client data.
Wealth managers, along with other financial services, suffer the highest cost of cybercrimes among all industries, according to Accenture. The threat is enough that advisors have received regular warnings from the SEC and FINRA to increase their internet security. The same regulators have also made cybersecurity testing among RIAs a top priority in their exams.
But most cybersecurity attacks start the same way they always have: Someone clicks on a link they shouldn’t have. Often, the signs of malicious intent are invisible to the human eye. The Accenture report notes the top forms of attack are web-based or from malicious software.
Advisory firms concerned about securing client data against such threats should take note of a move by some of the biggest banks to invest in an emerging system that could cut off the route hackers have to a computer.
JPMorgan Chase, American Express and HSBC announced on Monday that they are leading a $40 million round of funding into Menlo Security, a firm that develops isolated browsing technology.
Such systems force all internet activity to happen in a protected space on the cloud, preventing malicious code from reaching a company’s network. The technology is not brand new, but it is starting to gain traction as some large banks have finished their testing of it and are going public with their use of it.
“We’re very big believers in this new paradigm, isolation technology,” says Rick Smith, head of private investments at JPMorgan, which began investing in Menlo two years ago. “Isolation technology is fairly new on the field, it’s only four or five years old, and it’s only beginning to get real traction in the marketplace. Menlo is a leader in that space.”
Large financial institutions rarely go public with their investments in, and uses of, security technology. They often say they don’t want to put a target on their backs or encourage hackers to try to break any security they talk about.
In this case, Smith sees a broader good.
“It’s in the best interest of everybody in the financial services industry” to know about and implement technology like this, Smith says.
HOW IT WORKS
Using isolated browsing software is a little like viewing a zoo animal through a glass wall. You can see everything, but nothing dangerous can break through the wall and attack you.
At an institution that has implemented this technology, as soon as an employee clicks on a link, that link is opened in a protected, virtual glass box — a cloud instance run by a vendor. The experience shouldn’t look or feel different to the user, and vendors say there’s no delay. The isolation technology works across desktops, laptops and mobile devices.
“There’s no chance of your device being infected because it’s not allowed to ever connect directly to the outside world,” says Amir Ben Efraim, co-founder and CEO of Menlo Security. “What we do from there is mirror the session in a transparent way, and send the mirroring back to the end user, so they think it’s a native interaction. They can’t tell any of this is going on.”
Isolated browser technology can be integrated with an existing network so that all outbound requests — directly to the web or when clicking web links in email — go through the isolation platform. When an employee is traveling, a flag is set on all of the company’s end-user devices, which ensures that they connect to the web through the isolation technology.
Gartner analysts have estimated that by 2021, 20% of enterprises will adopt a remote browser solution to isolate internet browsing from enterprise systems, up from less than 1% in 2016. Such organizations will experience a 70% reduction in attacks that compromise end-user systems, they say.
Authentic8, Aurionpro, Digital Guardian, Fireglass, Light Point Security and Ntrepid all offer this technology in addition to Menlo Security.
JPMorgan, which allocated $500 million of its $9.5 billion tech budget in 2016 to security, has been using Menlo’s isolation technology for web browsing for two years.
Every time someone on JPMorgan’s network clicks on a link, what appears to be a browser pops up on the person’s computer as usual; it’s really a one-time instance in the cloud. When a user clicks on to another web page, the previous browser is thrown away and a new instance is spun up in the cloud.
“It prevents downloading of malware onto your computer because everything is done in this isolated unit in the cloud,” Smith said.
JPMorgan is in the process of rolling out the same isolation technology for email to prevent phishing.
“You get an email from somebody and it says, ‘Urgent, reset your password!’ There’s always a sense of urgency about it, they’re trying to get you to click on the link,” Smith said. “When you click on that link, if you’re not protected, all kinds of bad things can get downloaded onto your computer, including keystroke monitoring software.”
Using the Menlo software, clicking on a link embedded in an email also triggers an instance in the cloud.
Al Pascual, senior vice president of research and head of fraud and security at Javelin Strategy & Research, isn’t seeing banks rush to adopt isolation technology.
“This is not new technology; there are a number of providers in the market who have been offering this for a while,” he said. “I have not heard much among our clients as far as interest in deploying.”
Asked why this technology hasn’t gained more momentum before now, Smith explained that sizable organizations tend to be conservative about making changes. “This is protecting the core assets of a firm,” he said. “So people are very cautious about it, and they like to test things; they like to see how other people deal with such issues.”
Pascual suspects many banks are daunted by the expense of isolation technology. “If you think about a bank that has hundreds of thousands of employees, deploying [the software] at scale can be cost prohibitive,” Pascual said.
Menlo’s pricing is tiered with volume discounts based on the number of seats, starting at $100 per user per year. Efraim said this is in line with competing providers.
Pascual acknowledges that the technology is useful.
“Banks are being targeted by the kinds of attacks that take advantage of the fact that anyone can undertake a ransomware attack or phishing attack that’s predicated on getting an employee to click a link, or even drive-by downloads,” he said. “There are very real threats these solutions can help mitigate.”