Posted By Jessica Weisman-Pitts
Posted on February 1, 2023

By Alon Levin, VP of Product Management at Seraphic Security
Once upon a time, financial institutions had to deal with criminals like John Dillinger, Bonnie (Parker) and Clyde (Barrow), and Valerio Viccei who committed crimes worthy of—and sometimes depicted in—Hollywood movies. While the threats facing the average financial institution are less sensational than the Knightsbridge Security Deposit robbery or the Banco Central burglary at Fortaleza, there is a reason the cybersecurity industry remains rife with references to the apocryphal Willie Sutton quip about banks being “where the money is.” The threats—though less dramatic—remain pervasive.
Instead of individuals, modern villains are criminal gangs with sinister names like “Carbon Spider” and “Stardust Chollima.” Instead of physical break-ins, modern “heists” are more likely to be cyberattacks, though the risk is not limited to hard currency. Financial services firms also hold a wealth (pun intended) of information on their clients and customers. No doubt, this combination of assets and data is why the Boston Consulting Group found that financial services firms are 300 times more likely to be targeted by cyberattacks than companies in other sectors. The same research also found that, even though the cost of addressing a cyberattack is especially high for banks and wealth managers, most are not equipped to respond to cyberthreats.
Software, not safe deposit boxes
Even though much of what financial services companies do relates to physical assets, most of the work is digital. Both employees and customers conduct their business electronically and they both use a common tool: web browsers. In the case of employees, many (if not most) core business applications have been “webified” and even legacy “green screen” applications can be delivered through the browser.
However, unlike legacy software applications, browsers can and do access resources outside the enterprise network. Similarly, online banking is the norm rather than the exception for most customers, but they do more with browsers than handle their finances. Because of their pervasiveness, portability, and mixed use, browsers can be the target of several types of attacks:
- Phishing – While this technique is usually associated with email, the browser is where the real damage is done. Attackers use official-looking emails to lure victims to authentic-looking websites and harvest their credentials, deliver malware, or trick them into authorizing fraudulent transactions. Attackers can use the stolen credentials and malware to further compromise and extort the organization, or just “take the money and run.”
- Adversary-in-the-Middle – This technique enables an attacker to eavesdrop on and potentially manipulate data in transit between the browser and a server. Such an attack may enable an attacker to steal sensitive data and disrupt business operations.
- Exploitation – Browsers are complex pieces of software, and all software has bugs, some of which can be leveraged by attackers to execute malicious code. Organizations are particularly susceptible to exploitation if they are unable to rapidly deploy the patches that mitigate the underlying vulnerabilities. Attacks of this type have similar consequences to those listed above and can give attackers an important foothold in a critical tool that provides broad access to enterprise resources.
Securing the virtual premises
A variety of physical security measures, ranging from specialized vault doors to motion detectors to silent alarms, have been developed to make bank robberies more difficult. Many IT security solutions also exist, although browsers have historically been under-defended. But ignoring the browser is like failing to protect the teller window: both are where important transactions take place and where criminals can gain critical access.
Fortunately, solutions exist that can embed better security directly in the browser and prevent the attacks described above. These solutions allow for safe browsing so that end-users can perform both work and personal tasks, using whatever browser on whatever device they choose, without risk to themselves or to the organization. These solutions also include data leakage/loss prevention (DLP) and other policy controls to protect sensitive data—such as customer information—from accidental or intentional disclosure. Embedding these capabilities in the browser, instead of trying to implement them with external tools, provides both a better defense and a better user experience. It also means that, even as hybrid and remote work persists, organizations can provide consistent protection and policy enforcement, regardless of employee location.
To torture an old banking idiom a bit, it’s important to “look after the pennies so the pounds will look after themselves.” That is to say that starting with something small, like browser security, can help build an important foundation for securing the rest of the organization. The technology exists and—like any investment—the best time to start is yesterday. The second-best time is now.