Tuesday, June 28, 2022
Anurag Lal, president and CEO of NetSfere, discussed the event and its implications for financial services firms with The Green Sheet in this exclusive interview. Lal previously served as Director of the U.S. National Broadband Task Force for the Federal Communications Commission under the Obama administration.
What are some key takeaways from the Credit Suisse story?
Because cyberattacks in messaging are relatively new and ever-evolving, placing blame is not always black or white. For example, Anthony Kontoleon was reported to be leaving to pursue other opportunities. While no inappropriate information was being shared, it was still enough for him to be asked to leave because of the risks posed with using an unapproved, consumer-grade messaging app. Because the same messaging platforms are also used personally, usually with the same profile, users are more likely to interact with professional contacts in a more casual way and may be more likely to share sensitive client information, similarly to how they would share a photo or article with a friend or family member without considering the consequences.
Why, in your opinion, do financial institutions take such a dim view of consumer-grade messaging apps?
Because these apps are so easily and universally used, the threat seems so low. These apps are used every day both professionally and personally – the more we see something, the less harmful it seems. In the case of WhatsApp, financial institutions that operate globally would be likely to use it because it is the most popular global mobile messenger app worldwide, making it easy to communicate with international partners, investors, clients, etc. However, they are starting to see that popularity does not equal safety and can actually make the platform a bigger target for cyberattacks if not properly regulated. Recent lawsuits brought against platforms by organizations in other industries, including healthcare providers and educational institutions, have likely cautioned financial institutions against running the same risk. Recently, four top healthcare providers in North Carolina filed a lawsuit against Meta for intentionally intercepting user data obtained through the tool Meta Pixel. The tool was also implicated in a data breach that shared information from FAFSA accounts with Facebook.
What are the most trusted communications methods currently in use among financial institutions?
A trusted communication method should be one that implements end-to-end encryption and zero-trust security. End-to-end encryption ensures that any form of communication goes from the sender to the recipient and can only be encrypted and decrypted by those specific parties. This removes the threat of interception by a bad actor. Zero-trust security requires users to prove their identity each time they log in to a communication platform through two-factor authentication, alerts when a new device is used, and other similar safeguards.
What secure characteristics do trusted communication methods commonly share?
In addition to end-to-end encryption and zero-trust security, trusted communication methods are constantly being updated to keep up with the growing volume and technological advancements of cyberattacks. Platforms that provide trusted communication methods also have organized protocols in the event of a data breach to mitigate the damage and maintain the trust of their users. They are also invested in studying how an attack happened in order to figure out how to prevent it in the future and update their system accordingly.
What are the differences between trusted communication methods and off-the-shelf messaging apps?
The answer is simple: security. Trusted, enterprise-grade communication methods are made for exchanging sensitive, confidential company data, IP and files securely. In a world where the workforce is becoming more remote and less centralized in a physical office, employees need tools to help them communicate and collaborate quickly and efficiently without concern that their information could be accessed by an external party. The main difference between enterprise-grade and consumer-grade messaging apps is just that – level of protection from outside entities. Enterprise-grade messaging solutions are built with necessary encryption and security protocols to shore up defenses and lock down communication.
What advice do you have for third-party service providers for messaging best practices when working with bank partners and clients?
The best way to ensure that you are safely communicating with colleagues and clients, both internally and externally, is to utilize compliant, secure communication and collaboration channels. Fully encrypted communication channels ensure that your message is going only to the intended end-user, protecting company records and other items to the highest level. Compliance of your messaging solutions ensures you're following regulations and other rules like data retention policies, Sarbanes-Oxley and other mandates.
It's also important to educate employees within the organization on cybersecurity dangers as hackers and phishing scams become more and more sophisticated. They're resorting to more realistic email schemes and even SMS messaging (also called "smishing"). Implementing the aforementioned zero-trust models and regulating "Bring Your Own Device" (BYOD) policies will also help keep messages safely in check.
What protections has NetSfere put in place to safeguard internal and external communications?
NetSfere uses device-to-device encryption, which prevents messages from being detected or unlocked until they reach the desired user's device. This is also known as "end-to-end encryption," which prevents any weak access points in the communication delivery process – which is where consumer-grade messaging apps falter. You've likely seen countless breaches with apps like WhatsApp, which is why the Credit Suisse news was so alarming. The lack of encryption in these types of apps puts the entire organization at risk when used for business affairs.
NetSfere's messaging solution is also fully compliant and gives enterprises and IT administrators complete control over corporate accounts to ensure user deployment and compliance.