How Safe Is Your Data?

As a new market entrant in an industry that has been notoriously slow to adopt modern practices, the bar has not been set too high by those that have preceded us, specifically as it relates to use of emerging technology and prioritizing infrastructure security.

Early in the discussions of who we are as an organization, we quickly determined that in order to obtain competitive operational efficiencies, we would be required to partner with a cloud native technology service provider that offers a Managed Software as a Service (MSaaS). Check, enter LauraMac.

Next, we needed to assess what our infrastructure requirements would be and how we could achieve the requisite operational security infrastructure to support our business footprint. We immediately decided that the only solution would be to build (configure) a cloud native enterprise infrastructure that would support our business operations, deliver access to disparate technologies, and maximize the value of one of our core principles: establish and maintain a strong infrastructure security posture that meets the strict cybersecurity and privacy obligations our heavily regulated clients expect from us.

Each betrayal begins with trust…

We started our assessment with this simple question: How does adopting the traditional business model potentially expose us, and as a result our clients, to risk? We understood first that we would need to support a large mobile/remote workforce, provide security to protect our team members (from themselves, most of the time), permit various types of access endpoints (aka devices), manage and connect disparate applications, and ultimately protect and preserve the most important thing our customers entrust us with: the secure custody of consumer data.

As part of the modern Financial Services industry, albeit as a vendor to it, it is clear we will need to design, build and continually optimize our security model to adapt more effectively to the ever-changing complexity of the modern tech stack. With this in mind, the first major step we took had to point toward our eventual goal: establishing a Corporate SecOps standard that would set us in the direction of a secure infrastructure through a continuous improvement model and move us toward a Zero Trust security posture. Ok, sounds easy, right? But how do we do this while embracing a remote workforce and not inhibiting our team’s productivity?

Well, the answer was clear: let’s start by figuring out how to reduce the single largest attack surface that an organization faces… and believe it or not, that would be email. Honestly, I hate email, but no matter where I go, or whom I interact with, it has established itself as a standard in the business world despite the inherent dangers associated with its use. Email is the source of spam, malware (ransomware) and phishing attacks. According to CSO Online, “[p]hishing attacks account for more than 80% of reported security incidents.” Phishing may be the single most dangerous social engineering attack vector that a corporation will face. Per Wiki, “[p]hishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details or other sensitive details, by impersonating oneself as a trustworthy entity in a digital communication. Typically carried out by email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.”

With some simple but quick maths, we were able to determine that >95% of user communications are purely in-house, meaning that <5% of all of our projected email communications would need to go outside of our infrastructure via a mail server or webmail interface. Let that sink in, <5%… but 80% of security incidents are the result of phishing attacks that use email as their entry point. The answer was obvious: limit the use of email to client-facing or external-party-facing team members only.

As a first step toward our Zero Trust goal, we have elected to use a purely internal messaging solution for the 95% of communications that are internal, and not to offer email to most of our team members, purely because there are safer and more intimate means of communication available to us that suit our security posture and our cultural goal of creating a more personal work environment. And then, for those unfortunate souls who must use email to communicate with the outside world, we would educate the heck out of them to be aware of the risks associated with phishing attacks. Not impenetrable nor impervious to attacks, but a day-one key decision that takes us toward our Zero Trust goals by significantly reducing the single largest risk vector for businesses today. Just say “no” to corporate email.