For regulated investment firms, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has prioritized “cybersecurity with an emphasis on, among other things, governance and risk assessment, access rights and controls, data loss prevention [...] and incident response.”
While firms have significantly strengthened their compliance policies, their actual practices still reveal alarming gaps. Behind closed doors, compliance leaders in many firms I get to speak to admit that they lack the tools to sufficiently monitor, audit, and enforce employee web use policy.
Regulators expect firms to make a “reasonable” attempt to ensure oversight and remediate areas of weakness. So what’s getting in the way?
Whether research analysts or investment managers use business apps or social media, they rely on the locally installed web browser as their primary tool. It is the very same tool that increasingly leaves firms exposed to risks of data breaches and compliance violations online.
In a recent report, Osterman Research cites “a wide range of threats” resulting from the use of locally installed browsers, including “ransomware, other types of malware, leaks of sensitive and confidential information, and catastrophic data breaches.”
This puts an extra burden on compliance and IT leaders. While more business functions in investment firms are shifting to cloud-based applications and services, ironically their locally installed browsers are still stuck in IT’s past.
Their inherent security weakness makes them a gateway for web-borne exploits. 1 in 13 web requests today lead to malware, up from 1 in 20 in 2016, according to security researchers at software firm Symantec.
As a result, the browser has become synonymous with increased risk, loss of control and compliance violations online. The underlying reason is simple: the local browser was not designed with security and compliance in mind.
At its core, the local browser remains an anachronistic holdover from the 1990s rush to the web. Its inherent lack of security and auditability leave firms exposed to risks of data breaches and data loss.
As a result, the browser has become synonymous with increased risk, loss of control and compliance violations online. The underlying reason is simple: the local browser was not designed with security and compliance in mind.
This has created a dangerous blind spot for the compliance team and IT. The browser’s architectural flaws and vulnerabilities make it notoriously difficult to manage, monitor, and secure against web-borne exploits.
The outdated, supposedly “free” local browser comes at a cost. It necessitates IT security point solutions which lull users - and IT admins - into a false sense of safety. Examples are antivirus (AV) software and secure web gateways (SWG) on the local network, which aim to fill the security or compliance gaps left by the local browser.
Such tools add more complexity and maintenance requirements, and they also tend to introduce additional risks, security researchers warn. The same holds true for URL filtering solutions that aim to mitigate web risks by categorizing sites in “blacklists” and “whitelists” - at a time when most compliance risks emanate from the web’s “gray zone”.
The exponential growth of the web has rendered traditional black/white, risk/no-risk categories obsolete. Blacklists have failed to make firm safer, because they are outpaced by the web’s rapid growth. Loss of productivity commonly results when team members are unable to access sites they need for research.
Whitelisted or authorized sites, on the other hand, may be assumed safe, but aren’t. Too often, they contain web-based scripts that the browser executes locally, infecting the firm’s IT infrastructure with malware.
A cloud storage service may be whitelisted for internal use, but it can also be abused. Using a local browser, insiders can exfiltrate proprietary information to a personal account with the same service. This is an actual example, not merely a theoretical possibility.
Firms are usually blindsided by such incidents. Problems like these typically arise in firms that still use a local browser to access the internet, which prevents oversight and control for the compliance team and IT.
Compliance and IT teams face a conundrum. A more restrictive web use policy may help ensure network security and oversight. On the downside, it may also lead to a productivity loss and put the firm at a competitive disadvantage.
Team members rely on the web to quickly aggregate actionable market intelligence from widely disparate sources. They also need to access office resources from home or via public WiFi without putting their firm at risk.
All this is why, following the example of leading financial institutions and organizations in other highly regulated sectors, more investment firms are taking the logical next step. They eliminate the risks associated by replacing the regular browser by isolating web access with a cloud browser that can be centrally managed, monitored, and audited.
How do cloud browsers work? With Silo, the compliance-ready cloud browser made by Authentic8, all web code is processed on a remote host configured for regulatory compliance and data security. No code from the web can reach the local IT infrastructure. The cloud browser serves as a central, audited asset that ensures all user activity on the web can be reviewed against GRC requirements.
Authentic8 Whitepaper: A Cloud Browser Built
for Compliance and Control - download it here [PDF]
Browser isolation outside the firm’s IT perimeter offers a win-win-win instead of weak compromises, enabling CCOs and IT to implement the recommendations of the OCIE. Employees get access to the web via a secure, compliant, personalized browser. IT gets complete isolation from the risk of malware, a robust set of administrative controls, and a fully auditable log of a user’s activity, all embedded in a remote cloud browser.
Since May of 2018, investment firms with business interests in the European Union have one more reason to use a cloud browser: GDPR. Browsers that touch the data of European citizens, for example when accessing HR apps, would have to provide privacy controls that fulfill the requirements of the European Union’s Data Protection Directive (Directive 95/46/EC) and meet the requirements of the General Data Protection Regulation (GDPR).
Market research indicates that most firms expect their cloud browser solution to provide a single point of control and granular oversight for IT administrators and the compliance team. With a compliance-ready cloud browser, there should be no more blind spots when team members go online.
Each browser session should be built from scratch, based on embedded policies predefined by the firm’s IT security or compliance teams. A compliance-ready cloud browser enables the team to centrally manage network device access, websites, content types, credentials and data operations. It should log and encrypt all user actions, to facilitate compliance reviews and post-issue remediation.
Last but not least, investment firms should ensure that the solution they select has already proved its mettle in real-world use. By choosing a cloud browser trusted by the firm's peers in the financial services sector, their law firms and vendors, as well as by regulators, they will save time and money and regain control on the web - before it’s too late.
The original version of this post appeared in Corporate Compliance Insights, a leading source of news and information for compliance officers, risk managers, internal auditors and general counsel. Would you like to learn more about remote browser isolation for financial servces firms? Download the Authentic8 whitepaper A Cloud Browser Built for Compliance and Control here [PDF].
Authentic8 Team is a group of cybersecurity enthusiasts, investigation sleuths, top-notch engineers, news junkies, policy wonks and all-around fervent writers hell-bent on bringing you the best darn blog in the industry.
Want to learn more about the Silo Web Isolation Platform? Have a general inquiry about Authentic8? We’d love to chat! Click one of the buttons below to get in touch with our representatives.
