
BOCA RATON, Florida — The head of cybersecurity for
Brian Minick, chief technology and information security officer at
Minick also discussed challenges with information sharing among banks, which can be a potent defense against cybersecurity threats but can be counterproductive in certain cases.
Information-sharing challenges
Minick on Monday shared an anecdote about a meeting that occurred while he was working in the defense sector. This meeting highlights the challenges and risks associated with sharing highly sensitive threat intelligence, even in seemingly secure environments.
The meeting was held in a SCIF, which stands for Sensitive Compartmented Information Facility. Minick described it as a classified space designed with strict security protocols: no bugs, no listening devices, no phones, although paper was allowed. The purpose of the meeting was to share how Minick's organization was tracking a specific nation-state attacker. They met with "seven or eight defense contractors" to share this method, he said. Minick noted that the method they had developed had been effective at catching this attacker for more than a year.
However, less than a week after that meeting, the attacker changed its pattern. This change meant that the method Minick's team had been using to detect the attacker was no longer effective.
Minick concluded that "someone in that room went back to their company and lost control of that information." That breach allowed the attacker to learn how it was being tracked and subsequently change its tactics to evade detection.
For Minick, this experience reinforced the idea that "very sensitive, very effective" information like specific tracking methods needs to be kept within a trusted group that is capable of managing and controlling it securely. Information that is shared more broadly should ideally be less sensitive or have a shorter expected lifespan for its effectiveness.
Banks attack their own systems
The goal is to maintain "dynamic, very morphing defensive postures" that adapt to attacker changes, he said.
Minick affirmed the importance of proactive security measures such as penetration testing and bug bounty programs. The bank also uses internal red teaming to identify potential vulnerabilities before external attackers do.
"Anything we can do to find weaknesses within our systems, within our code, we welcome," he said.
Managing third-party risks
Third-party vendor risk is a substantial challenge, Minick said. He cited MOVEit as an example: a ransomware group exploited a vulnerability in the file-transfer software to steal data from thousands of organizations. The vulnerability compromised data
Effective management involves vetting vendors' cybersecurity programs, controls and processes. Financial sector requirements are higher than in many other industries, Minick said. He suggested that the industry needs to collaborate to influence vendors on security practices.
Layered defenses are also critical, ensuring visibility into vendor products and integrating them into detection capabilities.
Regarding the shift to cloud computing, Minick sees it as a "shift of risk" rather than elimination. While cloud environments can simplify some security tasks like encryption configuration, they also introduce concentration risk as hyperscalers — companies such as Amazon, Google and Microsoft that have major cloud computing businesses — become potential targets. The bank has moved from a "cloud first" to a "cloud smart" strategy, evaluating various hosting options based on specific business cases.
Insider fraud doesn't work out for the insiders
Minick also addressed the challenge of insider threats, such as in the case of
Key mitigation strategies Minick highlighted involve employee awareness, education and fostering a culture where employees are encouraged to report suspicious activity without fear of reprisal, even if they made a mistake.
"Creating that culture where you're encouraging people to let you know what they're seeing, what's going on … is also key," Minick said.
He also emphasized that it's important to highlight the risks employees take on if they collude with bad actors, reminding the audience that the situation did not turn out well for the Coinbase employees who took the bribes. Specifically, the employees lost their jobs; Coinbase referred them for criminal charges; and, according to
"You're the dispensable one in this situation from an attacker's perspective," Minick said of colluders. "They're not here to take care of you in this transaction."
What are the threats faced by banks in cybersecurity?
- Nation-state intelligence organizations (though more prevalent in defense, still a factor)
- Organized crime groups primarily motivated by financial gain and stealing money
- Attackers targeting bank customers directly rather than the bank itself
- Smishing and text message scams, such as fake toll collection fee messages
- Fraudsters creating fake bank websites and buying online ad space to trick customers searching for the bank
- Attacks via third-party vendors and supply-chain vulnerabilities
- Concentration risk, in which large cloud providers (also known as hyperscalers) become attractive targets because they house data from many institutions
- Employees colluding with attackers, potentially through bribes or deception
- Deepfakes and AI used to impersonate individuals (like a CEO on a call or a loved one) to facilitate fraud