As financial crime investigations have moved increasingly online, a rift has grown between the financial crime analysts and the IT teams that enable them. The mismatch of investigation and cybersecurity priorities has created a productivity issue for analysts. A recent survey conducted by Authentic8 and Association of Certified Financial Crime Specialists (ACFCS) found that 57 percent of analysts have seen caseload productivity decline or stagnate over the previous year, which could put their organizations risk monetary loss, compliance violations and exposure to adversaries.
To avoid these issues, organizations need to understand what’s at the core of the productivity problem and look for solutions that heal rather than worsen the analyst-IT tension.
Why Financial Crime Analysts and IT Collide
Financial crime analysts have a job to do: conduct high-quality investigations efficiently and follow leads wherever they may go to bring a case to its conclusion. But IT has their own mandate: protect the organization from security risks and maintain visibility and control as users access the webs. This need for IT to audit web activity and implement policy configuration is critical to the well-being of the organization, both in terms of reduced cyber risk and maintaining compliance.
The problem for financial crime analysts, though, is that their work can take them across the open, deep and even dark web — areas that are typically restricted by IT. Any type of web access has its risk, and that risk gets greater the deeper you go. In the course of their work, analysts may need to follow criminal activity into some pretty dark places. In their pursuit, they could open up their organization to malicious content, potential retribution by adversaries (of the cyber nature or otherwise), attribution back to the organization or, worse, analysts may abuse the tools, violating employee use policy or jeopardizing compliance.
What Financial Crime Analysts Need
Secure, Compliant Dark Web Access
According to the survey mentioned above, the majority of financial crime analysts are not leveraging the dark web in their research, although 46 percent think it would be valuable if it could be done securely and with an audit trail. This demonstrates not only the desire for investigative freedom but also a recognition of the need to protect their organization in terms IT can appreciate. But the ability to access the dark web would have significant improvement on caseload productivity, and likely on some of the most challenging cases.
84 percent of respondents believe their organization should invest more to reduce management overhead for IT related to investigations. While essentially all respondents (98 percent) agreed they needed to protect IT infrastructure while browsing unsafe sites, they are often left to their own devices to do so or are forced to rely on clunky permissions processes. Both these approaches take time away from investigations themselves, further affecting productivity.
91 percent of analysts agree that anonymity during investigations is desirable, if not critical. But the means by which anonymity is achieved often puts a heavy burden on IT to build and maintain parallel infrastructure and networks. The use of “dirty” machines and connections usually also requires physical access to in-house environments, which has proven especially difficult during the shift to remote work during COVID-19. Organizations may encourage work-from-home analysts to use their own devices, but that puts the end user at risk, and further complicates the audit and oversight requirement.
Achieving Managed Attribution
To truly manage attribution and misattribute financial crime analysts’ identities during investigations, wider user agent string and browser fingerprint attributes need to be manipulated. The user agent string, essentially the device you’re appearing as online, contains various elements attributed back to the user machine (e.g., the browser, operating system). Browser fingerprint elements tell the website more about the requesting computer, like language and keyboard support, display size and more. A real managed attribution solution can control and manipulate these elements. Online resources can also inform analysts of what these elements should be changed to; for example, the most common browser and operating system and time settings to match the egress location when visiting a target site. Proper misattribution will help analysts go unnoticed by the research target’s webmaster, thereby maintaining the integrity of the investigation.
Making Both Sides Happy
One of the underlying components of enabling managed attribution is the ability to isolate web access related to an investigation on a remote machine. An isolated web environment can support advanced capabilities useful to both analysts and IT.
Pairing web isolation with managed attribution gives analysts the anonymity they need and the layer of separation organizations need to control web-related risks. Leveraging a SaaS solution for both offloads the burden put on IT from the “do it yourself” approach of in-house systems and provides analysts the resources they need. Purpose built solutions should also have policy configuration and audit capabilities baked in. The need for proper audit and oversight of analyst activity cannot be overstated; they’re essential to maintaining good governance and are the means by which analysts can access resources that IT would normally restrict.
Once you have the secure access, managed attribution and oversight problems solved, IT can then move up the value stack by providing analysts tools that assist them in doing their research. One important enabler is secure cloud storage. Allowing efficient capture and annotation of potentially toxic content without bringing it inside the organization is a critical capability to meet the needs of the analysts’ job function without further increasing IT risk.
With this approach of web isolation, managed attribution and secure cloud storage, analysts are enabled to do their job well while giving IT the visibility and control they need to keep the organization secure.