October 2016 - Just a few years ago, if your company was hacked by a cyber attacker, you probably did not suffer a material financial loss. The situation may have been embarrassing, if the public or your customers knew about it at all. The incident likely served as a wake-up call to the executive and technology teams to strengthen security, and ensure that systems were up to date. In contrast, if your company were attacked today, the scenario could be vastly different. Today’s cyber criminals are highly skilled and focused on monetary gain, either through unauthorized transactions or holding your data and critical systems for ransom. In addition to financial loss, your company could risk significant reputational damage with your customers and the public if you are not prepared to mitigate and respond to a breach.
Cybersecurity has evolved into one of the most urgent, complex challenges companies face, because both technology and human behavior contribute to the risk. Financial services providers in particular are attractive targets because of the vast amount of money that flows through the system. Today’s cyber attacker is organized and structured. Hacking organizations hold recruiting events, offer signing and performance bonuses, and train their teams, much like large consulting firms. It is a high-reward culture in which the return on investment can be dramatic in a short time. Furthermore, foreign hackers are often funded by governments, which influences if and how law enforcement gets involved and can shield the attackers from accountability to U.S. law and to the companies they attack.
The financial services industry overall has been a leader in embedding cybersecurity into the organization and its culture. However, with fixed budgets and hierarchical structures, it is a constant challenge for financial companies to stay the necessary one step ahead. Additionally, as the industry shifts toward outsourcing transaction processing and storing data in the cloud, the attack surface expands and attackers gain new opportunities to exploit weaknesses.
Partners, Technology, and Talent
Changes in the industry and evolving cyber threats make it necessary to have the right partners, technology, talent, and culture to support an effective cybersecurity program. As companies leverage third-party partners for transaction processing and data storage, it is imperative not to outsource the risk management of these functions along with the functions themselves: the company remains accountable for the risk even when a partner operates the system. Maintaining controls in a hosted environment is paramount. Companies and their partners must be transparent and share information freely. During contract development, it is important to spell out service level agreements and to include specific provisions around cybersecurity, such as how and how quickly breach notifications will be made, and how the two parties will respond and work together during an incident.
In house, the latest preventive and detective technologies can help identify where cybersecurity problems exist. Technology alone, however, cannot close all of the vulnerabilities. People must act on the information those tools produce, and they must exercise vigilance to monitor and maintain systems continually. Companies need to become better at tracking risks and understanding how these risks fit into the organization as a whole. Additionally, as outsourcing grows, each prospective partner’s security must be evaluated. Many companies do not have adequate staffing to accomplish these strategic and forward-looking tasks while also managing daily cybersecurity risks that demand constant attention. Demand for security talent is high across industries and the supply is low, particularly at the senior levels. As a result, talent acquisition and retention will likely drive up the share of IT spending devoted to security in the coming years.
Creating a Culture of Support
An IT ecosystem of partners, technologies, and talent is only as secure as its weakest link. Establishing a culture that prioritizes cybersecurity at every level and every function can help bolster the weaker links. Culture is particularly important for financial services companies as they are ready targets for attackers. Executives and the board of directors must regularly and consistently demonstrate support for cybersecurity. The right tone at the top can help an organization apply resources, including budgets, people and talent, and ongoing training to create an effective cybersecurity program.
Whether a company is putting a formal cybersecurity plan in place for the first time or refining an existing plan, a few key best practices can help managers address the challenges of today and remain nimble for the future.
Align the organization with an established security framework, such as the NIST Cybersecurity Framework, the CIS Critical Security Controls, or the FFIEC Cybersecurity Assessment Tool. Use this framework to develop the cybersecurity program and to help allocate resources against identified gaps.
Invest in frequent third-party assessments of the security program against that framework. Third-party firms bring the most current knowledge of threats and technologies to the organization. Use these assessments to triage how resources are allocated and applied for maximum effectiveness.
Be proactive in frequently engaging the outside world and be willing to share security data. The security team should participate in governmental and industry groups that share threat information (for financial services, the FS-ISAC is the principal example). Cybersecurity moves in real time, and a network of professionals can help an organization stay informed.
Build a top-down culture of discipline, vigilance, and openness around cybersecurity, and make it clear that management supports it. Ensure the chief information security officer has direct access to the CEO or chief risk officer. Communication is critical.
Develop a breach response plan. Practice preparedness protocols through simulations and tabletop exercises. Walk through scenarios with the cyber insurance provider, legal counsel, and public relations firm. Don’t leave the implementation of the response plan to the heat of the moment.