In September New York Governor Andrew Cuomo announced a new regulation on cybersecurity and the financial services industry in his state. The issue: Cyber-attacks are increasing, and on a global scale.
We read or hear about data breaches almost every day. These announcements no longer surprise us because they have become so common. The result of a data breach, however, can be horrific and traumatic to the victim.
New York’s new regulation underscores that you need to be doing more.
What we haven’t learned yet
The real question is: have all of the cyber-attacks been discovered?
Are the virtual fortresses wrapped around our non-public information and personal identities protecting us?
I would speculate that the answer to those questions is: “No.”
When I served in the U. S. Navy, I worked in electronic warfare. Our duty was to detect electronic threats and respond accordingly.
We had state-of-the-art systems. When deployed at sea we were constantly vigilant, searching for potential threats. Our advantage: We knew our enemy and why we were there. This remains the mission of our armed services. But when thinking of electronic commerce and public and private businesses, the scene changes.
The bad guys have access to the latest technology, even more so than when I was in the service. The internet and the world wide web leave all of our systems at risk and vulnerable.
In today’s world, most think that virus protection, a firewall, and changing your password from time to time is enough.
Our response: Absolutely not enough! Not even close.
Every business that stores non-public information is vulnerable in today’s threat scenarios.
Connectivity and access exponentially increase your threat exposure, and every business should exponentially increase its defenses. Even though your bank or credit union is closed and the door is locked, your enterprise is exposed 24 hours a day, every day.
How New York tackles cybersecurity
New York's Department of Financial Services (DFS) takes this threat seriously. Even if your financial institution is outside of New York, you should take notice and set a plan in place to emulate the controls that go into effect on Jan. 1, 2017.
Your bank should seriously consider significantly strengthening the following:
• Data storage. Encrypt it at all times, both in transit and at rest.
• Vulnerability testing. Conduct it quarterly.
• Multi-factor authentication methods. Adopt them, already.
• Threat detection and analysis. Adopt them, not just blocking.
• Data and enterprise compromise simulations. Practice with a true war-game scenario, not just an incident response plan. Make it real!
• Track the movement of data. Track it both within your enterprise and when it is leaving your enterprise.
Threats have evolved
Note that you could have malware operating within your enterprise today, well below the level of monitoring that would trigger your alerts.
The malware can take small amounts of data each time it operates, and after a year it could steal it all and you would never suspect it until the complaints start coming in… yup, too late!
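The failure mode described above is a detection problem: a rule that fires only when a single transfer is large never sees a leak made of many small transfers. The following is an added example, not code from the article or its author; it runs a per-event threshold and a per-host sliding-window total over a constructed set of outbound flow records (the log format, hosts, addresses and byte counts are all made up for illustration) and shows that only the long-window aggregate catches the slow drip.

```python
"""Added example (not from the article): per-event thresholds versus a
per-host sliding-window total for spotting low-and-slow data exfiltration.
All flow records below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

ONE_MB = 1024 * 1024

# Constructed sample, one line per outbound transfer: "timestamp,host,dst,bytes".
# ws-07 sends 40 KB to the same external address every night for a month;
# ws-02 does one large (5 MB) transfer plus a small one.
SAMPLE_FLOWS = "\n".join(
    [f"2016-11-{day:02d}T02:15:00,ws-07,203.0.113.9,40960" for day in range(1, 31)]
    + [
        "2016-11-15T13:00:00,ws-02,198.51.100.5,5242880",
        "2016-11-16T09:30:00,ws-02,198.51.100.5,12000",
    ]
)


def parse_flows(text):
    """Parse the hypothetical CSV flow log into (timestamp, host, dst, bytes) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, host, dst, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return rows


def per_event_alerts(rows, threshold_bytes):
    """Classic rule: alert only when one transfer on its own exceeds the threshold."""
    return sorted({host for _ts, host, _dst, b in rows if b > threshold_bytes})


def cumulative_alerts(rows, window, budget_bytes):
    """Sum each host's outbound bytes over a sliding time window and alert when
    the total inside any window exceeds the budget, however small each transfer is.
    Returns {host: total_at_first_breach}."""
    by_host = defaultdict(list)
    for ts, host, _dst, b in rows:
        by_host[host].append((ts, b))

    flagged = {}
    for host, events in by_host.items():
        events.sort()
        start = 0      # index of the oldest event still inside the window
        running = 0    # bytes sent inside the window
        for ts, b in events:
            running += b
            # drop events that have aged out of the window
            while ts - events[start][0] > window:
                running -= events[start][1]
                start += 1
            if running > budget_bytes:
                flagged[host] = running
                break
    return flagged


def run_example():
    """Apply both rules to the constructed sample with a 1 MB limit."""
    rows = parse_flows(SAMPLE_FLOWS)
    return {
        "per_event": per_event_alerts(rows, ONE_MB),
        "cumulative": cumulative_alerts(rows, timedelta(days=30), ONE_MB),
    }


if __name__ == "__main__":
    result = run_example()
    print("per-event rule flags:  ", result["per_event"])      # ws-02 only
    print("30-day total flags:    ", result["cumulative"])     # ws-02 and ws-07
```

The per-event rule flags only ws-02, whose single 5 MB transfer is obvious; ws-07 never sends more than 40 KB at once and stays invisible. The 30-day window catches ws-07 on its 26th night, once the running total passes 1 MB. Real deployments tune the window and budget per host role and pair the volume check with destination-based rules, since a slow leak to one unusual external address is itself a signal.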
So, the question is … what protection do you have established and in place just in case you are compromised?
We always say, as a good rule, never let the enemy inside the castle. Let them in to what they think is the castle, and once they are exposed, isolate and destroy the attacker.
Taking action today
So, you need to re-think your approach to protecting your data.
Look at the New York State Department of Financial Services Proposed Regulatory Change 23 NYCRR 500, and the recently updated FFIEC Handbook on Information Security, particularly the section on “Supervision of Cybersecurity Risk and Resources for Cybersecurity Preparedness” (September 2016). Other notable sections are “Encryption” and “Oversight of Third-Party Services Providers.”
As an industry consultant, I am amazed at how lax the state of data security and protection is in our industry.
My firm’s research clearly shows that the number of attacks is increasing. Starting at very large companies, the attacks are continuing to move down the food chain.
Sooner or later you will be attacked! Are you ready? Don’t wait until it is too late!
Finally, if you think you have it under control, or that you are not vulnerable, or it is not an issue at your institution, I would strongly suggest that you update your resume.