Yet again, millions of people have been exposed to unauthorized access to, and fraudulent use of, their information because of the inadequacies of “cybersecurity”.
Just look at the firewall report of any company to see thousands of attempted attacks each day via the internet. Why would any company think they can operate in today’s business environment without maintaining the most stringent security controls? However, all too often, the following control processes, which would prevent 85% of all breaches, are not enforced. These controls include:
1) User installation of applications is restricted (“whitelisting”).
2) Operating systems are pushed current dates.
3) Software applications are regularly updated.
4) Administrative privileges are restricted.
We all know how priorities change within an Information Technology Department. Acquisitions, new product lines, regulatory/industry changes, and other factors result in high-demand environments with limited resources. These demands can easily end up affecting the overall network/systems security environment of any company.
So what can financial institutions do? Remember those risk assessments that we are required to update on an annual basis? Risk assessments are designed to be used, not just annually, but anytime they are necessary. It is important to communicate with senior management teams and Boards of Directors when there are decisions that need to be taken to mitigate or accept risk. Therefore, if there are projects that interfere with regular maintenance activities, or if industry controls are not followed because there is a perception that the implementation of the control would be too restricting to conduct business, then it is the responsibility of the IT Manager to document, in the form of a risk assessment, an explanation of the threats associated with the issues, along with the controls that should be implemented to mitigate risk to the level of “acceptable” to senior management and the Board of Directors.
The risk assessment process should also include key risk indicators that enable the IT Manager to effectively monitor the status of the company’s IT environment. Examples of key risk indicators that should be monitored include the following:
-The presence of unauthorized hardware and/or software.
-Accuracy and appropriate authority for critical administrative actions.
-Status of operating updates.
-Status of software application updates.
-Patch management processes.
-Cybersecurity training for IT security staff, employees, Boards of Directors.
-Employee compliance with Internet and Email Acceptable Use Policy.
-Network performance indicators.
Finally, multilayer protection and monitoring processes, with real-time alerts, are critical. Even with an adequate firewall/IDS infrastructure, engaging the services of a third-party network security/monitoring company is recommended. Also, network performance should be monitored not only for uptime, but also for instances where there is a drain on resources, which could be an indicator of an advanced, persistent threat that may be attacking the company’s network, or has breached and now resides on the company’s network.
In conclusion, it is not always clear what actually happened in major breach situations, but if we closely monitor the little that is said, in most cases there is a key phrase in the explanation that ties back to one of the four key controls cited above. The high cost of a breach impacts not only a company’s bottom line, but companies impacted by a breach must also recognize and address the loss of credibility, confidence, and customer base.