By Russell Sommers, Senior Manager, Baker Tilly
Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I have more than 14 years of experience in public accounting, risk advisory, information technology and cybersecurity advisory in financial services and other highly regulated industries. I also lead a broad array of projects, including cybersecurity consulting, regulatory compliance consulting, internal controls advisory, internal audit, information technology audit and risk assessment.
Most recently, my work is focused on conducting cybersecurity assessments against industry and regulatory frameworks, developing roadmaps for compliance with cybersecurity regulations and industry best practices, designing and implementing vendor risk management, internal audit, compliance audit and enterprise risk management functions, and designing and testing incident response, disaster recovery and business continuity plans.
What, for you, are the benefits of attending a conference like Risk Americas 2019? What part of the conference are you most looking forward to?
One of my favourite things about these types of conferences is the networking component. It’s great to reconnect with industry contacts and meet new, high talent, like-minded people. I also enjoy sharing information with other professionals, so we can glean insights from one another from what we are implementing in our respective organizations, as well as common challenges and pain points we are experiencing across the industry.
Another reason I get excited for these types of conferences is that it helps me stay on top of my game. In a world that is constantly evolving, the only constants are disruption and change. The aforementioned knowledge sharing at conferences like Risk Americas helps inform me of upcoming issues and trends companies are seeing.
You will be joining a panel discussion alongside Ulster Savings Bank and Credit Suisse on “increasing cyber resilience and BCM in an advancing threat landscape”. What do you believe will be the key talking points amongst the panellists?
Preparedness: understanding where you are on the crawl, walk and run spectrum. On one end of the spectrum is the company without an incident response plan or with a dated plan, and on the other end is an entity with an incident response plan, an emergency response plan, a crisis management plan, a business continuity plan and a disaster recovery plan, each tested multiple times during the year, and multiple data centers running hot with automatic failovers.
Key components of preparedness include:
- Knowing your environment (e.g., data, network, applications, third parties)
- Understanding the criticality (i.e., risk assessment) of each network component (i.e., critical, major, moderate and ancillary)
- Testing preparedness (e.g., incident response, business continuity, disaster recovery, emergency response and crisis management)
- Improving plans based on results
- Building sustainability/resiliency
The hardest part is to identify and map all data and applications, system interdependencies, network segmentation, data flow, configuration management and communication protocols.
Another key discussion point will be how organizations are ensuring comprehensive stakeholder involvement in the planning and testing of BCM programs. If the only individuals involved in the organization’s BCM plans are in the IT function, you create blind spots, which lead to either inefficiencies or ineffectiveness of response.
What are the best practices that need to be made when financial institutions look to protect sensitive information, and train their staff to protect information?
From a technology perspective, the processes that need to be in place to protect sensitive information are:
- Data classification schema: Identifying PII/PHI/PCI data, material non-public information and public information
- Network segmentation: Maintaining NPI in restricted locations on the network
- Data loss prevention (DLP): Possessing tools to monitor and restrict the movement and unauthorized use of data
- Encryption: Encrypting data in transit and data-at-rest, which is only possible once a data classification schema is implemented
- Access restriction: Implementing “least privileged access” across the board, giving employees access only to that which they need to operate
- Patching and vulnerability management: Following a patch management process, which guides implementation for critical security patches, significant updates, standard bug fixes, and patches, is imperative. It is also important to be conducting regular vulnerability scans and penetration tests to identify issues, prioritize the issues based on risk and have a process for remediation tracking.
Similar to software and technology, humans also have vulnerabilities. Because of this, regular training of information security staff, executives, directors and personnel remains paramount to protecting sensitive information. Part of this protection should include an effective training program that includes a mechanism through which completion is evidenced and employee performance is assessed and evaluated. Ideally, employees showing deficiencies through evaluations will receive enhanced training to increase their cybersecurity awareness. One effective way to assess employee behaviour is to consider combining social engineering exercises with security awareness training, creating a feedback loop that highlights and reinforces good behaviour.
In your experience, can you give an example/case study of where you have helped an organization combat cyber crime?
While not explicitly addressing cyber crime, we have helped organizations in several ways, the best example of which is a financial services company with NYS DFS regulatory compliance requirements. We worked with management to perform a current state NIST CsF maturity assessment along with an NYS DFS Part 500 cybersecurity assessment. While helping build the resulting 24-month road map, we helped management establish their risk assessment process and challenge their results, and increase their maturity at the governance, people, process and technology levels, specifically:
- providing board level training and reporting
- working directly with training personnel and coordinating training programs for security specialists
- reviewing cybersecurity process documentation and challenging current state processes
- assisting in the evaluation of applications (e.g., MFA, encryption) as well as ongoing monitoring solutions and managed services providers
- conducting incident response tabletop exercises complete with debriefs and plan improvements
In doing so, we addressed cyber-crime pre-emptively and helped the organization become more prepared and resilient in the event of an attack.
How can financial institutions ensure they stay ahead of cyber criminals in the future?
Bad actors have a distinct advantage compared to financial institutions: the institution has to be “right” every time, while the bad actor only has to be “right” once, and bad actors are much better at sharing information amongst themselves as to what “worked.” Financial institutions have the FS-ISAC for information sharing, which is a great mechanism, but it relies on members to share their weaknesses and provide insight into a “private” part of their business. However, as cyber criminals are constantly becoming more sophisticated and trying new tactics in order to manipulate individuals in organizations, these information sharing networks are going to become more helpful. Secondly, the need to focus on changing end-user behaviour and helping staff develop scepticism when dealing with incoming communications (e.g., email, phone, SMS, etc.), social media and browsing is essential to thwarting future attempts from cyber criminals. People will continue to be the weak link, and it will become increasingly necessary to educate staff, test their competence through simulations, reinforce good behaviour, re-test, etc. The more aware and “ready” personnel are to identify questionable content, and the more prepared they are to act as prescribed (i.e., notify Info Sec), the better prepared an organization will be to respond.
How do you see the impact of cyber resilience evolving over the next 6-12 months?
This answer truly depends on the company’s culture. Organizations with a strong CISO with board and executive support will see their resilience increase as a result of employee training, continued phishing exercises, firewall hardening, employee communication and reporting protocols, process improvements, information sharing amongst peers, the implementation of additional tools and continued testing of incident response. Organizations that treat regulatory compliance as the gold standard and don’t strive for comprehensive information security and continuous improvement will continue to struggle.
A few pieces of anecdotal information:
- In November 2017, a man in Virginia was arrested in a “Nigerian Prince” scam of defrauding victims of over $3 million.
- In a recent FBI Private Industry Notification, cybercriminals focusing on healthcare claims processors targeted at least 65 payment processors, with one reporting losses of at least $1.5 million.
As sophisticated as we want to believe attacks are, the simple attacks, those which exploit humans and human tendencies, are still proving very effective. Until organizations can effectively change employee behaviour, they’ll always be in a defensive position against an opposition that uses volume as a weapon.