Cybersecurity – Getting the basics right
October is Cybersecurity Month – so it’s a good time to step back and consider whether or not your organization is getting the fundamentals right. Many experts believe that ensuring the basics are in place can dramatically reduce cyber risk, and regulators agree – not just in speeches but also in the new rules they are beginning to draft at great speed.
The headlines seem to imply that cyberattacks emanate from the world of comic book villains – as events beyond the ability of companies to prevent. It’s an attitude that has shaped many firm’s approaches to cyber risk. In its annual U.S. State of Cybercrime Survey, CSO magazine asked “Which of the following groups posed the greatest cyber threat to your organization during the past 12 months?” Almost half of respondents cited external threats such as hackers, organized crime, or foreign entities. Only 13% cited current employees.
Major policy initiatives from governments also often emphasize large-scale anti-cyber threat programs. While these programs – such as the EU’s new cybersecurity initiative, with a new agency and increased spending on law enforcement – are very necessary, they tend to underscore the idea that a cyberattack is inevitable, and not a matter of “if” but “when” it will occur.
It seems there is a clear bias towards external causes in the minds of many boards and senior leadership teams. And yet according to the UK government’s Cybersecurity Breaches Report 2017, released in April, the most common types of incidents involve fraudulent emails sent to staff – in a stunning 72% of times where firms identified an attack or breach.
Other studies are beginning to back up the UK research. A Ponemon Institute research report released in September explored cybersecurity impacts on small and medium-sized organizations. It said that of the respondents who had a data breach, 54% indicated that negligent employees were the root cause, an increase from 48% in the previous year.
It’s clear that employees can play a crucial role in providing an opening for these kinds of attacks. So, it’s hardly a surprise that experts are now saying that the best prevention is a cybersecurity strategy that stretches across all three lines of defense – and that averting damage to an organization can be accomplished through simple pre-emptive steps. The UK’s Financial Conduct Authority is even going so far as to say that organizations could eliminate up to 80% of the cyber risks they are confronted with if they improved the way they looked after their IT infrastructure, including the conducting better patch management and employee training.
The FCA is advocating that financial services firms implement programs such as ‘Cyber Essentials’ or the ‘10 steps to cyber security’. In the US, the Federal Financial Institutions Examinations Council (FFIEC)’s Cybersecurity Assessment Tool, as well as the National Institute of Standards and Technology’s Cybersecurity Framework also provide insight into how basic prevention steps can be used to help ameliorate a firm’s exposure to cyber risk.
Financial services regulators are busy updating their supervisory frameworks around cyber risk management. For example, the US Securities and Exchange Commission released a statement on cybersecurity in late September that discussed the progress it is making on its approach – following on from an August paper that discussed observations from reviews of firms’ policies and procedures. New York State’s cybersecurity rules – which became effective earlier this year – are some of the toughest in the world, and most other US states are in the process of implementing their own. The Office of the Comptroller of the Currency is also in the process of consulting on updates to their cybersecurity frameworks.
Cyber risk is now viewed as an issue for individual firms, as well as source of much larger systemic risk for the global economy. Organizations can expect a wide range of new rules over the next 12 months, focusing on the policies and procedures necessary to prevent breaches.
Financial services firms should be looking at how they can improve their approach to cybersecurity across all three lines of defense – detection; policies and compliance; and testing and auditing – to reduce their cyber risk exposure. Regulators will be focusing on firms’ approach to cyber risk management in their inspections even before new rules are put in place. Steps to take now include:
- Assessments – Firms should be assessing their cybersecurity program at least annually. This includes conducting a cyber business risk assessment and reviewing their capabilities, their gaps, and their overall maturity in regards to controls and their efficiency and effectiveness.
- Reviewing policies and procedures – Given the fast pace at which governments and regulators are updating cybersecurity rules, firms should put in place a robust approach to policy and procedure tracking and management. This includes implementing software solutions to help manage and enforce policies in a more “business as usual” way.
- Testing – Organizations should specifically test how well their policies and procedures are aligned with controls and are proved to be implemented, efficient, and effective. For example, will employees click on an email that looks questionable? Or how effective are policies about sending attachments, from both an IT and a human resources perspective?
- Evidencing – It’s very important that all of this activity is documented correctly so that it can be evidenced to internal audit, external audit, and the regulators. For many firms, it will make sense to put in place a formal, technology-supported approach to this task.
- Training – Having employees trained in both the organization’s policies as well as what to do in “real life” situations is key to reducing cyber risk.
Being proactive when it comes to cyber risk is important – for both regulatory compliance and for keeping the firm safe. Firms should move quickly to ensure they are engaged with this important, rapidly evolving issue.