Common Sense Cyber Security for the Financial Executive
By Val LeTellier, Senior Cybersecurity Consultant
The rampant proliferation of easy-to-use hacking tools and criminals willing to deploy them means that, as an executive in the financial industry, you need to continually improve your defenses to stay safe. Criminals, activists, and nation-states can realize their goals with greater efficiency, increased speed, and total anonymity. With little risk of getting caught and huge upside potential, almost anyone with access to the internet can now make money from data they steal.
Thankfully, the process of protecting yourself is simple and effective when you adopt the following three principles:
- Protect what needs protection. TorchStone focuses on securing data that 1) you are required to secure by law or regulation, 2) you cannot afford to be made public, 3) is critical to your continued operation, and 4) can be used to facilitate attacks against you or your clients. In focusing most on the data that truly needs protecting rather than trying to lock down everything, you will not spread yourself too thin and inadvertently create cracks for attackers to slip through.
- Think holistically. Recent major attacks have exploited numerous vulnerabilities across technical, human, and physical domains. Attackers often combine social engineering, hacking, and physical access into one attack. Thus, technology alone cannot protect you from a breach. The firms with the greatest success in preventing attacks employ a comprehensive cyber defense. Technology is subject to human error, and devices and software rushed onto the market are full of security vulnerabilities. By viewing your organization as more than just a series of devices on a network, you gain a far more accurate perspective of your organization’s defensive capability and resiliency. This is exactly how an attacker will view your organization.
- Think like an attacker. The perfect complement to a holistic security approach is assessing that approach and identifying possible vulnerabilities by taking an attacker’s perspective. It is important to anticipate what information may attract an attacker, and how an attacker may choose to act. By thinking like an attacker, you increase the likelihood of developing truly effective security measures.
Attackers will typically opt for the safest way to get the data they want, and they usually follow these steps:
- Collect and analyze public data on the target.
- Use the data to craft an attack plan. Determine who has direct and indirect access to the desired information or data, and learn how to manipulate those persons.
- Conduct pre-attack surveillance. Identify, analyze, and rank security gaps; determine how those gaps will be used to achieve the goal.
- Eliminate roadblocks and execute the attack plan.
There are two broad categories of attackers: those operating from outside your corporation (“black box”) and those operating from inside (“white box”). Black box attackers operate with limited information; they can typically use only public data and personal observation. As insiders, white box attackers have the benefit of inside information. They use public data, observed activity, and privileged internal information to develop and execute their attacks. If you think about all the possible motives of a black or white box attacker and exactly what information each would have access to, you will be much better prepared for their attacks.
Now that you have used holistic thinking and an attacker’s perspective to determine what data from your organization is most in need of protection, you can create effective countermeasures. Consider these seven areas as you build your defense:
- Define what requires protection. Look beyond the obvious for data that attackers may want to steal and exploit to make money.
- Determine who has access. Look carefully at which of your partners, vendors, and contractors have access to your company’s data. An attacker may also be able to reach your data through physical means, or simply destroy servers and infrastructure—with the same results as a cyber attack.
- Define what “right” looks like. Create concise ground rules and accountability for your organization. Articulate what your employees should and should not be doing, and detail the ramifications for negligence or malicious action. Human error is the most frequent cause of data breaches; therefore, creating clear policies and procedures is of utmost importance.
- Harden your first line of defense. Employees need to know the tactics and techniques used by attackers, why they could be targeted, and how to protect against data collection and attacks. Without proper cyber security training, your employees can become victims of spear-phishing and social engineering efforts aimed at stealing network credentials.
- Understand the insider threat. A true insider who is wittingly working to harm the organization can cause devastating damage. Consequently, it is important to audit employees’ work activity, both online and in person. Monitoring badge records, file downloads, and file transfers may help to quickly identify unusual worker activity. Employee privacy must be considered, so any internal oversight should be implemented with the full support of senior executives, including IT, HR, and the General Counsel.
- Prepare for the inevitable. It is not a question of if you will experience a cyber attack, but when. The best way to prepare for the inevitable is to own the risk. Educate shareholders and partners of the risk and create a validated incident response plan. Test your plans through structured walk-throughs, tabletops, and live exercises.
- Build a positive security culture. More than any single factor, a strong organizational culture and high employee morale can help create a positive security culture and strong cyber security posture. A common sense of pride, belonging, teamwork, collaboration, and loyalty supported by a strong cyber security education program creates an incredibly powerful security measure.
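The insider-threat item above names three data sources (badge records, file downloads, and file transfers) that, taken together, reveal unusual worker activity. The following is an added illustration, not code from the article or from TorchStone, of how a security team can correlate those sources: it pairs badge-in/badge-out events into on-site intervals, then scores each file transfer on whether it happened off-hours, without a matching badge presence, to an external destination, or at an unusual size, and queues only transfers that trip two or more of those signals for an analyst. The log records, the business-hours window, the size threshold, and the destination naming scheme are all constructed assumptions for the example.

```python
"""Correlate badge records with file-transfer logs to surface unusual insider activity.

Added example with constructed sample data; thresholds are assumptions to be tuned
against your own baseline, not values from the article.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed badge records: (user, ISO timestamp, "in" or "out")
BADGE_LOG = [
    ("alice", "2024-03-04T08:02:00", "in"),
    ("alice", "2024-03-04T17:31:00", "out"),
    ("bob",   "2024-03-04T08:45:00", "in"),
    ("bob",   "2024-03-04T18:05:00", "out"),
]

# Constructed file-transfer records: (user, ISO timestamp, destination, bytes)
TRANSFER_LOG = [
    ("alice", "2024-03-04T10:15:00", "corp-share", 2_000_000),
    ("alice", "2024-03-04T14:02:00", "corp-share", 1_500_000),
    ("bob",   "2024-03-04T11:20:00", "corp-share", 3_000_000),
    ("bob",   "2024-03-04T23:40:00", "usb:removable", 750_000_000),  # after badge-out, removable media
    ("carol", "2024-03-04T02:10:00", "ext:dropbox", 120_000_000),    # no badge record that day
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local working window
LARGE_TRANSFER_BYTES = 100_000_000           # assumed per-transfer size threshold
EXTERNAL_PREFIXES = ("usb:", "ext:")         # assumed naming for removable/external destinations


def parse(ts):
    return datetime.fromisoformat(ts)


def badge_intervals(badge_log):
    """Pair each user's in/out events into {(user, date): [(in_time, out_time), ...]}.

    An "in" with no later "out" is left unpaired, so the user is treated as not on
    site for later events that day; a stricter policy could instead assume end-of-day.
    """
    intervals = defaultdict(list)
    open_in = {}
    for user, ts, event in sorted(badge_log, key=lambda r: r[1]):
        t = parse(ts)
        if event == "in":
            open_in[user] = t
        elif event == "out" and user in open_in:
            intervals[(user, t.date())].append((open_in.pop(user), t))
    return intervals


def on_site(intervals, user, t):
    """True if the user was badged in at datetime t."""
    return any(start <= t <= end for start, end in intervals.get((user, t.date()), []))


def flag_transfers(badge_log, transfer_log):
    """Return [(user, timestamp, reasons)] for transfers that trip two or more signals."""
    intervals = badge_intervals(badge_log)
    findings = []
    for user, ts, dest, size in transfer_log:
        t = parse(ts)
        reasons = []
        if not (BUSINESS_HOURS[0] <= t.time() <= BUSINESS_HOURS[1]):
            reasons.append("off-hours")
        if not on_site(intervals, user, t):
            reasons.append("no matching badge presence")
        if dest.startswith(EXTERNAL_PREFIXES):
            reasons.append(f"external destination {dest}")
        if size >= LARGE_TRANSFER_BYTES:
            reasons.append(f"large transfer ({size // 1_000_000} MB)")
        # Any single signal is common in normal work (remote days, late nights);
        # requiring two keeps the analyst queue short and the review defensible.
        if len(reasons) >= 2:
            findings.append((user, ts, reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in flag_transfers(BADGE_LOG, TRANSFER_LOG):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Run as a script it prints the two constructed transfers that combine several signals (the late-night removable-media copy and the early-morning upload by a user with no badge record that day) and stays silent on the routine daytime transfers to the corporate share. Because the output is a short review queue rather than a running record of everyone's activity, it fits the article's advice that oversight be scoped and approved with HR and the General Counsel.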
The pendulum is swinging toward greater accountability for those responsible for protecting information and access. Failure to protect information and access may result in fines from the FTC and FINRA, class action lawsuits, negative publicity, and possible termination of employment. Being proactive and protecting what needs protection, thinking holistically, and thinking like an attacker can help you stay ahead of the hackers and criminals of the world and keep your workplace safer.
Val LeTellier has twenty-five years of risk management experience in the public and private sector. Prior to providing security consulting to Fortune 500 firms and government agencies, he ran intelligence, counterintelligence, and security operations as a CIA Operations Officer and State Department Diplomatic Security Special Agent. Mr. LeTellier holds an MBA, MS in Systems Management, BA in Political Science, an Information Systems Security Certificate, and is a Certified Information System Security Professional (CISSP). He is also the author of Protecting Your Company’s Data: An Insider Threat Checklist.