Once upon a time, cyberspace was made up of hackers who were considered computer whiz kids working out of the basements of their parents’ homes: lovers of technology who were not necessarily looking to harm the systems they explored.
But those days are long gone.
Today our digital neighborhoods are rife with profit-seeking pirates, criminals, and multilevel crime syndicates, as well as nation states looking to defend national sovereignty, project national power, and gain an economic advantage. Attacks are increasingly elusive and widespread, making for a fast-changing and complex landscape.
No sector, no company, no individual is immune. Not surprisingly, cyberattacks are becoming the top national security threat according to the FBI, with threats to financial firms on the upswing.
As cybercriminals become increasingly sophisticated and agile, our methods for defending against cyberattacks must expand beyond our own four walls. This requires that we all work together as a community of defense.
“Cybersecurity – Building a Community of Defense” was the theme of a panel I hosted recently prior to the Investment Company Institute (ICI) Mutual Fund General Membership Meeting. Joining me were Joshua Larocca, Vice President, Stroz Friedberg; Simon Moorhead, Chief Information Officer, IFDS; and Mark Morrison, SVP & Chief Information Security Officer, State Street Corporation. We discussed the landscape, emerging threats, and prevention. Some takeaways from our discussion:
- You gain no competitive advantage by keeping cyberthreats to yourself. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is one example of an organization used by a number of financial services companies to share threat information. A well-informed and active community of defense is now being endorsed by regulators and law enforcement as well.
- An agile defense is the best defense. Seventy percent of all breaches are the result of exploiting a known vulnerability (Adobe and Java are among the most targeted applications).
- There is no such thing as a secure password. Passwords shorter than 14 characters can take a hacker less than an hour to crack. In the future, registering your device certificates and using a “Chip and PIN” approach will be the norm.
- See something, say something. Getting people to recognize threats is the key to prevention. Organizations should look to increase employee training and engagement.
- Most experts agree that it’s not a matter of if your firm will be attacked but when. Therefore, information security programs are beginning to shift toward being better prepared to react when the inevitable happens, contain the damage, and restore normal operations.
- Don’t wait until game day. Organizations need to have plans in place and practice them before an incident occurs.
At Boston Financial, we’ve been fortunate and haven’t experienced a security breach. This can be attributed to our layered security approach, supporting a “Defense in Depth” strategy to mitigate known or potential security risks (along with some good luck).
Likewise, our senior management is highly invested in our Information Security Program, reviewing and approving policies annually. And we have ongoing information security training for our associates, helping foster a culture of awareness and prevention in the organization.
But we’re not naïve. We know that, like any firm today, we’re susceptible. And although we have an Incident Management/Response Plan in place that includes internal teams such as Legal, Compliance, Technology, and Client Relations, as well as external entities such as Law Enforcement, Regulators, and our Customer Executives, we have to continue to be diligent in our testing.
At Boston Financial, we embrace the community of defense approach. We believe we will all be safer if we share information on cybersecurity and adopt a “Neighborhood Watch” type approach. Cybercriminals may be getting more creative, but we believe all of us are smarter than any one of us. Is your firm part of the community of defense?