No company is immune to cyber security attacks; cybercrime is a rapidly growing industry. The returns are great, and there is very little risk to the perpetrator. It’s estimated the likely annual cost to the global economy from cybercrime is more than $400 billion – that’s with a “B.” (www.bloomberg.com).
On April 14, NICSA held its forum, “Cyber Security – Managing 21st Century Risk.” The sessions were designed with operation and business leaders in mind. I left the forum with several key messages, one being that cyber security is a business issue. As David Grady, vice president at State Street Corporation stated, “it takes a village to secure an environment.”
Senior leaders across every organization are stakeholders. They don’t need to understand the details, but it’s imperative they understand the big picture in order to understand the overall risk blueprint. One of the core challenges is that not everyone speaks the same language or uses the same terminology – lawyers, information security staff, and business leaders each have their own vocabulary and their own way of defining risk. However, through proper governance, relationship building, and practice, these barriers can be overcome.
To manage risk, it’s important to acknowledge the main components. The questions to be addressed are:
- What data needs to be protected?
- Where is the data located, and what are the devices that hold it?
- Who has access to the data?
- How do we protect the data?
- Who is accountable?
Once these concepts are fully understood, a framework for protecting the infrastructure can be designed and constructed. Nonetheless, organizations are challenged. They must take a risk assessment approach to allocate their finite dollars and resources to areas of greatest exposure. Spending 75 percent of resources on managing a firewall, but not applying appropriate patches, may not be the most practical approach. Identifying where to apply your dollars and resources is a critical step in building a solid information security program.
Another key point I heard reiterated throughout the forum was that security incidents are a matter of “when” not “if.” Since that’s the case, it’s critical that organizations create and maintain a solid incident response plan including the following key elements:
- Remediation and recovery
- Post incident analysis and lessons learned
Designing a thorough plan is critical to ensure all impacted parties have a clear understanding of their roles and responsibilities throughout the event. Specialties such as legal, compliance, human resources, and law enforcement should be involved in the plan at the appropriate times to provide guidance in their areas of expertise. Panic and chaos may lead to an inadequate response – bracket the problem and prevent a crisis.
As an industry leader, servicing one-third of the U.S. mutual funds, Boston Financial understands the importance of safeguarding our environment. Under our chief information officer, Mike Rizzo and our chief information security officer, Yalmore Grant, the information security team works relentlessly on strategies to combat potential threats.
What does that mean exactly? Well, to put it in dollars and cents, the DST and Boston Financial security budget increased 100 percent from 2013 to 2015 and is expected to keep growing. Our program is based on National Institute of Standards and Technology guidance, and we leverage the expertise of companies like WhiteHat, Depth Security, McAfee, and Microsoft to safeguard our network. Our defense-in-depth layered approach is solid, with a core focus on detection and remediation.
Threat intelligence is also a major part of our program. We’re engaged with organizations like Financial Services Information Sharing and Analysis Center to improve our ability to be proactive. We migrated from a periodic assessment and testing schedule to continuous testing. We also strengthened our incident response program, which incorporates our parent companies to ensure an effective and solid plan.
Most would say the best offense is a good defense. We agree. As we progress through 2015, we’ll encounter new challenges and new threat actors. However, we’ve built a solid defense program and will continue to expand on it. As we have in the past, we’ll work tirelessly to protect what’s most valuable and most important to us – our clients.
If you are interested in this topic, Verizon produces an annual Data Breach Investigations Report (http://www.verizonenterprise.com/DBIR/), which is a fascinating analysis of the threats, vulnerabilities, and actions that lead to security incidents. The information spans industries, but the themes are similar and the statistics are staggering. It’s worth checking out.