Not If, But When: How to Monitor and Manage Your Cyber Risk


GUEST BLOGGER

John Thackeray
Founder and CEO of Risk Smart Inc.

Driven by news and social media coverage of online threats and cyberattacks, cybersecurity is all the rage today. Indeed, whether we're talking about the recent Iranian online assault on universities worldwide or the ransomware attack on the city of Atlanta (which led the world's busiest airport to take its public Wi-Fi offline as a precaution), cybersecurity is constantly, and rightfully, in the spotlight.

Cybersecurity is an enterprise-wide business risk that needs to be tackled both tactically and strategically. For cybersecurity to be effective, a firm must have:

  1. A common taxonomy and lexicon, so the same language can be spoken by all business areas

  2. A clear understanding of its inventory of assets and its vulnerabilities

  3. A playbook of incident scenarios, rehearsed in advance, so that the organization is ready to respond when one occurs

  4. An end-to-end cybersecurity framework, shared by all business areas, with clearly assigned responsibility and accountability

Now let’s take a look at all of the factors that must be considered to monitor and manage cyber risk:

General Data Protection Regulation
Once the GDPR becomes enforceable on May 25, 2018, a personal data breach affecting individuals in the European Union will need to be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to those individuals. The regulation gives data subjects transparency about how their information is collected and used. Since non-compliance can result in a fine of up to 4% of annual worldwide turnover or 20 million euros, whichever is higher, this regulation will have a significant impact on companies that operate at a multi-national level.

AI and machine learning
Artificial intelligence and machine learning will certainly gain a larger presence in cybersecurity as these disruptive technologies gather momentum. Machine learning models, in particular, are improving rapidly and are expected to identify and predict cyberattacks more accurately in short order. Conversely, the same techniques can be turned against the organizations they are meant to protect: attackers can use them to automate and scale their own campaigns.

Ransomware
Over the past few years, ransomware, a cyber-extortion tactic, has grown into a significant threat, and, amplified by intense news and social media coverage, it continues to claim high-profile victims. Moreover, cyber criminals interested in making a quick buck can take advantage of the variety and accessibility of off-the-shelf ransomware sold on dark web marketplaces, which lowers the technical skill needed to mount an attack.

Data breaches
It may prove impossible to eradicate data breaches completely, but every organization has the power to lessen the blow by handling the aftermath correctly. Rehearsing breach scenarios and response plans before an incident occurs can materially reduce the damage.

Internet of Things
The growth of cyber extortion has been greatly abetted by the common availability of anonymous payment mechanisms and by the proliferation of information-sharing and information-gathering devices known collectively as the Internet of Things (IoT). All too often these devices either lack basic security features or are not properly configured (for example, shipped with default credentials that are never changed), and they run outdated firmware that is rarely, if ever, patched and can easily be subverted.

Security practices
Inadequate security practices, including weak passwords, compromised or poorly managed identities, out-of-date antivirus software and antiquated systems, are prevalent. There are simply too many poor security practices to cite, but a special mention must go to the challenge of patch management. Endpoint security is not the same problem as IT management: rolling systems out is easy, while taking them offline for maintenance, and deciding which of the outstanding patches matter most, is hard.

Third-party vendors
Organizations that have focused on building their own defenses have come to realize that their weakest link may be a trusted partner. If any of an organization's third-party partners have inadequate or lax security controls, attackers can compromise those trusted sources and use the established connection to tunnel into internal networks and systems. The supply chain also extends to the vendors' own vendors, so third-party risk management is required to mitigate the risks these relationships pose to internal devices and data.

Parting thoughts
Cyber risks pose huge threats to every financial institution. Firms that take the time to understand the threats, and that adopt sound cybersecurity principles, can materially reduce these risks.

John Thackeray is the founder and CEO of Risk Smart Inc., a consulting firm that specializes in the writing of risk documentation. Over his long career, he has held many risk positions, including CRO posts at Société Générale and Penson Worldwide Holdings, where he interacted and engaged with US and European regulators. He frequently contributes articles on his risk insights to the Financial Executives Networking Group (FENG).