September 2015 SAFE Newsletter
Address Cyber Threats and Achieve Proactive Compliance
Since the introduction of the Gramm Leach Bliley Act the FFIEC has promulgated regulations, guidance, and more recently assessment tools to assist financial institutions and financial service companies in developing and analyzing controls to combat cyberattacks. Furthermore, IT service companies, throughout the nation, created various technology based services to assist in defending against cyberattacks. Many financial institutions outsource these services because they do not have the scale or expertise to incorporate them into their internal operations. Conversely, regulatory authority has dictated that financial institutions and financial service companies are ultimately responsible for protecting their customers’ confidential information. Recently, cybersecurity analysts have indicated that financial institutions are on the defensive in preventing cyberattacks because there is a prominent disconnect between the convergence of cybersecurity controls and the utilization of technology to protect against threats.
Many financial institutions want an “out-of-the-box” solution that implements required FFIEC controls and then provides the technology to monitor and identify potential attacks. The reality is that the types of threats that continuously occur at financial institutions utilize social engineering to execute the attack. In essence sophisticated attackers utilize human behavior to effectuate phishing, fraudulent money wires, and ransomware attacks. A technological device alone will do nothing to prevent social engineering attacks.
The solution: Education
Education now becomes the resolution and provides a method for proactively defending against cyberattacks. Financial institution and financial organization personnel through their Information Security Office or advisors should be regularly informed and trained on how compliance controls relate to the processes and technology implemented within the organization, while Information Technology personnel are responsible for ensuring that the implemented technological device has the capacity and capability to protect systems in accordance with information security and regulatory standards. It is important to segregate information security and information technology responsibilities to maintain internal checks and balances as well as accountability, thereby potentially thwarting inside attackers. Personnel should be trained to identify potential attacks and educated on how the technology assists in preventing attacks. There should be further understanding that the most prevalent type of attack relies on weaknesses in human behavior and can only be prevented by strengthening those human weakness. The knowledge of personnel to identify and conduct their role with great vigilance is absolutely essential in achieving a proactive response to cybersecurity threats.
Information Security Program that addresses institutional security risk, defines controls that adequately reduce that risk, and continuously trains and educates employees and consumers can provide a solid method to proactively mitigate cyber threats.
The Cloud – More than Condensed Water Vapor