Feature Article written by Bruce Phillips – SVP, Chief Information Security Officer
Protecting the personal financial information of the consumers we serve is a mandate that we are all called upon to fulfill. Doing so in a fully connected world where our firewalls and protocols are the only lines of defense against hackers driven to break through any electronic barrier can seem a daunting task. It’s not easy, but a good information security strategy will go a long way toward protecting your company and your customers.
The truth is difficult to hear, but essential if we hope to limit our risk. In spite of our very best efforts, the ability to keep the committed attacker out of a network is extremely limited. Similar to our physical homes, if someone is fully committed to getting in, he/she will find a way to do so. No amount of locks or alarms or alarm signs will prevent it. But we can be ready when it occurs.
Your Information Security Strategy
In a world where every locked door can be opened, the hacker will usually choose to go through the door that is most easily opened. When the same or similar information — the treasure that hackers seek — is located in more than one location, the criminal will seek out the easiest mark. We’re used to hearing this stated in a slightly different way: “You don’t have to be faster than the bear; you just have to be faster than the other person fleeing the bear.”
The way to be faster than the bear is to have a solid strategy for information security. This begins with a strong framework, which generally takes the form of an Information Security Management System (ISMS). The ISMS puts the company’s policies and procedures into a framework that includes all legal, physical and technical controls involved in the company’s information risk management processes.
Several such frameworks exist, developed by consortia of IT security experts. You may choose ISO/IEC 27001, NIST’s Cybersecurity Framework, the Control Objectives for Information and Related Technologies (COBIT) framework developed by ISACA, or something else. Much has been written on the benefits of one framework over another. That’s beyond the scope of this article, but the important thing is to choose one.
A good ISMS framework is important because it gives the information security department metrics to measure against. Without a framework, it is very difficult to know how well the company is protecting itself from outside threats. A framework also gives the IS manager a set of management-approved steps to take in the event of an intrusion.
A good framework will help the company determine which information assets will be most attractive to a criminal. This allows the firm to layer protection and countermeasures on those online assets that are sensitive or at risk and to spend relatively less time on those that are not. For instance, the company’s marketing website may be targeted with a nuisance attack to render it unavailable, but without sensitive consumer data on that server, there is little reason for hackers to spend time there.
Building effective strategies for protecting sensitive information can begin once a good ISMS is in place. This work is informed by a threat assessment.
Knowing where you are at risk
When it comes to information security, our industry faces both generic risks that are aimed at any industry as well as industry-specific risks. Chief among these risks is ransomware, where an unknown entity takes control of your data and then charges you a fee to get it back.
This kind of attack can be leveled at anyone in any industry, as long as the hacker can find some information of value. This happens to businesses, but it also happens to consumers, who are attacked via vulnerabilities in their home PCs.
Another attack that is very specific to our industry involves our escrow accounts. In our business, we become responsible for large sums of other people’s money. Hackers have long tried to get access to those accounts or, failing that, to trick industry workers into sending those funds to the wrong place.
We’ve actually become much better, as an industry, at protecting ourselves from these attacks, and as a result criminals are now going after consumers with similar schemes. Today, we see them going back to the homebuyers and trying to get them to send money intended for escrow into the criminals’ own accounts. They’re doing this because consumers are not as good at protecting themselves; they are the slower runner in front of the bear.
Finally, there is traditional malware: the viruses that are liberally distributed through the Internet. We must remain vigilant to protect our systems from mindless code intent on bringing them down.
The biggest mistake you can make
A good strategy built upon a solid ISMS is the starting point, but avoiding the pitfalls requires management to guard against a few critical errors. The most important of these has to do with the business person’s favorite technology tool.
Most businesspeople love e-mail. They use it all day long. But to the person charged with protecting your most sensitive data, e-mail is evil. It was never meant to be a secure method of communication. It’s easily spoofed: it takes very little technical knowledge to forge an e-mail so that it appears to come from anyone you like. This makes it a gold mine for hackers.
Never rely on e-mail for this, and let all transaction participants know you will never send them wiring instructions via unencrypted e-mail. This is the path of least resistance for the criminal, who simply sends an e-mail to the buyer with his own bank account information and steals the money. Don’t let that happen.
For the company, protecting your e-mail server is a major undertaking. We see thousands of e-mail attacks hit our servers daily; upwards of 87% of all the e-mail messages we receive are malicious!
We use sophisticated blocking technologies to protect our people and customers from these attacks, but not all companies have the resources and infrastructure to accomplish this. For these firms, it comes down to training so their people know where the dangers lie.
In the end, and despite all of our safeguards, we must accept the fact that we will be hacked. It’s not a matter of “if,” it’s a matter of “when.” Knowing this, we must plan for it. Know exactly what steps will be taken when it occurs so that you can limit the damage, protect what you can and remain in business.
Ultimately, having a strategy in place will serve you much better than the old adage that too many seem to be holding to these days: “When in trouble or in doubt, run in circles, scream and shout.” Prepare now and leave the panic for your competitors.
About the author:
Bruce Phillips is Senior Vice-President and Chief Information Security Officer for Williston Financial Group. He can be reached at Bruce.Phillips@willistonfinancial.com.