ESRA gathers security experts together to discuss the important points that impact virtually every industry, government, and legal entity across the globe.
Data security, cyber risk, and electronic documents are topics that are always top of mind for executives across the world. ESRA gathered a number of industry experts together to discuss these issues and their impact on its constituents.
The participants were:
Rena Mears: Managing Director, BuckleySandler LLP
Nick Brown: Associate Director, Navigant Consulting
T.J. Parks: Senior Advisor, Treliant Risk Advisors
Brown opened the discussion by referencing a bank hacking incident. It involved cyber hacking and what he called “the old time boiler room operation, with the penny stocks and the dialing for dollars.” This time, though, he noted that the operation was more sophisticated, because the scammers were able to raise their legitimacy by getting their hands on information that would only be known by financial services companies.
“You’d think people would have learned, but they never will,” Brown said of the operation. “I’m surprised there wasn’t a Ponzi scheme running too,” he added. He noted that even though people should know better about such scams, even the ones who do realize what they’re getting into think they will outsmart everyone else and pull their money out before getting ripped off.
Brown then went on to discuss other threats the financial services industry is facing, such as external vendors who become insider threats, by which he means hackers have formed partnerships with consultants who sell them user IDs and passwords. “In one case, we were so sure the hacker was coming in under a vendor’s name that we set up a digital recorder and found the hacker coming into the account and collecting credit card data from malware stored on the machine,” he said.
Of course, even if you don’t have a turncoat vendor to deal with, Brown noted, you can be sure that simply putting a server online means it will be tested by hackers, including rogue nations. “We see brute force attacks every day from China and eastern Europe,” he said. “We also see open source code vulnerabilities out there. Hackers have scanners that detect those vulnerabilities and then they exploit those pages to plant malware and get them into the company network, or obtain credit card information, user names and passwords, and so forth.”
He continued: “We’ve seen them targeting credit unions especially this year. The hacker community has learned that as bank security is tightened, credit unions are becoming more like banks. And when all else fails, there are the traditional phishing emails. Why would people fall prey to those? That happens not only in financial services but also with doctors who are fearful they will be locked out of patient medical records if they don’t turn over a user name and password. It’s the suspension of disbelief, as psychologists say, that causes this.”
So what should you do when you have a breach in progress? Brown listed the steps:
The components of an effective risk mitigation program
Parks then took his turn. “What we’ve seen that will help mitigate the risk of these attacks is to take a three-pronged approach,” he explained. “Protecting, detecting, and responding to the attacks is the first one, and then privacy and security are the other two prongs. You need to take those three functions and move away from the internal silos to defend yourself from the attacks.”
He also listed the components of an effective program:
Risk mitigation isn’t simple
Parks then handed the discussion over to Mears, who talked about why a risk mitigation program isn’t as simple to maintain as Parks made it sound. “You think you’re through the worst of it when you’re told the hackers are gone, but you’re never quite sure they’re gone,” she said. “But equally scary are the regulators: Once there’s a high-value target for hackers, it’s high-value to regulators too, who can be inquisitive to the point of distraction.”
She added: “If you’re talking about a breach of information, you quickly get involved in state breach laws. Nearly all of them have breach notification laws. There are some commonalities, but some are far afield too. You often find yourself having to define what didn’t happen in a breach, for example. The average person in a company assumes that a breach means data left the building, but that’s not the definition in many states, which don’t see data loss as relevant.
“There are also disagreements among the states regarding how long you have to respond to the breach. So now if you can’t prove what information got out and who got in, but you also have to inform the public and talk to regulators, you find yourself having to change the facts of what happened, which doesn’t make regulators happy. You typically have multi-state investigations after that, and then federal regulators who step in.”
She continued with a list of the things regulators look for:
“You’re responsible for yourself and your vendors,” she noted. “You can’t delete cyber security.”