Corporate Compliance Insights
Rethink Cybersecurity to Reduce Risk of Hacks

by Alf Poor
December 10, 2015
in Risk

Internet-based technology and services are expanding faster than the security around them. As the Internet evolves at an untethered pace, attackers iterate just as quickly as the innovators. The result is a gap that is all too easily exploited, and little clarity, from a corporate governance perspective, on how to mitigate the risk effectively.

On November 10th, federal prosecutors announced charges relating to last year’s JPMorgan Chase hack. In what they called “the largest cyber hacking scheme ever uncovered,” prosecutors detailed how the defendants stole information on over 100 million individuals and broke into more than 12 organizations, seven of them financial institutions.

“The breaches of these firms were breathtaking in scope and in size,” said Preet Bharara, the U.S. attorney for the Southern District of New York. “The conduct alleged in this case showcases a brave new world of hacking for profit.”

Whether the target is a financial institution, a retailer, a health care provider, a government agency or an online service such as Ashley Madison, recent high-profile data breaches have exposed how little C-level executives understand the extent of their exposure to cyber attacks. Any industry that holds sensitive information, and particularly one that collects and manages personal and financial data, is a target. With seemingly no way to prevent the breach, or to stop the media from sensationalizing it, big business has paid the price twice over: in damaging headlines on one side, and in fines, compensation or extortionate payments to the hackers to get its data back on the other.

So, what happens now? To date, the federal government has passed no national cybersecurity legislation, leaving government departments, as well as individual states, to enact their own.

States such as California and Massachusetts already have regulations on data leaks in place, but New York was the first to audit the cybersecurity of its banks, in 2013. The findings of that audit prompted the New York State Department of Financial Services (NYDFS) to issue a letter recently outlining potential new cybersecurity regulations for banks and financial institutions. Although these regulations would apply only to institutions under NYDFS jurisdiction, they are a good indication of what financial institutions in other states can expect to see.

“The New York State Department of Financial Services considers cybersecurity to be among the most critical issues facing the financial world today,” wrote Anthony Albanese, acting NYDFS superintendent.

The NYDFS regulations, which look like a question of when rather than if, would require banks and financial institutions to implement a number of significant measures, from multi-factor authentication to encryption and the maintenance of an audit trail. The NYDFS is taking this position because the institutions it regulates have not been able to protect themselves adequately against hackers. But with all the wealth and expertise in the banking sector, why is that?

As with many decisions in life and business, the hardest problems are usually best solved by breaking them down to their simplest terms. While the NYDFS letter outlines important and necessary cybersecurity measures, it gives no context for why these regulations have come into focus. Whether as consumers or as Board members, we have become conditioned to expect hacks. We are told, and we tell ourselves, that there is nothing we can do, that the hackers have more sophisticated methods than we have tools to stop them. Actually, no. The reason we face this crisis is a simple one, and it comes down to leaving the old domain-perimeter mentality in the past.

Securing Data at the Data Level

Today, network and data security still operate like a medieval fortress. The network perimeter is protected by strong castle walls, perhaps ringed by a moat and a drawbridge. Once the fortifications (firewall, anti-virus, spam filter and so on) are breached, the invaders have free run of the treasures inside.

In the past, these defenses provided adequate protection against cyber attacks. But they are reactive by design: they recognize attacks by the signatures of exposures that have already been seen. This is where security has been well and truly left behind, because attacks are no longer limited to specific, repeated methods. Many combine technical exploitation with social engineering to reach their goal.

So the hard truth is that, under the fortress model, the data inside an organization’s walls is no longer safe from a determined attacker. On top of this, because current technology is built around the perimeter and keeping uninvited visitors out, breaches that originate inside the organization, through human error or a malicious employee, are barely addressed at all.

As for the data an organization has shared or sent outside its domain? No one has ever expected that to be protected. Once the treasure has passed through the fortress gate and across the drawbridge, organizations have come to accept that it is at the mercy of anyone it comes into contact with. But there is no reason it has to be this way.

All that is required is a change of mindset, away from nervous acceptance of the status quo and towards an expectation of proper security. You achieve this by securing the data itself. Instead of building thicker walls and a wider, deeper moat, treat each piece of data as separately valuable and protect it accordingly.

By encrypting data at the data level, organizations get pervasive and persistent protection wherever the data goes, including when it travels across domain boundaries. The caveat any practitioner will raise is that this protection is only as strong as the key management around it: whoever obtains the key, or acts as a user who legitimately holds it, can still read the data, which is why encryption has to be paired with control over who may use it.
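What "securing the data itself" looks like in code, as an added example that is not part of the original article and not the author's product: each record is encrypted under AES-256-GCM, and the plaintext label that must travel with it (record ID, classification, owner) is bound to the ciphertext as associated data. The sealed record can be emailed or copied across the domain boundary; without the key it is unreadable, and any change to the label or the body is detected on opening. The header fields, the sample record and the choice of AES-GCM are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Header is the metadata that travels with a record in the clear, so a
// recipient can route and classify it without the key. It is authenticated
// (bound to the ciphertext), so it cannot be altered without detection.
// The fields are an assumption for this example.
type Header struct {
	RecordID       string `json:"record_id"`
	Classification string `json:"classification"`
	Owner          string `json:"owner"`
}

// Protected is the self-describing form of a record that crosses a domain
// boundary: header, nonce and ciphertext (GCM tag appended). Only the key is
// missing, and the key is what access control is now about.
type Protected struct {
	Header     Header `json:"header"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body under key with a fresh random nonce and binds hdr to the
// ciphertext as associated data.
func Seal(key []byte, hdr Header, body []byte) (*Protected, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aad, err := json.Marshal(hdr) // struct field order is fixed, so this is deterministic
	if err != nil {
		return nil, err
	}
	return &Protected{Header: hdr, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, body, aad)}, nil
}

// Open checks header and ciphertext together and returns the plaintext body.
// A wrong key, an edited header or a flipped ciphertext byte all fail here.
func Open(key []byte, p *Protected) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	aad, err := json.Marshal(p.Header)
	if err != nil {
		return nil, err
	}
	body, err := aead.Open(nil, p.Nonce, p.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("record rejected: wrong key, or header/body tampered with")
	}
	return body, nil
}

// NewKey returns a fresh random 256-bit key. In production the key lives in a
// key-management service, never beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func main() {
	key, _ := NewKey()
	hdr := Header{RecordID: "acct-0001", Classification: "confidential", Owner: "alice"} // constructed sample
	p, _ := Seal(key, hdr, []byte("account 0001 balance 1,250.00"))                   // constructed sample

	wire, _ := json.Marshal(p) // this is what leaves the domain
	fmt.Printf("on the wire: %s\n", wire)

	var received Protected
	_ = json.Unmarshal(wire, &received)
	body, err := Open(key, &received)
	fmt.Printf("recipient with key: %q, err=%v\n", body, err)

	received.Header.Classification = "public" // an intermediary downgrades the label
	_, err = Open(key, &received)
	fmt.Println("after header edit:", err)
}
```

The point to take from the failure cases is that the label is part of what is protected: an attacker who cannot read the body also cannot quietly reclassify "confidential" as "public" to get it past a downstream control. GCM's nonce is 96 bits of randomness here, which is fine for a per-record key or a key rotated well before the 2^32-message mark; under a single long-lived key, a counter-based nonce scheme is the safer choice.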

A System with Your Security on its Mind

So, let’s assume your organization now has every file, folder and database secured by encryption. Is that enough? In a word, no. There is still the problem of rogue employees with legitimate access to your data, and of the social engineering that attackers increasingly use to take over an email account or gain a foothold on the network. Put simply, on a corporate network with potentially millions, if not billions, of data files, an adequate security system still has to monitor and enforce user access according to corporate governance, policies and procedures.

With so many users and such volumes of files, that looks like a mountainous task, and certainly not one that can be tracked manually. Enter User Behavior Analytics: the algorithmic monitoring of user behavior, often marketed under the broader label of Artificial Intelligence (AI).

User Behavior Analytics lets an organization monitor user behavior in real time, learning each user’s typical patterns and flagging the subtle deviations that represent risk. It does this by recording key behavioral attributes (when a user works, from where, what they touch and how much) to form a baseline against which the system judges whether an anomaly is a real threat. If activity is deemed high risk, the system responds by temporarily revoking the user’s credentials and alerting IT administration. If the user turns out to be genuine, they contact IT and are reinstated.
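The baseline-and-deviation loop just described, reduced to its essentials in an added example (this is illustrative code written for this page, not any vendor's analytics engine): a baseline per user is learned from historical access events, each live event is scored on three deviations (an hour never seen for that user, a source host never seen, and an hourly file volume more than two standard deviations above the user's mean), and a score at or above the threshold suspends the account until IT reinstates it. The access-log format, the weights and the threshold are assumptions; the history and live events are constructed.

```go
package main

import (
	"fmt"
	"math"
)

// AccessEvent is one record from a file-access log: who, from which host, in
// which hour of the day, and how many files they read in that hour.
type AccessEvent struct {
	User, Host  string
	Hour, Files int
}

// Baseline is the learned "normal" for one user: the hours and hosts seen in
// history plus the mean and standard deviation of hourly file volume.
type Baseline struct {
	Hours               map[int]bool
	Hosts               map[string]bool
	MeanFiles, StdFiles float64
	n, sum, sq          float64 // running sums used while learning
}

// BuildBaselines learns one Baseline per user from historical events.
func BuildBaselines(history []AccessEvent) map[string]*Baseline {
	out := map[string]*Baseline{}
	for _, e := range history {
		b := out[e.User]
		if b == nil {
			b = &Baseline{Hours: map[int]bool{}, Hosts: map[string]bool{}}
			out[e.User] = b
		}
		x := float64(e.Files)
		b.Hours[e.Hour], b.Hosts[e.Host] = true, true
		b.n, b.sum, b.sq = b.n+1, b.sum+x, b.sq+x*x
	}
	for _, b := range out {
		b.MeanFiles = b.sum / b.n
		// Population standard deviation, floored at 1 so a flat history cannot divide by zero.
		b.StdFiles = math.Max(math.Sqrt(b.sq/b.n-b.MeanFiles*b.MeanFiles), 1)
	}
	return out
}

// Verdict is the engine's decision for one live event.
type Verdict struct {
	Score   float64
	Reasons []string
	Revoked bool
}

// Engine scores live events and enforces the response described above: at or
// above Threshold the user's credentials are suspended until IT reinstates them.
type Engine struct {
	Baselines map[string]*Baseline
	Threshold float64
	Suspended map[string]bool
}

func NewEngine(history []AccessEvent, threshold float64) *Engine {
	return &Engine{Baselines: BuildBaselines(history), Threshold: threshold, Suspended: map[string]bool{}}
}

// Evaluate scores one event. The weights and threshold are illustrative choices, not a standard.
func (g *Engine) Evaluate(e AccessEvent) Verdict {
	if g.Suspended[e.User] {
		return Verdict{Revoked: true, Reasons: []string{"credentials suspended, awaiting IT reinstatement"}}
	}
	var v Verdict
	add := func(weight float64, why string) { v.Score += weight; v.Reasons = append(v.Reasons, why) }
	if b, ok := g.Baselines[e.User]; !ok {
		add(1.5, "no baseline for this account") // worth an alert, not an automatic revocation
	} else {
		if !b.Hours[e.Hour] {
			add(1.5, fmt.Sprintf("%02d:00 is outside the user's usual hours", e.Hour))
		}
		if !b.Hosts[e.Host] {
			add(1.5, "host never seen for this user: "+e.Host)
		}
		if z := (float64(e.Files) - b.MeanFiles) / b.StdFiles; z > 2 {
			add(2, fmt.Sprintf("%d files is %.1f standard deviations above the user's mean", e.Files, z))
		}
	}
	if v.Revoked = v.Score >= g.Threshold; v.Revoked {
		g.Suspended[e.User] = true // temporary revocation; the alert to IT would be raised here too
	}
	return v
}

// Reinstate is the help-desk action once the user has been verified as genuine.
func (g *Engine) Reinstate(user string) { delete(g.Suspended, user) }

// Constructed history: alice works 09:00-16:00 from ws-alice, reading 30-50 files an hour.
var HistoryLog = []AccessEvent{
	{"alice", "ws-alice", 9, 30}, {"alice", "ws-alice", 10, 40}, {"alice", "ws-alice", 11, 50},
	{"alice", "ws-alice", 12, 40}, {"alice", "ws-alice", 13, 30}, {"alice", "ws-alice", 14, 45},
	{"alice", "ws-alice", 15, 35}, {"alice", "ws-alice", 16, 40},
}

func main() {
	eng := NewEngine(HistoryLog, 3.0)
	// Constructed live events: a normal mid-morning read, then a 03:00 bulk read from an unknown host.
	for _, e := range []AccessEvent{{"alice", "ws-alice", 10, 45}, {"alice", "vpn-unknown", 3, 400}} {
		fmt.Printf("%+v -> %+v\n", e, eng.Evaluate(e))
	}
}
```

Two design points matter more than the arithmetic. First, a single deviation (working late one night) scores below the threshold, so it is logged rather than acted on; it takes several deviations together, or a large volume spike, to trigger revocation, which is what keeps the false-positive rate tolerable for the help desk. Second, an account with no baseline at all is treated as alert-worthy, since a freshly created or dormant account is exactly what an intruder tends to use.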

In summary, any CIO, CISO, CTO or even CEO reviewing their cyber defense strategy needs to think beyond the latest-and-greatest versions of the familiar tools. For true cybersecurity, organizations must combine data encryption, identity management (using multi-factor authentication, not just a username and password), user behavior analytics and tamper-proof auditing, meaning an audit trail that cannot be altered or truncated without detection. Only then can IT administrators and C-level leadership begin to sleep soundly at night.
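The last of those four measures deserves a concrete shape, so here is an added example (written for this page, not taken from the article, the author or any product) of an audit trail that is tamper-evident in the strict sense: every entry carries an HMAC over its sequence number, the previous entry's MAC and its message, so editing, deleting or reordering a record breaks the chain at that point, and publishing the latest MAC somewhere the log writer cannot reach exposes silent truncation as well. The key, the entry format and the sample messages are assumptions; the messages are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Entry is one audit record. MAC covers Seq, Prev and Msg, and Prev is the
// previous entry's MAC, so every record is chained to everything before it.
type Entry struct {
	Seq  int
	Msg  string
	Prev string // hex MAC of the previous entry, empty for the first
	MAC  string // hex HMAC-SHA256 over Seq, Prev and Msg
}

// AuditLog appends entries under a MAC key. The key must be held by the
// logging service (or an HSM), not by the administrators whose actions the log
// records; otherwise they could rewrite the chain and re-MAC it.
type AuditLog struct {
	key     []byte
	Entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// entryMAC binds the three fields with a separator that cannot occur in the
// decimal Seq or the hex Prev, so no two distinct inputs share an encoding.
func entryMAC(key []byte, seq int, prev, msg string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(strconv.Itoa(seq) + "|" + prev + "|" + msg))
	return hex.EncodeToString(h.Sum(nil))
}

// Append chains a new message onto the log and returns the entry written.
func (l *AuditLog) Append(msg string) Entry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].MAC
	}
	e := Entry{Seq: len(l.Entries), Msg: msg, Prev: prev}
	e.MAC = entryMAC(l.key, e.Seq, e.Prev, e.Msg)
	l.Entries = append(l.Entries, e)
	return e
}

// Tail is the MAC of the latest entry: the value to publish somewhere the log
// writer cannot reach (another system, a ticket, a printed daily report), so
// that silent truncation of the log is detectable too.
func (l *AuditLog) Tail() string {
	if len(l.Entries) == 0 {
		return ""
	}
	return l.Entries[len(l.Entries)-1].MAC
}

// Verify recomputes the chain and returns the tail MAC it ends on. Any edited,
// deleted or reordered entry breaks the chain at the first affected record.
func Verify(key []byte, entries []Entry) (string, error) {
	prev := ""
	for i, e := range entries {
		if e.Seq != i || e.Prev != prev {
			return "", fmt.Errorf("entry %d: chain link broken (record removed or reordered)", i)
		}
		want := entryMAC(key, e.Seq, e.Prev, e.Msg)
		if !hmac.Equal([]byte(e.MAC), []byte(want)) {
			return "", fmt.Errorf("entry %d: MAC mismatch (record content altered)", i)
		}
		prev = e.MAC
	}
	return prev, nil
}

// Check verifies the chain and confirms it ends on the externally published anchor.
func Check(key []byte, entries []Entry, anchor string) string {
	tail, err := Verify(key, entries)
	switch {
	case err != nil:
		return err.Error()
	case tail != anchor:
		return "chain intact but does not end on the published anchor (log truncated?)"
	}
	return "ok"
}

func main() {
	key := []byte("constructed-demo-key") // constructed; a real key comes from a KMS or HSM
	audit := NewAuditLog(key)
	for _, m := range []string{"alice read acct-0001", "uba suspended alice: 03:00 bulk read", "it reinstated alice"} {
		audit.Append(m)
	}
	anchor := audit.Tail()
	edited := append([]Entry(nil), audit.Entries...)
	edited[1].Msg = "uba: nothing to see here"
	fmt.Println("clean:    ", Check(key, audit.Entries, anchor))
	fmt.Println("edited:   ", Check(key, edited, anchor))
	fmt.Println("truncated:", Check(key, audit.Entries[:2], anchor))
}
```

Note the separation of duties the design depends on: the MAC key and the published anchor must both live outside the reach of anyone who can write the log, or the chain proves nothing. That is also why "tamper-evident" is the honest term; the scheme cannot stop a privileged insider from changing the log, it can only make the change impossible to hide.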