All Roads Lead to Risk Assessment

Christopher R. Barber, EVP & CIO, Commonwealth Business Bank

Historically institutions primarily focused on the detection and protection of possible Information Security breaches. However in today’s environment, defending against possible breaches is no longer enough. With the increase of Cyberattacks, we must be proactively seeking out where an attacker may strike next and fortify this location through active Risk Assessment. This means that you not only implement a control, but that you test that control on a regular basis and adapt as necessary.

Cybercrime is becoming more frequent than ever and it’s not just the frequency that is increasing but the intent of the attacker. In years gone by, attackers would try to infiltrate a computer system as a challenge or prank, or to impress others in the hacker community. However today, the attackers are becoming much more destructive, using Distributed Denial of Service (DDoS) attacks to bring down servers. These types of attacks can cause reputational risks and in the case of Transactional services, cause the company financial damage in lost sales. In some cases, the DDoS is just a distraction so you take your eye off the other system controls as the attacker tries to get to your data.

While most often larger institutions are the targets for these types of attacks, smaller institutions need to be vigilant as well. While smaller companies may not be on the radar of most active attackers, there are still plenty of ways they can worm their way into your network. This is most often accomplished through a process call “Social Engineering”.

In short, Social engineering is the manipulation of people, so that they give up confidential information. The types of information attackers are looking for can vary, but when targeted, the attacker is usually trying to trick you into giving them your passwords, bank information, or access your computer so that they can install malicious software without your knowledge. This can be done electronically in many variations such as Phishing, Baiting or Ransomware. They can also do it in a more personal way by calling you and pretending to be an employee, tailgating you into your office and so on.

Cybersecurity isn’t a technical issue, it’s a business issue. As such, it should be understood at all levels of the organization

While security used to be all about Information Security, today we have to put more focus on Cyber-Security. On 3rd November 2015, the FFIEC published a press release, alerting financial institutions of the increasing frequency and severity of cyber-attacks involving extortion. So how do we protect our institutions from these bad guys? To quote a colleague, “All Roads let to your Risk Assessment”. In June of 2015, the FFIEC released a Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and assess their Cybersecurity preparedness. There are two major parts to this assessment tool:

Inherent Risk Profile:

• This identifies the amount of risk to the organization based on types of volumes and complexities of technologies, connections, delivers channels, products, services, organizational characteristics and external threats.

Cybersecurity Maturity Level:

• Cyber Risk Management Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience

If this all sounds like a lot to swallow, it is. While the FFIEC Cybersecurity Assessment Tool is meant for financial institutions, I feel it is a good example of how diligently all institutions should be reviewing their Cybersecurity policies. We have recently begun our Bank’s Cybersecurity Assessment and it has taken us not only time, but it also required a lot of contemplation on our actual security positions. Once we worked our way through the 120+ risk assessment questions, we were able to assess our risk levels. Next we had to identify what mitigating controls we had in place to reduce that risk. Finally and perhaps a more tedious process, we had to go through each of the 120+ risks/controls and map each one back to the policy, process or committee where each control was documented and when and how it was verified.

While this was a very detailed process, it was an eye opening experience on exactly where our Cybersecurity preparedness actually was. By no means were we lacking in our overall Security Program, but it made it clear, there were areas we should improve; such as testing and documentation, things we can show the examiners. One other area that this Cybersecurity Assessment had us focus on was how we manage our 3rd Party Vender Risk. Not only should we be doing Cybersecurity Assessments on our organization, but we should also be looking at our Tier 1 Vendors Cybersecurity Programs. It is important that their programs bereviewed on a regular basis to ensure their compliance.

The last point I will make here, and an increasingly important one, is that many Boards of Directors and Executive Management feel that Cybersecurity is only an IT issue. This couldn’t be farther from the truth. Cybersecurity isn’t a technical issue, it’s a business issue. As such, it should be understood at all levels of the organization. The Board and Executive Management need understand the risks their company are facing and the controls that are in place. Only then can they can effectively evaluate the residual risk and decide whether or not they are willing to except it. Cybersecurity by itself is not the end-all solution to IT Security; however, it is another powerful tool in the overall fight against Cybercrime. Remember, All Roads lead to your Risk Assessment.