
All Roads Lead to Risk Assessment


Christopher R. Barber, EVP & CIO, Commonwealth Business Bank
Historically, institutions focused primarily on detecting and protecting against possible information security breaches. In today's environment, however, defending against possible breaches is no longer enough. With the increase in cyberattacks, we must proactively seek out where an attacker may strike next and fortify that location through active risk assessment. This means that you not only implement a control, but that you test that control on a regular basis and adapt as necessary.
Cybercrime is becoming more frequent than ever, and it is not just the frequency that is increasing but the intent of the attacker. In years gone by, attackers would try to infiltrate a computer system as a challenge or prank, or to impress others in the hacker community. Today, however, attackers are becoming much more destructive, using Distributed Denial of Service (DDoS) attacks to bring down servers. These types of attacks can cause reputational damage and, in the case of transactional services, cause the company financial damage in lost sales. In some cases, the DDoS is just a distraction so that you take your eye off the other system controls while the attacker tries to get to your data.
While larger institutions are most often the targets of these types of attacks, smaller institutions need to be vigilant as well. Smaller companies may not be on the radar of most active attackers, but there are still plenty of ways attackers can worm their way into your network. This is most often accomplished through a process called "social engineering".
In short, social engineering is the manipulation of people so that they give up confidential information. The types of information attackers are looking for can vary, but when you are targeted, the attacker is usually trying to trick you into giving up your passwords or bank information, or into granting access to your computer so that they can install malicious software without your knowledge. This can be done electronically in many variations, such as phishing, baiting or ransomware. It can also be done in a more personal way, by calling you and pretending to be an employee, tailgating you into your office, and so on.
While security used to be all about information security, today we have to put more focus on cybersecurity. On 3rd November 2015, the FFIEC published a press release alerting financial institutions to the increasing frequency and severity of cyber-attacks involving extortion. So how do we protect our institutions from these bad guys? To quote a colleague, "All Roads lead to your Risk Assessment". In June of 2015, the FFIEC released a Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and assess their cybersecurity preparedness. There are two major parts to this assessment tool:
Inherent Risk Profile:
• This identifies the amount of risk to the organization based on the type, volume and complexity of its technologies, connections, delivery channels, products, services, organizational characteristics and external threats.
Cybersecurity Maturity Level:
• Cyber Risk Management Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience
If this all sounds like a lot to swallow, it is. While the FFIEC Cybersecurity Assessment Tool is meant for financial institutions, I feel it is a good example of how diligently all institutions should be reviewing their cybersecurity policies. We have recently begun our Bank's Cybersecurity Assessment, and it has taken not only time but also a lot of contemplation on our actual security positions. Once we worked our way through the 120+ risk assessment questions, we were able to assess our risk levels. Next we had to identify what mitigating controls we had in place to reduce that risk. Finally, and perhaps the more tedious process, we had to go through each of the 120+ risks/controls and map each one back to the policy, process or committee where that control was documented, and record when and how it was verified.
While this was a very detailed process, it was an eye-opening experience that showed exactly where our cybersecurity preparedness actually stood. By no means were we lacking in our overall security program, but it made clear that there were areas we should improve, such as testing and documentation: things we can show the examiners. One other area that this Cybersecurity Assessment had us focus on was how we manage our third-party vendor risk. Not only should we be doing cybersecurity assessments on our own organization, but we should also be looking at our Tier 1 vendors' cybersecurity programs. It is important that their programs be reviewed on a regular basis to ensure their compliance.
The last point I will make here, and an increasingly important one, is that many Boards of Directors and Executive Management feel that cybersecurity is only an IT issue. This couldn't be farther from the truth. Cybersecurity isn't a technical issue, it's a business issue. As such, it should be understood at all levels of the organization. The Board and Executive Management need to understand the risks their company is facing and the controls that are in place. Only then can they effectively evaluate the residual risk and decide whether or not they are willing to accept it. Cybersecurity by itself is not the end-all solution to IT security; however, it is another powerful tool in the overall fight against cybercrime. Remember, All Roads lead to your Risk Assessment.
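The mapping exercise described above (each control tied back to the policy where it is documented, plus when and how it was last verified) is the part that exposes documentation and testing gaps. The following is an added example, not code from the article or from the FFIEC tool, of a small control register check that flags exactly those gaps: controls with no policy mapping, no defined verification method, no verification on record, or a verification older than the review interval. The control identifiers, domain names, policy titles and dates are constructed sample values for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Control:
    """One mitigating control from the risk assessment, with its documentation trail."""
    control_id: str
    domain: str                       # CAT maturity domain the control supports
    description: str
    policy_ref: Optional[str]         # policy, process or committee where it is documented
    verification_method: Optional[str]  # how the control is tested (review, drill, audit...)
    review_interval_days: int         # how often the test must be repeated
    last_verified: Optional[date]     # date of the most recent test, if any


def control_gaps(controls: List[Control], today: date) -> List[Tuple[str, str]]:
    """Return (control_id, issue) pairs for every documentation or testing gap."""
    gaps = []
    for c in controls:
        if not c.policy_ref:
            gaps.append((c.control_id, "no policy mapping"))
        if not c.verification_method:
            gaps.append((c.control_id, "no verification method defined"))
        if c.last_verified is None:
            gaps.append((c.control_id, "never verified"))
        else:
            overdue = today - c.last_verified - timedelta(days=c.review_interval_days)
            if overdue > timedelta(0):
                gaps.append((c.control_id, f"verification overdue by {overdue.days} days"))
    return gaps


def gaps_by_domain(controls: List[Control], today: date) -> dict:
    """Count gaps per CAT domain so management can see where the weak spots cluster."""
    by_id = {c.control_id: c.domain for c in controls}
    counts: dict = {}
    for control_id, _issue in control_gaps(controls, today):
        domain = by_id[control_id]
        counts[domain] = counts.get(domain, 0) + 1
    return counts


# Constructed sample register: four controls spanning three CAT domains.
SAMPLE_CONTROLS = [
    Control("CC-01", "Cybersecurity Controls",
            "Multi-factor authentication for remote access",
            "Remote Access Policy v3", "quarterly access review", 90, date(2015, 10, 1)),
    Control("CC-02", "Cybersecurity Controls",
            "Annual phishing awareness training for all staff",
            "Security Awareness Policy", "annual training records check", 365, date(2014, 9, 15)),
    Control("CIR-01", "Cyber Incident Management and Resilience",
            "DDoS mitigation service with tested failover",
            None, "annual tabletop exercise", 365, None),
    Control("EDM-01", "External Dependency Management",
            "Tier 1 vendor cybersecurity program review",
            "Vendor Management Policy", None, 365, date(2015, 3, 1)),
]

ASSESSMENT_DATE = date(2015, 12, 1)  # constructed "as of" date for the sample run


if __name__ == "__main__":
    for control_id, issue in control_gaps(SAMPLE_CONTROLS, ASSESSMENT_DATE):
        print(f"{control_id}: {issue}")
    print(gaps_by_domain(SAMPLE_CONTROLS, ASSESSMENT_DATE))
```

Run against the sample register on the assessment date, the check reports the training control as overdue, the DDoS control as both undocumented and untested, and the vendor review as lacking any defined verification method, while the MFA control passes. The same function can be run monthly over the real register so that the list examiners ask for is always current rather than rebuilt before each review.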
