You remember the scene. In the film A Beautiful Mind, Russell Crowe, as math student John Nash, is sitting with his buddies in a bar, all contemplating going after the same woman. Suddenly, Nash is struck with his “governing dynamics” insight: if they all compete for the same woman, they will only “block” one another and nobody will “get the girl,” whereas they would be far more successful if each went after a different “target.”
So let’s pretend for a moment that all cyber criminals attack the same large financial institutions (because there are only so many). Rather than all of them ending up gloriously rich (and hopefully in jail), the large institutions put up enough defenses to make being a criminal difficult. So what do the criminals do next? Get a regular day job? No. They start looking at different targets. And one class of targets that may not deliver a big score, but still provides a decent payday for the bad guys, is smaller financial institutions.
Hence, while most of the cybersecurity talk is focused on large financial institutions, what governing dynamics tells us (and what I’m hearing from regulatory agencies) is that mid-size and smaller institutions are actually more attractive targets, because attackers presume that their security measures are less robust and that they are not already being worked over by other predators. So, small or mid-size institutions: this one’s for you.
What are the potential consequences of a cyber attack? The list may be short, but it is chock-full of detrimental consequences:
- Data compromise
- Identity theft
- Transactions blocked
- System crash
These consequences might actually be more disastrous for smaller institutions than for larger ones, for the same reason that smaller institutions are an “easy” target: a smaller staff or smaller budget can be completely overwhelmed by any kind of data breach.
What’s an institution to do? Here are seven suggestions:
- Maintain a current cyber risk assessment. Based on the risks identified in this assessment…
- Implement appropriate risk-mitigation controls. Look closely at vendor due diligence to make sure that contracts, where appropriate, give you the right to:
  - review the third party’s security and incident-response policies;
  - review the third party’s audit reports and its responses to any findings described in those reports; and
  - be notified immediately if there is any breach of the vendor’s systems.
- Create or enforce a strict password policy. Require long, unique passwords, screen new passwords against lists of known-breached ones, and change a password promptly whenever compromise is suspected. Forcing changes on a fixed schedule is no longer recommended (NIST SP 800-63B dropped the practice) because it pushes users toward predictable variations of the old password. Ensure that passwords are not written down in unsecured places or shared between employees when inappropriate.
- Manage patches. Set a timeframe that says which “patches” (security updates) go onto which machines and applications, and by when, based on the severity of the vulnerability they fix and on how exposed the system is (an internet-facing server should get a shorter window than an internal workstation).
- Assess whether your network monitoring systems are adequate to mitigate the risks identified in your risk assessment.
- Write cyber attack response procedures. In the event that you experience a cyber attack (and we hope you don’t), written procedures ensure you’re ready to make an appropriate and timely response.
- Practice the response procedures. Doing this will make sure your staff is familiar with them and can effectively carry them out.
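The patch-management suggestion above is the one on this list that lends itself to a concrete check. The following script is an added example, not part of the original post or of any regulatory guidance: it encodes severity-based patch windows (the seven/14/30/90-day values and the half-window for internet-facing hosts are assumptions chosen for illustration), runs them over a constructed inventory of pending and applied patches, and reports which pending patches are past their deadline and how the institution is doing overall. Host names and patch identifiers are made up.

```python
from datetime import date, timedelta

# Maximum days between a patch's release and its installation, by vendor
# severity. The windows and the tighter factor for internet-facing hosts are
# assumptions chosen for this example, not a regulatory requirement.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
EXPOSED_FACTOR = 0.5  # internet-facing hosts get half the window

# Reporting date for the sample run (assumption).
AS_OF = date(2024, 3, 1)


def patch_deadline(released, severity, exposed):
    """Date by which a patch of the given severity must be applied on a host."""
    try:
        days = PATCH_WINDOW_DAYS[severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity {severity!r}")
    if exposed:
        days = max(1, int(days * EXPOSED_FACTOR))
    return released + timedelta(days=days)


def overdue_patches(inventory, today):
    """Pending patches that are past their deadline, most overdue first."""
    late = []
    for rec in inventory:
        if rec["applied"] is not None:
            continue  # already installed; handled by compliance_summary
        due = patch_deadline(rec["released"], rec["severity"], rec["exposed"])
        if today > due:
            late.append({"host": rec["host"], "patch": rec["patch"],
                         "severity": rec["severity"], "due": due,
                         "days_overdue": (today - due).days})
    late.sort(key=lambda r: r["days_overdue"], reverse=True)
    return late


def compliance_summary(inventory, today):
    """Counts for a management report: applied on time/late, pending in/out of window."""
    summary = {"applied_on_time": 0, "applied_late": 0,
               "pending_in_window": 0, "pending_overdue": 0}
    for rec in inventory:
        due = patch_deadline(rec["released"], rec["severity"], rec["exposed"])
        if rec["applied"] is None:
            key = "pending_overdue" if today > due else "pending_in_window"
        else:
            key = "applied_late" if rec["applied"] > due else "applied_on_time"
        summary[key] += 1
    return summary


# Constructed sample inventory: one record per (host, patch) pair.
SAMPLE_INVENTORY = [
    {"host": "web-01", "exposed": True, "patch": "PATCH-2024-001",
     "severity": "critical", "released": date(2024, 2, 10), "applied": None},
    {"host": "web-01", "exposed": True, "patch": "PATCH-2024-004",
     "severity": "low", "released": date(2024, 2, 20), "applied": None},
    {"host": "core-db", "exposed": False, "patch": "PATCH-2024-001",
     "severity": "critical", "released": date(2024, 2, 10),
     "applied": date(2024, 2, 15)},
    {"host": "core-db", "exposed": False, "patch": "PATCH-2024-002",
     "severity": "high", "released": date(2024, 1, 10),
     "applied": date(2024, 2, 10)},
    {"host": "teller-07", "exposed": False, "patch": "PATCH-2024-003",
     "severity": "high", "released": date(2024, 2, 1), "applied": None},
    {"host": "teller-07", "exposed": False, "patch": "PATCH-2024-005",
     "severity": "medium", "released": date(2024, 2, 20), "applied": None},
]

if __name__ == "__main__":
    for r in overdue_patches(SAMPLE_INVENTORY, AS_OF):
        print(f"{r['host']:10} {r['patch']:15} {r['severity']:8} "
              f"due {r['due']} ({r['days_overdue']} days overdue)")
    print(compliance_summary(SAMPLE_INVENTORY, AS_OF))
```

Run against the sample data as of 2024-03-01, the exposed web server's critical patch (window cut to 3 days) comes out 17 days overdue and the teller workstation's high-severity patch 15 days overdue, while the database server's earlier high-severity patch shows up as applied late. Feeding the script a real export from your patch-management tool, with the windows set to whatever your risk assessment justifies, turns the “timeframe” in the suggestion above into something an examiner can see you measuring.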
The small or mid-size institution that follows this course is the small or mid-size institution that survives a cybersecurity attack—or at least, the cybersecurity exam—no matter how much the attackers seem to understand governing dynamics.