The story of the Trojan war is one of the most well-known in Greek mythology. The Spartans besieged Troy, but despite having both Achilles—the greatest warrior in Greek mythology—and a much larger army, the city stood. According to the myth, it was prophesied that Troy could not fall unless some very specific conditions (something about relatives of Achilles and arrows of Heracles) were met. It wasn’t until the Spartans built the famed Trojan Horse, and were able to sneak into the city inside the giant wooden horse, that Troy finally fell.
While it’s not likely that your institution is besieged by an army waiting to crush you at your first sign of weakness, and the oracles probably haven’t prophesied the conditions of your doom, there are some very real and very constant threats to your institution’s cybersecurity. So what are these threats, and what can your institution do to protect itself?
In light of recent cyber attacks, and in order to help mitigate some of the cybersecurity risks faced by financial institutions, the FFIEC released an information security booklet reminding financial institutions how they can best protect themselves from cyberattacks.
Before even the most well-written and all-encompassing information security program can be effective, your institution needs to have a strong security culture. The security culture of an institution starts with the board and management. They are the ones responsible for providing appropriate resources for developing, implementing, and maintaining the information security program. Their attitude about information security will trickle down to all other employees, and can help entrench a security culture within the institution.
How can you gauge how strong your security culture is? The best method is by looking at the introduction of new business initiatives (such as new service offerings or applications). An institution with a stronger security culture generally integrates information security into new initiatives from the outset and throughout the life cycles of services and applications. Another indicator of an effective culture is whether management and employees are held accountable for complying with the institution’s information security program.
Information Security Program
With a strong security culture in place, your institution’s information security program will be much more effective. That effectiveness will further increase when the program covers the identification, measurement, mitigation, and monitoring of security risks.
Here are the four areas your information security program should focus on:
No. 1: Risk Identification
Risk is generally divided into categories, and one of these is operational risk. Operational risk is the risk of failure or loss resulting from inadequate or failed processes, people, or systems. Both internal events (such as human errors, misconduct, and insider attacks) and external events (such as natural disasters, cyber attacks, changes in market conditions, new competitors, and new technologies) affect operational risk.
An effective information security program includes processes to continuously identify threats and vulnerabilities from both internal and external events. Risk identification should categorize threats, sources, and vulnerabilities to determine the institution’s risk profile.
No. 2: Risk Measurement
A good risk measurement process effectively determines how much risk a threat or vulnerability poses to an institution. Threat analysis tools also help in understanding and measuring risk. Some of these tools include event trees, attack trees, and kill chains. These tools break an event down into stages so that each stage, and the event as a whole, can be better understood.
In addition to threat analysis tools, a method of categorization for security-related events can help with the following:
- Mapping threats and vulnerabilities
- Incorporating legal and regulatory requirements
- Improving risk management consistency
- Highlighting potential areas for mitigation
- Allowing comparisons between different threats and events
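As an added illustration of the attack-tree approach to risk measurement described above (this is not code from the FFIEC booklet or from AffirmX's tool), the following Python snippet rolls estimated likelihoods up an attack tree, scores each event against an impact scale so that different events can be compared, and flags the step whose control would reduce the event's likelihood the most. The tree contents, the likelihood figures and the impact weights are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Node:
    name: str
    likelihood: float = 0.0      # leaves only: estimated chance the step succeeds
    gate: Optional[str] = None   # "AND" or "OR" on internal nodes
    children: List["Node"] = field(default_factory=list)

def tree_likelihood(node: Node) -> float:
    """Roll leaf estimates up the tree: AND multiplies, OR keeps the worst branch."""
    if not node.children:
        return node.likelihood
    vals = [tree_likelihood(c) for c in node.children]
    if node.gate == "AND":
        p = 1.0
        for v in vals:
            p *= v
        return p
    if node.gate == "OR":
        return max(vals)
    raise ValueError(f"internal node {node.name!r} needs an AND or OR gate")

IMPACT = {"low": 1, "moderate": 2, "high": 3}  # qualitative scale; weights are an assumption

def risk_score(tree: Node, impact: str) -> float:
    """Likelihood x impact, rounded so different events compare on one scale."""
    return round(tree_likelihood(tree) * IMPACT[impact], 3)

def leaves(node: Node) -> List[Node]:
    return [node] if not node.children else [x for c in node.children for x in leaves(c)]

def best_control_point(tree: Node) -> str:
    """Leaf whose elimination (likelihood set to 0) lowers the root likelihood the most."""
    base, best, best_gain = tree_likelihood(tree), "", -1.0
    for leaf in leaves(tree):
        saved, leaf.likelihood = leaf.likelihood, 0.0
        gain = base - tree_likelihood(tree)
        leaf.likelihood = saved
        if gain > best_gain:
            best, best_gain = leaf.name, gain
    return best

# Constructed sample events; the likelihood figures are illustrative, not measured.
WIRE_FRAUD = Node("unauthorized wire transfer", gate="OR", children=[
    Node("external compromise", gate="AND", children=[
        Node("employee credential phished", 0.3), Node("second factor bypassed", 0.2)]),
    Node("insider misuse of wire system", 0.05)])
RANSOMWARE = Node("file server encrypted", gate="OR", children=[Node("unpatched service exploited", 0.1)])
```

With these assumed figures the ransomware event (0.2) outranks the wire fraud event (0.18) despite its lower impact, which is exactly the kind of comparison a common categorization makes possible.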
No. 3: Risk Mitigation
Identifying and measuring different risks is useless without a sound plan to mitigate those risks. An effective risk mitigation plan includes an understanding of the quality and extent of the current control environment. Threats and events can be unique and often require case-by-case treatment. Your risk mitigation program should include procedures for tailoring mitigation actions to individual risks.
Obtaining, analyzing, and responding to information from various sources on cyber threats and vulnerabilities is also important. Compiling this information into a repository of cybersecurity information will help with conducting risk assessments and will help you establish cyber risk trends.
No. 4: Risk Monitoring and Reporting
A successful risk monitoring and reporting program tracks information about an institution’s risk profile and identifies gaps in risk mitigation effectiveness. Because threats change frequently, particularly in the way they can exploit vulnerabilities, monitoring is essential. Having a current risk profile that takes into account changing risks will help keep your institution secure.
Cybersecurity threats are constantly changing, which means your institution needs to constantly be on its toes. Troy only fell because it got careless and thought the threat was over. Don’t let the same thing happen to you. At the risk of sounding self-serving, one good tool to help keep you protected is AffirmX’s Cybersecurity Risk Assessment tool (you can see a video of it in action here). But whatever your methods, keep up on your information security program and maintain a strong security culture so you can stay protected from cyberattacks and security threats.
Eric Helfrich, CTO of AffirmX, is a seasoned IT professional with over 17 years of experience working as an architect, lead developer, consultant, and database administrator developing innovative solutions for companies from healthcare to banking. He is a certified Oracle and SQL Server database administrator and is the chief architect of the AdvisX Risk Management Platform. As Database Administrator for BillMeLater (PayPal) he managed the databases that supported a real-time credit-decisioning process. He built and tuned a data warehouse based on USPS Criss Cross, which implemented fuzzy-logic sub-second searches to validate input addresses and rate address quality. He has worked on numerous ETL projects involving flat-file data from a variety of source platforms.