Hatstand talks Cybersecurity
Following the launch of Hatstand’s Cybersecurity Risk Assessment and white paper on demonstrating cybersecurity readiness to regulators through risk assessments, we recently invited a number of leading banks, other financial institutions, and financial IT vendors to briefings hosted in Singapore, London and New York to discuss key concerns, threats, and best practices.
With the ever-evolving technological landscape and cyber-attacks becoming more frequent, everyone is in agreement that there is a growing need to protect their company reputation and data. It is fundamental that firms view cybersecurity as part of their DNA.
The briefings focused on the cyber risks that firms are exposed to today and where these risks originate. Key themes discussed included: the surging growth of the dark web and the increasing sophistication of cyber-attacks; the importance of governance; the shortage of skilled cybersecurity personnel; legacy defence capabilities; uninformed decision making; lack of staff awareness and training; internal and external threats; risk from third-party suppliers; and inadequate systems.
Key Information Security Best Practice
From a governance perspective, cybersecurity is the responsibility of everyone in the firm, not just IT, with accountability ultimately lying with a firm’s board and senior management. The governance challenges discussed included working out what firms need to do to mitigate risk within a regulatory landscape that is still evolving, the importance of employee education, monitoring, access management, and internal policies that are clear and actionable enough to protect against external threats.
An effective information security framework is one that is embedded into the culture of the firm and provides for business as usual through the definition of processes and controls. The typical information security framework creates layers of controls. The number and/or strength of controls should reflect the importance and/or sensitivity of the information being protected. Firms need to first identify which of their assets are most important and prioritise where they want to place controls. Once they have identified these, they can work out a set of controls and ensure that these are reflected across the whole organisation in order to mitigate the risks. Speakers raised concerns that if a firm’s Information Security standards are too complex, employees will not read them and will not know what is expected of them. Firms’ standards need to be understandable by every member of staff and digestible in a fairly short period of time.
Everyone at the briefings agreed that there needs to be a focus on employee education, monitoring, access management, and internal policies, which are clear and actionable, as these are all critical to mitigating risks and protecting against external threats.
In addition to education and raising awareness of cybersecurity, protection against internal attacks can be strengthened by the use of strong passwords, a single identity for every user, and file-based encryption. Data must be encrypted at rest and in transit, and best practice includes periodic phishing exercises to test employees’ understanding of current threats.
Speakers also discussed using ‘whitelisting’ techniques, allowing only ‘good’ software to run in the firm’s environment instead of trying to keep the ‘bad’ software out. Anti-virus software is not able to detect new viruses introduced into the environment; statistics show that it catches only 5% of new viruses, so continuous upgrading and patching of anti-virus software is required to keep pace with them. With whitelisting, however, a firm has less to worry about, as only the software on the whitelist is allowed to run in its environment.
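To make the contrast concrete, the following added illustration (not code from Hatstand or any of the speakers) scores a few constructed sample files two ways: a deny-list scan that blocks only byte patterns it already knows, and an allow-list that runs only exact SHA-256 hashes the firm has approved. The file contents, the signature string and the approved set are all constructed for the example; a never-seen-before binary is allowed by the deny-list but blocked by the allow-list, and even a one-byte change to an approved build is blocked.

```python
import hashlib

# Constructed sample "executables" (name -> bytes); not real binaries.
SAMPLE_FILES = {
    "trading_client.exe": b"MZ approved trading client build 4.2",
    "pdf_viewer.exe": b"MZ approved pdf viewer build 11",
    "known_malware.exe": b"MZ dropper EVIL_SIGNATURE_2019",
    "unknown_tool.exe": b"MZ never-seen-before packer stub",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Deny-list model (anti-virus style): only patterns already catalogued.
# The signature string is constructed for this example.
DENY_SIGNATURES = [b"EVIL_SIGNATURE_2019"]

# Allow-list model: hashes of the builds the firm has approved.
ALLOWED_HASHES = {
    sha256_hex(SAMPLE_FILES["trading_client.exe"]),
    sha256_hex(SAMPLE_FILES["pdf_viewer.exe"]),
}


def denylist_verdict(data: bytes) -> str:
    """Blocks only files matching a known-bad signature; everything else runs."""
    return "block" if any(sig in data for sig in DENY_SIGNATURES) else "allow"


def allowlist_verdict(data: bytes) -> str:
    """Default deny: a file runs only if its exact hash was approved."""
    return "allow" if sha256_hex(data) in ALLOWED_HASHES else "block"


def compare(files=SAMPLE_FILES) -> dict:
    """Return {name: (deny-list verdict, allow-list verdict)} for each file."""
    return {name: (denylist_verdict(d), allowlist_verdict(d)) for name, d in files.items()}


if __name__ == "__main__":
    for name, (deny, allow) in compare().items():
        print(f"{name:20} deny-list={deny:5} allow-list={allow}")
    # A tampered copy of an approved build is no longer on the allow-list.
    tampered = SAMPLE_FILES["trading_client.exe"] + b"\x00"
    print("tampered client      allow-list=" + allowlist_verdict(tampered))
```

The flip side is visible in the last lines: every legitimate patch or new build changes the hash, so the allow-list must be maintained as part of the firm’s change process or approved software stops running.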
Investment in cybersecurity defences is important, and getting value from that investment is equally important. Overall, speakers and participants alike agreed that spending on cybersecurity is increasing and needs to increase further.
Despite new security technologies being developed, the best cybersecurity approach for any organisation is an integrated plan that combines technology, technical and analytical threat intelligence, and security policies and procedures to include contingency/continuity planning and employee training. The question of cyber-insurance was brought up and whether or not it is beneficial to have in place, despite the high premium cost. Consensus was that it is not enough on its own because all it takes is one cyber breach to potentially bring down the reputation of a firm and no cyber-insurance is going to protect or compensate for this.
Firms should not wait for regulators to impose guidelines before protecting themselves from cyber-attacks; rather, they need to understand that data is a huge asset and that the consequences of cyber-attacks will erode their potential. Otherwise, this is simply an exercise in ‘ticking’ the boxes.
We would like to thank all of our speakers:
Dr. Ngair Teow Hin – Founder and CEO, SecureAge Technology
Mr Wong Loke Yeow – Director of Enterprise Security, Singtel
Lisa Norris – Security Programme Manager
Dexter Casey – Director, Security Architects
Boaz Gelbord – Chief Information Security Officer, Bloomberg
Al Berg – Chief Security and Risk Officer, Liquidnet
Marcus Prendergast – Co-Chair Cybersecurity Working Group – Fix Trading Community, CISO, ITG
The finance sector is a highly regulated industry and regulators are becoming increasingly intolerant of information security breaches. How does your firm’s cybersecurity preparedness rate against others in your industry? We’re keen to find out! Please take part in our short survey.