Stephen Scharf, DTCC Chief Security Officer
In the wake of the 9/11 attacks on New York’s World Trade Center, firms around the world rushed to establish now-redundant data centers to protect against the potential loss of a physical location and ensure continued business operations. In the years that followed, recovery efforts have largely focused on mitigating risks to physical security. Cyberattacks have been common, but almost exclusively focused on data theft, rather than data destruction.
The November 2014 Sony Pictures hack proved to be another turning point in security strategy, bringing increased attention, including board-level focus, to the potential for financial and reputational damage from cyberattacks. Cybersecurity topped the agenda for risk management professionals globally. Many companies worked to enhance their defenses by securing firewalls, updating antivirus utilities and prioritizing cyber threat information sharing.
Two years later, the cybersecurity model is still evolving. From a regulatory perspective, more government agencies are starting to encourage best practices, while firms have moved beyond ‘perimeter defense’, with the monitoring of internal systems for anomalous behavior becoming increasingly important.
HKMA Sets Baseline
As a regulator, HKMA (the Hong Kong Monetary Authority) has recognized that cybersecurity is a continually evolving issue and that government agencies, companies and even individuals need to work together to entrench best practices.
To this end, the HKMA launched its CFI (Cybersecurity Fortification Initiative) at the Cyber Security Summit 2016. This will establish: a Cyber Resilience Assessment Framework for banks to assess their risk profiles against a common scale to evaluate their cyber defense needs; a Professional Development Program to train cybersecurity professionals, deepening Hong Kong’s talent pool; and a Cyber Intelligence Sharing Platform to facilitate the sharing of cyber threat intelligence among banks to enhance collaboration and raise the overall level of cyber resilience in the region.
The HKMA also announced several concrete steps aimed at jump-starting implementation of the CFI, which comes into force as a supervisory requirement rather than a set of guidelines or recommendations.
Such government action – which parallels Singapore’s efforts to establish a National Cybersecurity R&D Laboratory at the National University of Singapore and its planned rollout of a Cyber Security Bill in 2017 – has the potential to ensure a solid baseline of cybersecurity defense across major economies in Asia.
However, although HKMA’s intent and the intentions of local regulators around the world are to be applauded, it is critically important that they and policymakers work together to ensure everyone recommends similar best practices and frameworks. A lack of harmonization will make industry compliance and adherence to best practices incredibly difficult at a time of growing cyber risk.
A 360-Degree Perspective
Against this backdrop, it is critically important that individual firms leverage best practice across several key areas:
Cybersecurity basics: The benefits of continuing to prioritize ‘old-school’ approaches to cybersecurity, including patch management, vulnerability management, separation of duties, identity management and access management, should not be underestimated. It is not uncommon to see companies chasing the latest cybersecurity solutions, but often these cutting-edge systems are of little use if the basics are not in place.
Information sharing: Although a robust set of internal controls is critical to an effective cybersecurity strategy, current complexities no longer allow firms to independently protect against threats. As a result, information sharing has become a powerful cybersecurity tool. Sharing details of a cyberattack allows any one institution to potentially render a new attack strategy ineffective before it has a chance to cause widespread harm. From this perspective, information sharing has the potential to create the cyber equivalent of “herd immunity,” inoculating the cyber community against the most virulent threats.
Monitoring network activity to identify anomalies: Network administrators have long recorded and analyzed daily system logs to identify anomalies that can arise from something as seemingly harmless as opening a PDF file sent from an external network or clicking on a link.
However, in recent years, automated “behavioral intelligence” has begun to supplant manual monitoring strategies. Under the new approach, internal networks are constantly monitored and compared to a baseline, raising real-time alerts of possible threats. This has the potential to identify attacks the moment they begin, dramatically reducing response time, minimizing operational disruption and potentially reducing the attack’s impact.
Best practice by institutions—combined with harmonized cyber guidance from regulators—will not only improve capabilities within individual firms, but also positively influence the wider cyber community’s level of vulnerability to attack.
This article first appeared in Regulation Asia on November 17, 2016.