Stephen Scharf, Chief Security Officer, DTCC
Cyber security was one of the most keenly discussed topics at this year’s Sibos conference in Geneva. Many of the experts who attended the event agreed that the industry has progressed significantly in the way it deals with cyber threats.
New ground-breaking technology that bolsters cyber defenses has undoubtedly contributed to the industry’s success, and, more recently, cyber threat intelligence (CTI) sharing across organizations globally has further helped to facilitate rapid response in case of a successful network infiltration by malicious actors.
Initiatives include the Cyber Threat Alliance (CTA), a group formed two years ago by security solution vendors and researchers to mount a coordinated industry effort, and the Cybersecurity Information Sharing Act (CISA), a US federal law that encourages the sharing of Internet traffic information between the government and technology and manufacturing companies.
Despite these responses, cyber threat is a moving target. Cyber criminals are determined to find new and creative ways to target systems, putting pressure on firms to continuously advance their cyber security programs.
Over the past three years in particular, cyber security has gained more attention amongst both financial firms and regulators. We have seen many new cyber security solutions emerge to help firms counter this growing risk. Most of these are fairly interesting and could significantly add to the arsenal of tools used to help firms improve their cyber resilience. Yet while new defense technologies to obstruct cyber threats are becoming increasingly intuitive and innovative, there are a number of prevention techniques that have existed for decades which remain fundamental components of any modern security program.
Indeed, even the most innovative solutions will be of little use if a firm fails to get the basics right. Many of the presenters at Sibos 2016 emphasized that the importance of routinely resetting accounts and ensuring appropriate patch and vulnerability management and proper segmentation cannot be overstated. These tools have been around for a long time and actually provide proportionally more uplift to an organization than some of the new and emerging technologies.
An Analytical Approach
Tracking and understanding their own internal IT traffic remains at the core of firms’ ability to minimize cyber risk, as well as to identify and resolve cyber issues more swiftly. It is good to see that the industry is evolving from an obstructionist approach – having realized that not even the most sophisticated solution will be able to prevent all malware – towards an analytical one focusing on internal data movements that may reveal abnormalities pointing to cyber threats. This means that the cyber risk focus is now shifting from guarding the outside walls to monitoring firms’ internal processes, and it is the internal processes that can provide useful CTI.
Cooperation amongst industry participants remains critical. The widespread use of CTI would greatly bolster the industry’s cyber defenses because it enables collective action, which strongly complements individual in-house security measures. We discovered a long time ago that cyber criminals share their attack toolsets, learning from each other. Consequently, in many cases attacks on one organization have already been launched against another firm. Automated CTI sharing across organizations globally has proven indispensable in helping firms to facilitate rapid response in case of a successful network infiltration by malicious actors.
Finally, it is important to accept that guarding against cybercrime is a company-wide operation and responsibility. Phishing attacks – in which an attacker tries to obtain sensitive information by masquerading as a trustworthy entity in an e-mail or another type of electronic communication – remain one of the most successful tools used by malicious actors. It is essential that all employees are aware of the importance of cyber security. However, firms also need to have robust enterprise-wide cyber security plans in place to ensure that they have maximum protection against cyber-attacks, irrespective of the individual knowledge base of employees.
In conclusion, firms should remember that despite the rise of new cyber products, they must get the basics right first – practices established some 20 years ago remain the foundation of any successful cyber security program. Opting for new solutions alone and under-investing in core competencies such as system segregation and data classification may prove counterproductive.
As was highlighted at Sibos 2016, firms should not get blindsided by the abundance of new tools that have become available in the market and should continue to focus on the time-tried approaches that still stand true today. It will be interesting to see how cyber security strategies have evolved this time next year at Sibos Toronto.
This article was originally published in GT News on October 21, 2016.