By Buddy Doyle, Ed Wegener and Tim Buckler
Cybersecurity: Mitigating Vendor and Change Management Risks
Cyber criminals have been active and the costs of compliance or, worse, a security breach, continue to rise. Join our experts Tim Buckler, Ed Wegener and Buddy Doyle as they discuss ways your firm can mitigate cyber threats arising from your vendors and when you are changing technology platforms.
Oyster: Welcome to the Oyster Stew podcast, where we discuss what’s happening in the industry based on what we see as we work with regulators and clients. Oyster consultants are industry practitioners; we aren’t career consultants. We’ve done your job and we know the issues you face. You can learn more about Oyster Consulting and the value we can add to your firm by going to our website, oysterllc.com.
Buddy Doyle: Hi, everybody. I’m Buddy Doyle, Chief Executive Officer of Oyster Consulting. And I’m joined again by Tim Buckler and Ed Wegener, in a second part to our series where we’re talking about cybersecurity.
Tim Buckler: The last piece of data loss prevention I wanted to discuss today was around vendors. It’s very important that you make an assessment of the risk of the vendor. And it’s important to make sure that when you do this risk assessment, you’re not just making an assessment of the vendor, but also the data that you’re sharing with that vendor. You should understand how sensitive that data is and the critical nature of that data to make sure that you have the right review process, to make sure that the vendor’s risk appetite is appropriate for the data you’re sharing with them. And those risk assessments should be done, not only when you onboard the vendor, but also periodically to make sure that nothing has changed. If you do a business change, you also need to reassess your vendors in case your threat level has changed as a consequence.
Buddy Doyle: And you should really think about not just looking at your vendor but making sure that you understand their controls around their vendor. Fourth party risk is something that should be part of your cybersecurity program.
Tim Buckler: As I was going to add, GDPR has made that much easier to understand for our European friends, because GDPR requires not only the controller of the data to fill out any information, but also who they share that data with on their client’s behalf also has to be shared. Companies in the EU have much stronger requirements about reporting where their data is. If I had to guess, people are going to follow the CCPA model more, which is more about selling data rather than protecting data and giving rights to data. Basically, under CCPA, if you don’t sell data, there’s almost nothing in there. There’s like a single sentence that says, hey, protect your data.
Buddy Doyle: For a while there in GDPR, we were hearing people on both sides of the aisle talking about US citizens being sort of second-class citizens, because they can’t own their own information, but that’s sort of settled down now. Getting into some of the other things where risk really tends to occur is when, Tim you brought this up earlier, when you’re changing your systems, whether that’s hardware or software, really that change process and controlling that can really help you manage that risk. And you want to have a pretty formal process and you’ve got to have the right one for you. And depending on how long your change process occurs, we’ll help you understand how to construct that. But there are some common principles, I think, that fall into place. One is making sure that that change is well-documented. By a well-documented change: What’s the business looking for? How is the technology being changed and controlled? There are two different views of that. And then how is that approved and verified and tested and authorized to move forward and communicated, for that matter.
We have seen clients that have an eight-hour software development life cycle process, where they’re tuning algorithms or adjusting systems overnight to get ready for the next morning’s trading. And those can go very, very fast. A back-office conversion and all the ancillary system integrations that go along with that can take many months to get through. The key, I think, with change management is having a framework and a good definition of how to approach it, but the flexibility to understand that not all change is created equal. It’s a really important part though, to make sure there is a formal documented process that goes along with whatever changes that you’re making, and that they are tested. Anything bigger than a breadbox at least, and you can take a risk-based approach to this, is tested to the level that it needs to be, to be sure that it worked as designed.
Ed Wegener: And the testing doesn’t just end at the time you’re implementing the change. You’re going to want to, after that change has been implemented for a while, go back and test and make sure that over time that change has gone the way that you wanted it to, and that you can identify any unintended issues that resulted over time.
Buddy Doyle: And don’t forget to have a process for dealing with legacy data. If you’re replacing a server, how are you destroying the data that existed on that server? If you’re converting from one system to another and you have to keep your old system records for record retention requirements under rules and regulations, you probably need to consider how you’re going to incorporate that into your cybersecurity program going forward. Because just because you wrote that record four years ago on a trade blotter on a different system, doesn’t mean it doesn’t still exist on that system. And if those controls stay the same, criminals keep getting more professional.
Ed Wegener: They are getting better, Buddy. That’s one of the things that regulators have also identified as a key component to a cybersecurity program, and that’s having an incident response plan. The important thing there is to not wait until there’s a breach to start thinking about ‘what should we do if there is a breach?’. When you have a breach things move very quickly, and it’s not a good time to be considering what to do at that point. Some of the things that FINRA identified as being important components of an incident response plan are conducting threat assessments and having monitoring strategies, containment, and mitigation strategies, to make sure that you can limit the amount of damage that’s done. And again, that’s a matter of doing things quickly and making sure that things are contained and, importantly, having a plan to contact and communicate with affected stakeholders that might be impacted by the breach. And then having eradication and recovery plans so that you can get back to normal operating procedures. Again, these are important steps to have, but things that you should be planning for. Nobody wants to have a cybersecurity breach, but if you do, you want to be prepared for what you need to do. And part of that is going to be potentially reaching out in advance to parties like attorneys, insurance companies, and others, technology people that you might want to reach out to, just so that you’re ready for the unfortunate circumstances that could come if you do have a breach.
Buddy Doyle: Yeah. There’s no better time to plan than in advance. And it really is having that incident response team already together. And understanding the tactics, and how you’re going to approach an incident, is really important. If you’ve ever had your kitchen catch on fire, it freaks you out because you haven’t gone through it. You’re just going crazy. But when the fire department comes in, they’re not freaking out. They just walk in, they spray the fire down, they make a big mess and then they leave. And I think that a cyber event can be a very scary time for organizations to go through. And I would say, keep your head about you. As much as you can, have a tactical plan, not just the philosophical plan, but a tactical plan for the things that you’re going to do and the order that you’re going to do them in, to make sure that you understand the source of the threat, where that data lies. If that data is in an environment that is segregated from all the other data that you have, you can really start focusing in on the real threats. And then, make sure that you really deal with it appropriately.
So I always, you know, think of crisis management, and the best crisis management that you see still is probably the Tylenol case, right? Where the incident occurred, they ripped all of it off the shelf, whether they needed to or not, and replaced it and kept their clients understanding that they had integrity. You need to have a very good plan for not only dealing with the threat at hand, but dealing with the impacts of what took place. And do it in a thoughtful manner, because there is no easier time to lose client confidence than during a breach. And there can also be a time to gain client confidence during a crisis. It’s one of those things where you want to have that laid out. You want to have good advice, good advice from technologists, good advice from counsel, good advice from business leaders, and make sure that you deal with this in a holistic fashion. And the way you designed your control environment can help you design your incident response.
Tim Buckler: That’s right. And one thing I’d like to add is getting cybersecurity insurance is one of the great ways you can protect yourself. Because if you get ransomware, your cybersecurity insurance may cover the cyber-attack. And so you don’t have to worry about, is this going to cost my firm 10, 20, $30,000, a million dollars, whatever it is, because, you know, the insurance company is going to have your back. They also make a great resource for someone to reach out to at the time of the incident, because they have teams dedicated to supporting firms when they go through that.
Buddy Doyle: And make sure again, when you get your cybersecurity insurance, if you get cybersecurity insurance, and I would encourage you to look into that, that one, you look at the kinds of records you have and sort of some of the costs per incident type of averages, to help you decide how much insurance to get, but also make sure that you’re following your own procedures. So that should you make a claim you can collect on that claim. It’s one thing to have insurance, but if you’re not doing the things that the insurance company believes that you’re doing, because you told them you do, you may not quite have the outcome you were looking for. All right. So Ed, do you want to cover training?
Ed Wegener: Like anything with respect to a strong compliance and controls program, training is a critical part of that, with cybersecurity especially. And that’s especially the case, as Buddy and Tim both talked about. There’s a significant amount of exposure that you have from people inside your organization. And you want to make sure that you use appropriate training to make sure you’re mitigating that risk. An effective training program should be tailored based on the particular role of the person being trained. If it’s a frontline employee, focusing on the practical steps that they can take to protect information from their perspective, explaining the costs of a cybersecurity incident is helpful because it kind of puts that in perspective for the employees. That taking the steps really matters for them, that there’s a cost to them if there’s a cyber breach. So talking about the reputational damage to the firm, the potential loss of revenue and the potential loss of jobs, depending on the severity of the incident. Employees should come away from the training programs with a good awareness of the firm’s policies and what is expected of them.
Things like appropriate use of hardware and software, unauthorized software, data storage types that are prohibited. Things like thumb drives and CDs, if you prohibit those. Unauthorized use of particular hardware, appropriate and inappropriate use of the internet, making sure that they understand some of the common threats, like we discussed, things like social engineering and phishing. And making sure that they understand the controls and practices that the firm has in place. And that they should be taking things like we talked about before: password protection, updating antivirus software, patch management. All of that should be incorporated in a firm’s training program. And the training should be done regularly. At a minimum annually, but probably more often than that, just to make sure that employees really understand what’s expected of them. That they come away with practical things that they can do to help protect information, so that you can help mitigate the risks that come from your employees, from those insiders.
Buddy Doyle: And I would say, don’t forget, you’re trying to change behavior with your training, right? So there’s an awareness component to training of the kinds of threats and the things to look for, but you also want to make sure that you’re driving that behavior, in my opinion. That you have an environment where if somebody thinks they might have something going on, they escalate it. And that escalation process is really important. And one of the ways I’ve found to help drive behavior is storytelling during training, to try to make it as relatable to the audience that you’re talking with, whether that’s social engineering. We have some clients that are very philanthropic. They do a lot of community work and a lot of service. And if you’re talking about social engineering, one of the effective ways to help them through that is to talk about a scenario where the organization would call up and say, hey, you know, we really appreciate your contributions. And those things are often public and out in the press. We really appreciate your contributions. We’d like you to fill out some profile information so we can highlight you in an upcoming piece of marketing, I’m going to send you a link. And that feels so real. Next thing you know, they’ve kind of got you.
Or talk about scenarios where employees have had a piece of equipment stolen and what led to that and how they responded and what happened next. And those kinds of things can really drive people to make different decisions. And, Ed, I agree, the frequency with which you communicate this, even if it’s little 30-second or one-minute conversations in routine meetings about a tip or something that you’ve seen, in addition to that annual web-based training or whatever that they get, that might feel a little white-paperish even to them, the more you can do to communicate that, the more likely you are to keep your data secure, or when something happens, be able to respond really quickly.
Tim Buckler: And the one thing I want to add is that recording your training so that employees can go back at a later time to refresh themselves on your policies or the best approaches is a great idea. And also you should point them in the right direction of your policies and procedures in that training. You can’t cover everything. So you should also say, please review these materials, and tell them where they are, and not just your internal materials. You should also have information about things in general, so they can just become more well versed in how the threat environment looks today, how they can protect themselves at work and at home, just create a better environment for them to think more about cybersecurity than just don’t click on a link. It should be much more personal than that.
Buddy Doyle: I think that you’ve got to keep in mind that when a cyber-criminal sends a link, if you don’t click on it, no big deal. If they call you and you don’t respond to a phishing exercise, or they ask you for information, no big deal, but you have to be right each and every time. They can be wrong over and over and over; it costs them hardly anything in terms of time and money. But when you’re wrong, it can cost you a lot of time and money. All right. Thanks everybody. Hope you have a great week.
Oyster: Thanks for listening. And if you like what you heard, make sure to follow the Oyster stew podcast on whatever platform you listen to. If you’d like to learn how we can help firms start, run, protect, and grow their business, visit our firstname.lastname@example.org.