By Buddy Doyle, Ed Wegener and Tim BucklerSubscribe to our original industry insights
Cybersecurity: Tactics for Mitigating Internal and External Threats
Cyber criminals have been active and the costs of compliance or, worse, a security breach, continue to rise. Join our experts Tim Buckler, Ed Wegener and Buddy Doyle as they discuss ways your firm can mitigate internal and external cyber threats.
Transcript provided by Temi transcript services
Oyster: Welcome to the Oyster Stew podcast, where we discuss what’s happening in the industry based on what we see as we work with regulators and clients. Oyster consultants are industry practitioners; we aren’t career consultants. We’ve done your job and we know the issues you face. You can learn more about Oyster Consulting and the value we can add to your firm by going to our website – oysterllc.com.
Buddy Doyle: Welcome everybody. I’m Buddy Doyle, Chief Executive Officer of Oyster Consulting. Today, I’m joined by Tim Buckler and Ed Wegener – Welcome Tim. Welcome Ed. Cybersecurity is our topic and it’s an important topic. It is one of, not only regulatory focuses again this year by pretty much every regulator you can think of, but it’s a hot topic. As we are in the pandemic, the cyber criminals have been very, very active and the cost of compliance and the cost of a breach continue to go up in spite of the fact that there are better tools and more efficient ways of responding to these events. I noticed in some of the recent publications, particularly by IBM and the Ponemon Institute, that the average cost of a data breach in 2020 was $3.86 million and that’s a global number. But in the United States it’s higher, $8.64 million for the average breach.
So that’s been going up year after year after year for as long as we’ve been measuring it. It’s important to keep in mind that costs move around based off of the size of the breach and the type of data that’s breached. We’ve also seen a lot of increased reporting from additional regulations. Particularly GDPR in Europe has changed the behavior of a number of firms doing business in Europe. I think that in the United States, while there are still a number of unreported breaches, we are seeing more ports required by certain regulatory authorities where you at least need to go contact your regulatory authority. And obviously you want to take care of your customers. With that introduction, Tim, maybe you could talk a little bit about the threats and what you’re seeing.
Tim Buckler: Thank you, Buddy. The first thing I’d like to talk about, when we look at the 2020 threat landscape, is Solar Winds is in the news, and everyone’s talking about it. There are three points I want to focus in on, even though there’s a myriad of things we can discuss. The former CEO of Solar Winds recently came out and tried to blame the hack on an intern having a very insecure password. And that cannot be the sole issue this hack happened. You can’t blame it on an intern. So I think there’s three things on that I wanted to touch on. One is training, new hires, including interns, should it get cybersecurity training to make sure they understand how secure passwords should be. Two – you should have strong password length and complexity requirements. So they’re not as easy to guess. And three, you should have at least privileged access. So that interns do not have too much power. And your other employees also do not have too much power.
Buddy Doyle: I’ll tell you, I think in turn, it is a danger, but so are the experienced employees when it comes to cyber security. I agree that training is vitally important, but training doesn’t always stick. It’s great to blame an intern though. We see a lot of that on so many occasions.
Tim Buckler: So the next thing I want to discuss in the third environment today is there’s a constant battle between internal and external threats. And I think we get so caught up in the external threats. We kind of forget that the internal threats are just as malicious. And it’s not just bad actions we have to be concerned about, it’s just the inadvertent clicking. You just click on an email because you didn’t think about it. There’s a lot of things you need to set up in your environment to minimize the potential for error for well-intended employees. (You) need to have sandboxing of your email so that things can’t run in there as easily and used to set up your firewall. So links can’t get out if they’re going to a bad place.
Buddy Doyle: Yeah, Tim, I noticed there’s no perfect mouse trap for this passwords are wrongly part of the problem. You, you try to train people on complex passwords, and you can put in certain criteria to force folks to use upper and lower case, numeric, and special characters. And you can set up how often you recycle passwords. You can also not allow people to repeat passwords for a number of different periods of time and obviously longer is better, and these kinds of things. But nothing adds to the security profile of an organization like multi-factor authentication. If you have a complex password and reasonable control environments and you have multi-factor authentication, it’s really hard to crack a device and a password at the same time. It’s not impossible, but it is, from my perspective, the most important thing we do.
Ed Wegener: You know, Buddy, I’m seeing that become more and more the standard, not just within financial services, but in any interaction that you have online. Where if you’re entering in your username and password, you’re being texted a numeric code to put in, or you’re using tools like duo and things like that to verify not only that, you know the username and the password, but that also that you are the person who should be having the access.
Buddy Doyle: And the apps actually, from my perspective, might be a little bit more secure than the texting of the pin, because it’s harder to clone an app. I imagine people have the talent to do it, but it’s a little easier to sort of clone a phone number. People are complacent, right?
And they’re trusting. And we believe what people say, even when we know we shouldn’t believe what people say. It’s so easy to take advantage of an organization through social engineering, pretending to be someone in the know and not having a good way to authenticate that that person is who they say they are. Tim. I don’t know if you’ve seen any sort of neat tactics in social engineering
Tim Buckler: Lately, I think one of the recent things I saw that was interesting is that there’s a huge number of fake LinkedIn profiles. They chat and they try to constantly contact you and friend you, and while they’re not getting access to your login information, they’re getting a wealth of information that you post online to LinkedIn. And so it just creates an opportunity for them to figure out more information about you, because LinkedIn hides information, depending on your level of intimacy with the person. There’s a lot of people, there are a lot of fake accounts out there that are accepting that. So just be wary.
Buddy Doyle: Yeah. And I think when people use social media, they tell an awful lot about themselves and the connectivity between you and other organizations out there helps the social engineers give that sense of, of belonging to you. If you’re connected to people that help you with technology, you might get a phone call from someone purporting to be on your help desk. They’re a help desk analyst in your firm and you’re connected to them, and you get a phone call saying, Hey, this is John Smith on the help desk. I need to run a security patch on your laptop. You’re going to get a little link for me, click on it so I can take control of your machine. Well, you just gave him control of your machine. So you need to have tactics to deal with that level of threat. People also put their pets names out there and they use them as passwords. They’re connected to family. They put their birth dates out there. Think of the security questions that you’ve answered in the past – Date of birth, mother’s Maiden name. How many people have that kind of stuff out there on Facebook? It’s, it’s amazing that it’s a security control that we publicly tell the world. You might as well put your social security number out there. Realizing that these threats are out there, what are some of the things you think firms should be thinking about or considering as part of their control environment?
Ed Wegener: Well, Buddy, you had mentioned earlier, the focus that regulators have on this area, and it continues to be something that they identify as a priority. In fact, since FINRA started issuing its examination priorities back in 2008, I believe, information security and cybersecurity have been identified as priorities every year. And I don’t think that there’s any other area that they have considered a priority every year. So it’s very much top of mind for regulators and they see the risk. Well, one of the things that FINRA did in their letter this year, as they identified a number of considerations, and one area that they identified as critical is firms having an effective governance process over their cybersecurity programs. And naturally, the formality and the complexity of that governance is going to vary depending on the nature of the firm and the risks that are out there. But regardless of the formality of the governance firms should have a process in place for doing things like defining the risk appetite. Firms aren’t going to be able to address every risk that’s out there related to cyber security. They’re not going to be able to take every step that you can take. They’re going to have to prioritize and prioritize based on the risk. So understanding the firm’s risk appetite, using that to help them define and inform their decisions about that prioritization, is going to be important. Firms should be conducting risk assessments.
We talk about that all the time, just generally with respect to risks of broker dealers, but especially with cyber security. And again, this is an area that formality of the risk assessments can vary based on the nature of the firm. But you know, some of the things that every firm should do is to have an inventory of their hardware and software to map out and know where sensitive information resides. Identifying what potential threats and vulnerabilities are out there – the things that that Buddy and Tim talked about earlier – and then identifying what controls the firm has or should get in order to mitigate those risks. So risk assessments are an important part of that governance process. Firms should also consider their decision-making framework. Who makes decisions, how those decisions are made, important, critical decisions, like what types of tools should be in place or what the level of resources firms should put towards this issue.
And then finally, and again, this is something that doesn’t necessarily have to be over engineered but identifying metrics to understand and measure things like the exposure and to measure the effectiveness of the controls that the firm has in place. I think those are really important to consider for every firm, regardless of size or complexity when it comes to managing their cyber security programs. And it’s something that regulators are going to expect to see.
Tim Buckler: One thing I’d like to add there, Ed, as you discussed, knowing where your data is, and that is one of the key parts of any risk assessment. You cannot know how to protect your data if you don’t know where it’s located. And it’s more than just knowing if it’s on the server. You need to know if your employees are making local copies of that information on their laptop and then walking out the door with it. You need to know if they’re saving that data on thumb drives or CDs. You need to know if that data is being routinely sent over email or other means. You need to have a strong understanding of how your data is used and stored before you know how you can properly control it.
Buddy Doyle: It can be a difficult task, right? Because to Tim’s point, there are lots of ways to gather data and move it around. You need to have good controls around those risks. We use the NIST framework for our risk assessments, here at Oyster, and so many do. We started out with the BITs, the banking investment technology standards, from back in 2000, 2001, and kind of have rolled into NIST as NIST has become sort of the standard for many firms, but that can be a good place to look for the types of risks and kind of pick them off. But boy, it can be really hard to get started with something like that, because it can seem overwhelming as you get going. But the things Tim was talking about, downloading local copies, putting it on thumb drives or CDs, those things can be controlled if you have good control of your devices. And Ed’s point of knowing what you have and where it is, you want to have a very solid process for that to make sure that the risk is controlled and that any copy of sensitive data is in an encrypted environment, both when it’s in motion and at rest. At least that’s how I tend to think about it. Really consider locking down those USB ports so that people cannot copy data onto CDs and thumb drives. There’s really not a reason or many reasons why someone would need to put data on portable media these days. There are so many ways to transmit data electronically and securely that we see less and less of that risk.
Ed Wegener: Yeah, I think that’s critical. It’s all about knowing what information and data you have and the sensitivity of that information, knowing where it’s at, knowing who has access to it and knowing how they have access to it, that helps you identify what it is that you need to protect and then taking those steps in order to protect it.
Buddy Doyle: Yeah. And. I think, one more point on this is, it’s not just having a list of laptops. It’s making sure that that list of laptops is accurate and reconciling your asset list to what’s real on a routine basis. Laptops have a way of walking away. If you’re not keeping track of those and counting them, you could find yourself not realizing that some data has been lost.
Ed Wegener: Well, Buddy, that’s a great point too. And I think one of the things that firms really need to focus on is really limiting what people have access to and where it resides. So when you talk about things like access control and role-based access control, understanding the minimum number of people who have to have access to that information and managing that really well. But then when you talk about things like laptops and things, those are vulnerabilities. So the less amount of sensitive information that’s sitting on laptops, the better. I’ve seen firms that don’t allow anything to rest on the hard drive of a laptop and the only way you can access it is through a portal on the internet and after having entered in passwords and using multi-factor authentication. So that even if a laptop is stolen, it limits the amount of information that’s actually gone or that somebody has access to because they still can’t get into that portal without the password and without using the multifactor authentication. So I think limiting the availability of having access to things will help limit the risk as well.
Buddy Doyle: Yeah. Segregating data is important. Limiting access on least privilege access is, is important. It keeps breaches from getting as large as they could be. If you’ve ever experienced a breach, you’ll want to make sure it’s limited. So Tim, maybe you can kind of share with us a little bit about some other risk associated with cyber security.
Tim Buckler: Sure. So one of the greatest risks is getting breached or losing data through many means. One of the best ways that you can do to prevent the loss of data is just to restrict how much data any one individual can access. And generally these are called role-based access controls. So first of all, you, as an individual should have only the information that you need on a regular basis. And if you need any information beyond that, you should have to go through a formal granting process. And one important part of that process should be that a manager or some other person has to sign off on that to make sure it’s appropriate for you to have that. And if it’s for a temporary time, you should have that access removed once you no longer need it. And these access-based controls should be reviewed regularly to make sure that you still have the appropriate level of access, and you don’t carry over your previous entitlements from a other role. If you change in the organization or if someone leaves the firm, those roles should be terminated immediately. You need to make sure that you look at all the parts of how people’s move and leave and join to make sure that no one has more information than they need at any given time.
Ed Wegener: When I was at FINRA, you know, we would receive tips from former employees of firms who would let us know that they continued to have access to certain sensitive systems and data after they left, which clearly was a problem for the firm and, you know, became known to the regulators. So that’s something you definitely want to make sure that you are on top of.
Tim Buckler: And along those lines, with the role-based access controls, you want to really limit the use of group access. So there shouldn’t be one account with the same password that everyone shares. Everyone should have individual access to the same front-facing. Everyone should have individual access to the same channel, but they don’t share one username and password. It becomes very difficult to manage as people move and leave. And you don’t know who actually accessing data at that point as well.
Buddy Doyle: Yeah, I think both of those are valid points on shared passwords. Individuals should have individual passwords. Multifactor authentication is a big help with that because you have to have the device as the second protocol and sharing that device around is not as likely for that group. But Tim, to your point of knowing who accessed what, when shared passwords definitely make that more difficult.
Tim Buckler: And the phone, isn’t the only way to have multifactor authentication. It’s also very difficult to share your fingers and eyeballs with friends.
Buddy Doyle: Yes, it is. It’s uncomfortable.
Tim Buckler: So the next piece of data loss prevention we want to discuss is encryption. Everyone should understand what encryption is, but it’s very important that as much data that can be encrypted is encrypted. Nowadays with the speed of computers, encrypting and decrypting data is instantaneous. Yet end users should not be able to even understand that something is encrypted by the amount of time it takes it to load. Their internet connection is far more important to that. So it needs to understand that not only things are encrypted, but the most sensitive information is definitely encrypted. You should make sure that anything that is sensitive in any way is encrypted both in transit and when stored on the hard drive.
Buddy Doyle: Yeah. And I think just to make sure folks understand encryption, it’s not that complicated. I generally kind of equate it to the Little Orphan Annie decoder ring, where you sort of type in your numbers, and it equates to a letter. And that tells you how to descramble the secret message, not to forget to drink your Ovaltine. But I think that it is a much longer number. It’s much more complicated, but it’s very, very difficult for criminals to unravel encrypted message. Pretty much staid actors and the real professional criminals are the risks for that.
Tim Buckler: And one important thing about encryption when it comes to data breaches is that under some regulatory schemes around the world, if data that is encrypted is leaked, but the keys to that encrypted data is not leaked, then you may not have to report that breach. So it’s important to note that your risk level changes as you encrypt, not just that the data is hard to find, but even if it’s out your door, there are still protections in place around that data.
Buddy Doyle: An encrypted laptop that gets lost is largely just a paperweight.
Tim Buckler: One of the other key things around data loss is making sure that your IT is making sure that the antivirus software is up to date, that they’re making sure they’re scanning for root kits. You should have a very strong understanding of your computers and make sure that people are shutting down them on an appropriate time so that their installs are being updated. And that you make sure that if someone hasn’t restarted their computer in a certain amount time, you’re aware of that and get ahead of that potential. Patching is extremely important to make sure that you get ahead because sometimes the threat is being patched while it’s already well-known in the community. And so if you don’t get it patched immediately, you’re just sitting there exposed for who knows how long.
Buddy Doyle: And patches are kind of a double edge sword. You’ll want to test your updates before you apply them often to make sure that you don’t have any unintended consequences of those updates, but there are also emergency patches, things that you want to prioritize and get done right away. I would encourage folks to understand what those are. And, Tim, when you’re talking about monitoring laptops and things like that, endpoint protection software is also something that you should really make sure you understand and make a rational decision about investing in that. Thanks, everybody. I hope you have a great week.
Oyster: Thanks for listening. And if you like what you heard, make sure to follow the Oyster Stew podcast on whatever platform you listen to. If you’d like to learn how we can help firms start, run, protect, and grow their business, visit our firstname.lastname@example.org.
Subscribe to our original industry insights
"*" indicates required fields
Download the Capital Markets Services eBook to learn about CAT Reporting, Trade and Position Reporting, Market Access and Best Execution.Download