Ron Arden, Vice President and COO of Fasoo, Inc., participated in a panel discussion on cyber security priorities in the finance industry at FinCyberSec 2016 at Stevens Institute of Technology in Hoboken, NJ on June 1, 2016. Ron was joined by Alan Brill, Senior Managing Director from Kroll, and Michael Frank, President of Secure Business Strategies. The panel was moderated by Dr. Paul Rohmeyer, who organized the conference.
The first topic of discussion addressed the challenges of cyber security in the financial services industry. Dr. Rohmeyer asked if there are unique priorities of CISOs who are operating in different industries or if they are similar? Ron mentioned that people either want to disrupt operations or steal data when you experience a cyber security event. Regardless of industry, the general goals are the same. There are clearly unique processes in financial services that may not be in other industries, but the basics are the same.
Michael Frank mentioned how the lack of security basics is hurting the financial industry and many others. We rely so much on technology and assume that everything works that we frequently neglect simple things. Systems that use default passwords or assume that someone is who they say they are with minimal confirmation are common issues. Another example is the risk that a typical printer poses to a company if a user can print any sensitive document. Uncontrolled printing lets anyone print anything and take it out of the business. We are so focused on protecting the perimeter of our companies from hackers, that we are ignoring the trusted insider who can steal valuable information on a piece of paper.
There was also discussion on the risk posed by insider threats to unstructured data – typically files and documents. Most of the data breach headlines focus on hackers stealing information from databases, yet most of the intellectual property inside a business is in documents we work with every day. Encrypting these documents and restricting their access through persistent security policies is the best way to ensure that only authorized users can access the sensitive information inside.
Another topic for the panel was “Where are we off target?” Are companies focusing in the wrong areas when it comes to cyber security? Discussions again focused on securing the valuable data in your company and ensuring that you follow business processes. Too much emphasis is placed on technology as the silver bullet without thinking about the people side of things. One example was a major financial transaction where the person executing the transaction got an email from the CEO asking him to transfer a large amount of money to another bank. While this may be normal, there is a process to verify this through a phone call. The email looked legitimate, but was actually a phishing email that looked close to the real thing. A simple phone call verified it was bogus, but most people just accept that the technology is working.
During Ron’s closing remarks he mentioned that just because a company is compliant does not mean it’s secure. A perfect example is Target from a few years ago. Target was PCI compliant, but they still had a major data breach. Cybercriminals exfiltrated large amounts of unencrypted data that caused major problems for the company. Regulations frequently have guidelines that meet minimal requirements for data security, but do not specify technologies or processes. That is changing and newer laws are mandating encryption and permission controls as ways to ensure that sensitive information remains safe from all unauthorized users.
This conference was a very successful event and I expect it will continue as more emphasis is placed on practical approaches to increasing security in the financial industry.
