The question of whether a data system will be breached is no longer relevant — the issue is when that breach will take place. Boards, CEOs and Chief Information Officers need to accept that no data system is airtight and adopt rigorous cybersecurity measures to quickly detect and recover from a breach. Intruders use sophisticated malware that can lurk undetected for months, sometimes years. CEOs and Boards must require the use of outside professionals reporting directly to the CEO and Board to frequently test the efficacy of the CIO's information security system design and implementation.
CIOs by nature resist outside testing, review and evaluation of their security. If outside testing is done, the CIO generally wants to oversee and control it. CEOs and Boards that succumb to the CIO's pressure to control the process are simply inviting unnecessary risk. Hackers know the typical security implementations of CIOs; therefore a key element of effective IT security is to approach it from a hacker's perspective. The CEO and Board must demand this approach if they want to ensure the highest possible level of information security.
Although most lenders have very good perimeter security, such as firewalls, hackers typically use a more savvy and inconspicuous approach. Virtually every breach reported publicly (including Sony, Anthem and Target) did not occur by a direct attack on traditional perimeter security. Hackers gained access through vendors, phishing emails, and other social engineering techniques such as 'spoofed' wifi access points, malware-laced USB stick drives left on company premises, etc. In virtually every case, the company had received satisfactory penetration test results on traditional perimeter security.
A robust testing mechanism is usually conducted by an outside expert company because these experts are highly knowledgeable about the current exploits attempted by hackers. They will scan company systems using a variety of techniques, including identifying every network node and the activity on it. They will attempt multi-vector attacks on various attack surfaces, from both outside and inside the company's perimeter. This is one of the most effective ways to ferret out the "unknown unknowns" in your security infrastructure. Exploits evolve quickly, so testing must be done periodically.
In addition to insisting on outside security experts, formalized criteria, processes and policies around information security will improve information security in a cost-effective and compliant manner.
Effective cybersecurity must look at unknown unknowns, such as zero-day malware — code that hasn't been seen before — which has become ridiculously easy for serious hackers to create and which easily defeats signature-based malware detection. If it hasn't been seen before, it likely cannot be recognized by signature-based detection. Sony, Anthem, Target and others found this out the hard way. The honest CIO cannot be certain whether there is any zero-day malware within any given system. If the CIO maintains there is no malware, information security assessment and testing responsibility should be removed from the CIO immediately, and a robust third-party testing regimen begun.
Security Information and Event Management (SIEM) is the way security incidents are detected, classified and elevated to appropriate executives. If the CEO is not already receiving SIEM reporting on a regular basis, the SIEM protocols in place are probably not best in class.
CIOs also need to document how the company monitors data and information exiting the company perimeter. Exfiltration-monitoring tools should inspect all outgoing data for personally identifiable information (such as social security numbers) and other sensitive information in order to halt suspicious data exfiltration.
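As an added illustration of the egress control described above (example code written for this page, not a tool the author describes), the following Python scans an outbound message for social security numbers, discards tokens that violate the SSA's structural rules so ordinary numbers are not flagged, and returns an allow/flag/block decision. The sample messages and the block threshold of five distinct SSNs are constructed assumptions.

```python
import re

# Candidate SSN tokens in 3-2-4 form with optional dash or space separators.
# The look-around bounds stop longer digit runs (order numbers, timestamps)
# from being carved up into false matches.
_SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area is never 000, 666 or 900-999;
    group is never 00; serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> set:
    """Return the distinct structurally valid SSNs in an outbound payload,
    normalised to dashed form so '123456789' and '123-45-6789' count once."""
    found = set()
    for match in _SSN_RE.finditer(text):
        area, group, serial = match.groups()
        if is_valid_ssn(area, group, serial):
            found.add(f"{area}-{group}-{serial}")
    return found


def egress_decision(text: str, block_threshold: int = 5) -> tuple:
    """Classify an outbound message: ('allow', 0) when no SSN is present,
    ('flag', n) for a few SSNs that merit review, ('block', n) for a bulk export."""
    n = len(find_ssns(text))
    if n == 0:
        return ("allow", 0)
    if n >= block_threshold:
        return ("block", n)
    return ("flag", n)


# Constructed sample messages (assumption: not real data).
SAMPLE_MESSAGES = {
    "shipping": "Order 20240115 shipped today, tracking 555-123-4567",
    "single": "Applicant SSN 123-45-6789 attached for underwriting",
    "fixtures": "Test fixtures use 000-12-3456 and 987-65-4321",
    "bulk": ("123-45-6789, 234-56-7890, 345-67-8901, "
             "456-78-9012, 567-89-0123"),
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, egress_decision(body))
```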
An exemplary risk management function vets and documents every vendor with network or physical access to the company's facilities. Target was breached through a vendor's known connection to the company's network. A formal review of vendor security safeguards, procedures and controls should be required and formally documented, and vendor access should be limited to "need to know" areas. Vendor network access should be limited to the access rights necessary to perform their roles. Vendors should not have access to the company's critical network functions.
Additionally, all hardware devices attached to the company's networks, and software on devices, should be known to the CIO. Mapping and monitoring every node is a must.
Resilience is attained when a company can quickly restore normal operations after an attack. CIOs should have the company's business continuity plans tested periodically by outside expert companies who report directly to the Board and CEO.
James M. Deitch is CEO and Co-Founder of Teraverde.