Thu, Oct 6, 2016
The story of the Trojan war is one of the most well-known in Greek mythology. The Spartans besieged Troy, but despite having both Achilles—the greatest warrior in Greek mythology—and a much larger army, the city stood. According to the myth, it was prophesied that Troy could not fall unless some very specific conditions (something about relatives of Achilles and arrows of Heracles) were met. It wasn’t until the Spartans built the famed Trojan Horse, and were able to sneak into the city inside the giant wooden horse, that Troy finally fell.
While it’s not likely that your institution is besieged by an army waiting to crush you at your first sign of weakness, and the oracles probably haven’t prophesied the conditions of your doom, there are some very real and very constant threats to your institution’s cybersecurity. So what are these threats, and what can your institution do to protect itself?
In light of recent cyberattacks, and in order to help mitigate some of the cybersecurity risks faced by financial institutions, the FFIEC released an information security booklet reminding financial institutions how they can best protect themselves from cyberattacks.
Before even the most well-written and all-encompassing information security program can be effective, your institution needs to have a strong security culture. The security culture of an institution starts with the board and management. They are the ones responsible for providing appropriate resources for developing, implementing, and maintaining the information security program. Their attitude about information security will trickle down to all other employees, and can help entrench a security culture within the institution.
How can you gauge how strong your security culture is? The best method is to look at how new business initiatives (such as new service offerings or applications) are introduced. An institution with a stronger security culture generally integrates information security into new initiatives from the outset and throughout the life cycles of services and applications. Another indicator of an effective culture is whether management and employees are held accountable for complying with the institution’s information security program.
Information Security Program
With a strong security culture in place, your institution’s information security program will be much more effective. That effectiveness will further increase when the program covers the identification, measurement, mitigation, and monitoring of security risks.
Here are the four areas your information security program should focus on:
No. 1: Risk Identification
Risk is generally divided into categories, and one of these is operational risk. Operational risk is the risk of failure or loss resulting from inadequate or failed processes, people, or systems. Both internal events (such as human errors, misconduct, and insider attacks) and external events (such as natural disasters, cyber attacks, changes in market conditions, new competitors, and new technologies) affect operational risk.
An effective information security program includes processes to continuously identify threats and vulnerabilities from both internal and external events. Risk identification should categorize threats, sources, and vulnerabilities to determine the institution’s risk profile.
No. 2: Risk Measurement
A good risk measurement process effectively determines how much risk a threat or vulnerability poses to an institution. Threat analysis tools also help in understanding and measuring risk information. Some of these tools include event trees, attack trees, and kill chains. These tools break an event down into its distinct stages so that each stage can be understood and addressed.
In addition to threat analysis tools, a method of categorization for security-related events can help with the following:
- Mapping threats and vulnerabilities
- Incorporating legal and regulatory requirements
- Improving risk management consistency
- Highlighting potential areas for mitigation
- Allowing comparisons between different threats and events
No. 3: Risk Mitigation
Identifying and measuring different risks is useless without a sound plan to mitigate those risks. An effective risk mitigation plan includes an understanding of the quality and extent of the current control environment. Threats and events can be unique and often require case-by-case treatment. Your risk mitigation program should include procedures for how to tailor mitigation actions to individual risks.
Obtaining, analyzing, and responding to information from various sources on cyber threats and vulnerabilities is also important. Compiling this information into a repository of cybersecurity information will help with conducting risk assessments and will help you identify cyber risk trends.
No. 4: Risk Monitoring and Reporting
A successful risk monitoring and reporting program tracks information about an institution’s risk profile and identifies gaps in risk mitigation effectiveness. Because threats change frequently, particularly in the way they can exploit vulnerabilities, monitoring is essential. Having a current risk profile that takes into account changing risks will help keep your institution secure.