Cybersecurity Resilience and Best Practices for Fraud Prevention

Learn more about cybersecurity resilience and best practices for fraud prevention by CFOs, staff, and IT experts in the post.

by Bala Guntipalli · Nov. 10, 18 · Presentation

The CFO Leadership Council conducts professional development programs with the goal of empowering CFOs across the globe to make better strategic IT decisions. As part of this, I was moderating the seminar: Cybersecurity Resilience and Best Practices for Fraud Prevention — Why should a CFO care and what can they do about it?

Dr. Willie E. May, National Institute of Standards and Technology (NIST), and many other leaders have often stated that cybersecurity is not just an IT issue but also a business risk. Because financial executives are quantitative by nature, I would like to put the cost of cybercrime in context:

  • Per CNBC: Cybercrime costs the global economy approximately $450 billion per year
  • Per Forbes: Cybercrime costs are projected to reach $2 trillion by 2019

Here are a few relevant points for the broader cybersecurity community, CFOs, and the boards in most industries and organizations of all sizes.

For Risk Analysis and Risk Management, Ask These Questions:

  • Which assets, digital and physical, is the organization trying to protect?
  • How is the data classified? And how is it treated differently?
  • Where is the risk?
  • How could that risk change over time?

After these questions are answered, then evaluate where to start. Too many companies attempt to “protect everything” and wind up not protecting much at all.

A Few Points to Consider

  • Trained people and processes should supplement IT tools. Consider the Equifax hack where the staff forgot to restart the system after patching. Relying solely on the technology will have adverse effects.
  • Do not limit penetration testing to just one area of the company infrastructure and IT landscape. Prioritizing the most vulnerable areas serves the organization better.
  • Companies should test across the firewall, server, web applications, mobile applications, and infrastructure, for both inside and outside threats.
  • Hackers don’t play by the rules. They do their homework. They are patient.
  • Perform vulnerability tests to check for potential risks, and conduct penetration tests to identify if any of the vulnerable spots can be exploited.
  • Ask the CISO/CIO about the current Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in place and how the alerts are being managed.

Choosing an Intrusion Detection System that best suits the organizational needs is critical.

The options available are:

  • Network-based intrusion detection system
  • Host-based intrusion detection system
  • Blended option (RealSecure type systems)

Three things to consider when choosing an Intrusion Prevention System (IPS) are:

  • Detection capabilities
  • Context understanding
  • Threat intelligence use

Follow all other steps, just as when any other mission-critical technology is acquired.

How to Reduce the Chances of a Hack and Steps to Take When There Is a Compromise

  • Have multiple levels of authorization.
  • Reach out immediately to the financial institution (if the finance systems are compromised).
  • Documentation of every process is important.
  • Training is critical, specifically against the common social engineering attacks: pretexting, quid pro quo, tailgating, baiting, watering holes, diversion theft, and phishing (both phone and spear phishing).
  • Do not shame or punish when someone opens a malicious link. Use it as a teaching moment. Create a culture where employees are not afraid to share what they did.
  • Acting immediately when breached minimizes the impact on the business and the customers.
  • Want ROI? Act fast. Contact the law enforcement authorities.
  • A cyber breach is like quicksand. One doesn’t realize that the next step taken could sink them.
  • Pay attention to Business Email Compromise (BEC). Often, companies are attacked through email by manipulating the target into letting malware in or authorizing a fraudulent wire transfer.

Conquer the Easy Threats First

  • Implement simple checks and balances.
  • Do not leave all authority to one person.
  • Audit each account and user.
  • Get rid of inactive accounts/users.
  • Monitor usage.
  • Test the humans (drop USB data sticks on the ground to see who will plug them in).
  • Require training for those that fail the tests.
  • Sharks smell blood: Hackers will look for patterns and wait for a vulnerable time/opportunity.

What Can Be Done?

1. Create and implement a policy: Being breached is not about if but when. Put the recovery protocols in place before anything terrible happens. When it does happen, systems are ready to deal with it.

2. On the governance side: To determine measurements, the board and C-suite should meet with the CIO, CRO, and CISO and establish the critical metrics for how often the company systems get audited, documented, and followed up on. Cybersecurity is only as strong as the weakest link in the company (the employees).

3. Ask these questions:

  • Does the organization need a cybersecurity commitment team?
  • Are the risks analyzed and understood?
  • What are the investments required and the ROI?
  • How is the staff educated, and what are they trained on? How does that relate to the business?
  • Do employees understand their roles?
  • Is the company utilizing partners?
  • How do the vendors impact the company?
  • Does the company have a security policy or process in place for vendors?

4. Educational options: Many frameworks are available and specialized to fit specific industries. Some banks and merchant vendors will help with free necessary assessments.

  • Figure out which data needs to be protected and how those different buckets of data will be treated differently.
  • Know that there is no one blanket protection policy.

5. How to best protect passwords?

  • Password manager
  • Biometrics
  • Multi-factor authentication at sign-in, for example a second-level authentication step that sends a passcode to the user's mobile phone
  • Use Privileged Identity Management tools
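The passcode-to-phone step above is usually a one-time code. As an added example (not code from the original post or from any product it mentions), the following shows the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) and the two checks a verifying server should make: accept a small clock-drift window, and refuse a code whose time step was already consumed so an intercepted code cannot be replayed. The secret is the RFC 6238 test-vector seed, used here only so the output is checkable; a real deployment generates a random per-user secret.

```python
import hashlib
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals
    since the Unix epoch."""
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Server side of the second factor: tolerates +/- `window` time steps of
    clock drift and never accepts a time step that was already used."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1  # highest counter already consumed

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now // self.step)
        for offset in range(-self.window, self.window + 1):
            counter = current + offset
            if counter <= self.last_counter:
                continue  # replay of a consumed step, or older than one
            expected = hotp(self.secret, counter)
            # constant-time comparison so timing does not leak the digits
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


def verify_twice(secret: bytes, submitted: str, now: float) -> tuple:
    """Submit the same code twice to the same verifier; the second attempt
    must fail because the time step has been consumed."""
    v = TotpVerifier(secret)
    return v.verify(submitted, now), v.verify(submitted, now)


# RFC 6238 test-vector seed (demo only; generate a random per-user secret in practice).
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    first, replay = verify_twice(DEMO_SECRET, code, now)
    print(f"code={code} first_verify={first} replay_accepted={replay}")
```

With the test-vector seed, the code for Unix time 59 is 287082 (RFC 6238, Appendix B); the verifier accepts it once, then rejects the replay.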

How to Validate If the Policies Are Working or Not?

When developing technology, most designers/engineers use test-driven development (TDD); applying similar test-driven policies to cybersecurity enhances the posture.

  1. Test
  2. Measure
  3. Improve
  4. Tabletop test
  5. Monitor progress
  6. Simple clean-up: delete inactive/duplicate data

Cybersecurity involves processes, people, and technology. Be engaged, ask questions, document, and follow up. If the C-suite is not versed in the latest threats or aware of which questions to ask, work with passionate industry consultants whose expertise can fill the gaps.

15 Items to Consider While Enhancing the Cybersecurity Posture:

  • Pay attention to third-party vendors (remember the Target Corporation breach, where the hackers entered the systems through an out-of-state HVAC vendor?)
  • Who is accessing the network from the vendor side? Are they sharing the credentials with multiple users?
  • Are the vendors able to access only the components of the network that they need to conduct their business (follow “Minimum Authorization Required” rule)? Who is responsible for which part of the company systems and network?
  • Ask how often the vendor systems and policies get audited.
  • Who audits the vendor systems? Pay attention to the answers. Is it an independent third-party audit or an internal audit?
  • If a third party is employed, how reputable are they?
  • If internal staff is used, whom do the information security/audit staff performing the audit report to?
  • If they report to the CTO, a conflict of interest should be considered.
  • Are the systems getting patched?
  • What is the formal patching process? Is it verifiable?
  • How often does the company perform risk assessments? Is there a malware scan in place?
  • What is the formal method for interpreting the results and what actions are taken for the evaluations conducted in the past 24 months?
  • How are the vendors and their systems monitored currently?
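Several of the items above and in "Conquer the Easy Threats First" are checks that can be run mechanically from an account inventory and an access log: finding inactive accounts to remove, spotting a vendor credential that appears to be shared among several people, and confirming that a vendor only reaches the components it needs. The following is an added example and not code from the original post; the account records, log format and resource names are constructed for the demonstration, and the thresholds (90 idle days, more than two source addresses within ten minutes) are assumptions to tune to the organization.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account inventory (not real users): role, last login, and the
# components each account is permitted to reach ("Minimum Authorization Required").
ACCOUNTS = [
    {"user": "jsmith",         "role": "staff",  "last_login": "2018-11-01", "allowed": {"erp", "email"}},
    {"user": "tmp_intern",     "role": "staff",  "last_login": "2018-05-02", "allowed": {"email"}},
    {"user": "hvac_vendor",    "role": "vendor", "last_login": "2018-11-03", "allowed": {"bms"}},
    {"user": "old_contractor", "role": "vendor", "last_login": "2018-01-15", "allowed": {"ticketing"}},
]

# Constructed access log: "<ISO timestamp> <user> <source IP> <resource>".
ACCESS_LOG = """\
2018-11-03T08:01:12 hvac_vendor 203.0.113.10 bms
2018-11-03T08:02:40 hvac_vendor 203.0.113.10 bms
2018-11-03T08:02:58 hvac_vendor 198.51.100.7 bms
2018-11-03T08:03:15 hvac_vendor 192.0.2.44 bms
2018-11-03T09:15:00 hvac_vendor 203.0.113.10 erp
2018-11-03T10:00:00 jsmith 10.0.0.5 erp
2018-11-03T10:05:00 jsmith 10.0.0.5 email
"""


def parse_log(text: str) -> list:
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, resource = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "resource": resource})
    return events


def inactive_accounts(accounts: list, as_of: datetime, max_idle_days: int = 90) -> list:
    """Accounts with no login in the last `max_idle_days`: candidates for removal."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if datetime.fromisoformat(a["last_login"]) < cutoff)


def shared_credentials(events: list, max_ips: int = 2, window_minutes: int = 10) -> list:
    """Accounts used from more than `max_ips` distinct source addresses inside a
    sliding `window_minutes` window, a common sign of one credential shared by
    several people."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ips = {x["ip"] for x in evs[i:]
                   if x["ts"] - start["ts"] <= timedelta(minutes=window_minutes)}
            if len(ips) > max_ips:
                flagged.add(user)
                break
    return sorted(flagged)


def scope_violations(accounts: list, events: list) -> list:
    """(user, resource) pairs where an account touched a component outside its
    permitted set; for a vendor this is a least-privilege failure to follow up."""
    allowed = {a["user"]: a["allowed"] for a in accounts}
    return sorted({(e["user"], e["resource"]) for e in events
                   if e["resource"] not in allowed.get(e["user"], set())})


def run_audit(accounts: list, log_text: str, as_of: datetime) -> dict:
    events = parse_log(log_text)
    return {
        "inactive": inactive_accounts(accounts, as_of),
        "shared": shared_credentials(events),
        "scope": scope_violations(accounts, events),
    }


if __name__ == "__main__":
    for name, findings in run_audit(ACCOUNTS, ACCESS_LOG, datetime(2018, 11, 10)).items():
        print(f"{name}: {findings}")
```

On the constructed data the audit reports two dormant accounts to remove, flags `hvac_vendor` as apparently shared (three source addresses within two minutes), and records that the same vendor account reached `erp` although it is only permitted `bms`. Each finding maps to one of the questions above and gives the CISO something concrete to raise with the vendor.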

Opinions expressed by DZone contributors are their own.
