In my last post we talked about how financial firms can shift their focus when it comes to managing cyber risk, given the “slow leak” nature of many cyber attacks.
Accenture’s paper on this topic, “Making Your Enterprise Cyber Resilient,” proposes a methodology that weaves in three fundamental steps around identification, prevention and detection. My presentation during the recent RiskMinds International conference digs a little deeper into these three areas. From a prevention standpoint, building a strong risk culture and establishing controls are critical. From a detection standpoint, having the right metrics in place and building the right operating model can help.
These pieces are all important, but here I’d like to talk about three actions that could make a dramatic difference in any cyber resilience plan:
Focus on identifying your “crown jewels”
If you can’t protect everything, then identify what absolutely must be protected and put your best security around it. Think in terms of concentric circles, with your most critical data and resources at the heart of your security efforts.
Because your crown jewels are likely to be digital, this means you will be moving from physically segmenting your valuables to cyber segmentation. As noted in our cyber resiliency paper, you’ll certainly want to conduct regular penetration testing and take other measures to secure your cyber defenses. But we recommend moving beyond that, into measures such as advanced adversary impersonation: hiring a group or individual to try to break in, which helps you expose existing gaps.
Accept that some criminals are already inside
You may think your workforce is above reproach. But the fact is, large financial firms hire employees at scale, sometimes in the tens of thousands. It would be careless to assume that not one of these could be a cyber terrorist, a professional thief, or simply someone looking to make some quick side money.
The internal threat is real, and it is significant. It may be time for firms to develop a dual approach to managing cyber risk—think back to the days when dual processes were built around tellers and around general ledger. Dual control approaches can be applied to the larger employee population as well. This, in tandem with building good locks to keep the outside criminals out, can help provide significant protection.
Bring in risk management
Today, many cyber security programs reside in a business’s IT department, with loose oversight from the Risk Management function. That needs to change. Attacks span business processes and seek out the weakest point to gain entry. Typically people are the easiest target, with technology being compromised later in the attack, once credentials have been obtained. IT is a key part of the solution, but someone needs to unify fraud management, information and process risks, and conduct and security risks.
Do we need to make wholesale shifts, and move the whole approach onto the chief risk officer’s desk? Likely not. Further, other departments, such as HR and Communications, also own a piece of this challenge. But we think positioning the CRO as the “lead among equals” could bring the right focus for building cyber resilience.
My next post will focus on specific steps financial firms can take to begin building their cyber resilience strategy.