During 2011, we've seen hackers attack several major businesses. Aside from the recent attack by Anonymous on San Francisco's BART, companies like PinnacleHealth, Sega, PBS, Sony, Lockheed Martin, EA, RSA and Citi have all faced security breaches this year alone. And there is a long list of small and medium businesses that were attacked but never made it to the public eye.
As more public hacking tools with user-friendly GUIs are released every day, well-orchestrated hacker groups with niche targets have become increasingly public, gaining notoriety and inadvertently encouraging other hacker groups to flourish. Most importantly, numerous IT vulnerabilities still remain unexplored. Thus, it goes without saying that information security applications must top every company's list of urgent action items.
Security is no longer a silver bullet or a one-size-fits-all solution; companies must take a holistic approach to creating programs that work. I've seen countless companies buy very expensive and complex tools with the expectation that they will magically solve all problems. However, the same companies struggle to set up these tools, get them into action quickly and effectively train staff on their use. I've also seen companies perform mundane, blanket security functions just to check a box, i.e., implement programs that barely meet security ratings but that do not offer targeted, comprehensive or effective consumer-protection strategies. Still others -- in an attempt to make security everyone's responsibility -- duplicate efforts and miss the opportunity to generate synergy and collaboration among business units.
Here are some key issues that financial institutions should consider in order to move beyond a one-size-fits-all approach and begin successfully fighting cyber attacks.
1. Adopt a risk-based approach to setting priorities and selecting tools for IT security.

Before selecting an information security tool, institutions should identify their core business processes, classify the information they handle, understand how data flows, comprehend the legal and regulatory landscape they exist within, and then adopt a risk-based approach to setting priorities. This type of approach allows organizations to focus on what really matters by identifying assets, threats and vulnerabilities. The strategy also allows for both qualifying and quantifying associated consequences according to the probability of occurrence and impact.
Companies must identify threats through well-defined, predictive processes; implement ready-to-go tools; and establish training and awareness programs that combine to drive down business risks. (There are many well-defined methodologies for performing risk assessments, such as OCTAVE, ISO 27001 and NIST SP 800-30, to name just a few.) As a result, organizations will be able to properly select the tools that provide the highest value and coverage.
2. Establish a stringent identity management program.

For financial organizations, the key to protecting customer information is establishing a stringent identity management program that implements multifactor authentication, strong encryption mechanisms to protect data in storage and in transmission, and fraud detection and monitoring mechanisms. In addition, those that have already included mobile devices as part of their strategy must at least identify all threats associated with mobile technologies before granting consumers access to sensitive functions and data.
3. Acknowledge that people are a critical component of an effective information security solution.

Due to the extensive list of information security domains, some organizations focus mainly on initiatives around governance, risk and compliance; identity management and access control; data-loss prevention; network and information security; and penetration testing. While these five domains set the foundation for information security programs, organizations should not forget that security processes, tools and infrastructure are defined and supported by people, not machines. Thus, effective awareness programs and a well-trained staff are crucial parts of the cyber-security solution.
4. Construct a metrics program to effectively analyze the cost-benefit ratio of security solutions.

A well-established metrics program that analyzes the cost-benefit ratio of security solutions is paramount. It allows CIOs to articulate the value of security solutions through business cases and ROI analysis. The cost of a security solution can then be compared with the value of the data and assets it protects, ensuring that the cost of the solution does not exceed the cost of what you're protecting.
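The risk-based prioritization of item 1 and the cost-benefit check of item 4 can be made concrete in a few lines. The example below is added here and is not the article's or Softtek's own code; the risk register, the 1..5 likelihood and impact scale, the control costs and the reduction fractions are all constructed assumptions for illustration.

```python
"""Risk ranking and control cost-benefit check.

Added example, not from the article. It uses a constructed risk register and
an assumed 1..5 likelihood x impact scale (in the spirit of NIST SP 800-30);
every weight and dollar figure below is an illustrative assumption.
"""
from dataclasses import dataclass

# Assumed ordinal scale shared by likelihood and impact ratings.
SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}

@dataclass
class Risk:
    asset: str          # business asset or process
    threat: str         # threat or vulnerability being assessed
    likelihood: str     # key in SCALE
    impact: str         # key in SCALE
    annual_loss: float  # constructed expected annual loss if realised (USD)

    def score(self) -> int:
        """Risk score = likelihood x impact (1..25); higher is more urgent."""
        return SCALE[self.likelihood] * SCALE[self.impact]

@dataclass
class Control:
    name: str
    annual_cost: float  # assumed cost to buy, deploy, run and train on it
    reduction: float    # assumed fraction of the loss the control removes

def rank_risks(risks):
    """Order risks from highest to lowest score, breaking ties by loss."""
    return sorted(risks, key=lambda r: (r.score(), r.annual_loss), reverse=True)

def control_is_justified(risk, control):
    """A control is worth buying only if the loss it avoids exceeds its cost."""
    return risk.annual_loss * control.reduction > control.annual_cost

# Constructed register for a small financial institution.
RISKS = [
    Risk("customer account database", "credential theft via phishing", "high", "very high", 400_000),
    Risk("marketing web site", "defacement", "moderate", "low", 15_000),
    Risk("mobile banking app", "unvetted third-party SDK", "moderate", "high", 120_000),
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.score():2d}  {r.asset}: {r.threat}")
    mfa = Control("multifactor authentication", 60_000, 0.6)
    print("MFA on the account database justified:", control_is_justified(RISKS[0], mfa))
```

The same check shows when a control is not justified: a constructed control costing more than the loss it would avoid on a low-value asset fails the test, which is the "do not exceed the cost of what you're protecting" rule from item 4.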
Technologies evolve, and new threats and vulnerabilities emerge. As such, information security is not a final destination; it is a journey, one that must receive the necessary time and attention from CIOs in today's technology-driven world.
Leonel Navarro is the Information Security Practice Manager and business leader for Softtek, as well as a certified project management professional and certified information systems security professional. Navarro's 10 years of experience in IT operations with teams based in Mexico, the United States and China, combined with the critical customer-facing positions he has held, enable him to coordinate the sales, marketing, product management and strategic alliances strategy for Softtek's Information Security Service offering while overseeing the delivery of those services to existing clients. He has participated as a guest speaker at various conferences and has published several white papers. He holds a Bachelor's degree in Electrical Engineering & Computer Architecture from ITESM.