AWS-Cloud-Security-Consulting.jpg

CYBER SECURITY CONSULTING SERVICE AWARDS AND RECOGNITIONS

CyberSecOp's comprehensive managed security services, cyber security consulting, professional services, and data protection technology are recognized as industry-leading threat detection and response solutions by major analyst firms, key media outlets, and others.

CyberSecOp Cybersecurity & Breach News CyberSecOp Cybersecurity & Breach News

Board Oversight of Cybersecurity Risk

Why CISOs and Boards Should Work Together to Improve Cybersecurity

Corporate board members often ask management specific questions that stop short of demanding metrics, It is this lack of measurable criteria which often hinder the effectiveness of cyber-security efforts.

First and foremost, it is imperative for the board to appreciate the impact that information security can have on the business. Boards should treat security as a top business risk as well as a top business opportunity. Major security events can have a significant impact on revenue, brand, and can lead to catastrophic results.

Board oversight of cyber-security has increased over the years. Even board members without technical expertise have had to become rapidly acquainted with IT risk and security concepts. In recent years, frameworks and best practices have emerged to help boards get a grip on their organizations’ cyber-security posture.

Specific Areas of Focus:

  • Improved emergency response times and evacuation management with real-time tracking of personnel movements around your site.

  • Information related to how the organization manages cyber-security, security awareness, and the enterprise risk management (ERM) program.

  • Actively monitor workers within a zone, on local or remote sites.

  • Ensure blast zones have been cleared before explosives are detonated.

  • Monitor the movement of people to a muster area during an evacuation.

  • Ensure the security control room is aware of workers who are alone on remote sites.

  • Monitor personnel who remain within a high security area at the end of a working day or shift.

Breach Response Protocol

Corporate boards should receive regular reports from executives about the company’s cyber-security risks, management review processes, overall health, and readiness to respond to an incident. Best practices include quarterly reports from firm leaders and more frequent reporting if needed.

Company leaders should carry out incident response plan tabletop exercises annually at a minimum. Board members should expect reports on the test outcomes. Details about how the plan will be updated are based on the test results.

Third-Party Risk

Regulators are increasingly targeting third-party risk. Wide-reaching laws like GDPR, industry-specific regulations such as the New York Department of Financial Services (NYDFS) Cyber-security Regulation and NERC CIP-013 in the utilities industry, provide specific requirements for managing third-party risk.

User-Related Risk

Human error can expose an organization to a wide array of cyber-attacks.. Business leaders commonly state that employee negligence is the most common cause of data breaches. Phishing for example, was implicated in 32% of data breaches in 2018. In addition, poor password practices, connecting to public Wi-Fi from company devices, and sharing files that contain malware are all examples of employee errors that could translate into huge costs for any organization.

In terms of board qualifications, 41% of companies reported highlighting cybersecurity expertise as an area of focus for new board directors. But when it came to interactions with management, only 34% of organizations mentioned the frequency of board reports, with just 11% reporting briefing the board annually or quarterly.

Recommendations for Boards of Directors

Questions to ask:

  • Has responsibility for cyber-security been formally assigned at management level (e.g., CISO) and on the board itself (e.g., audit committee)?

  • Is the board getting regular briefings on the organization’s strategy regarding cyber-security risks and cyber resilience?

  • How engaged is the board in reviewing the organization’s cyber-risk management program and security-related investments?

  • How has the organization (i.e., management) fared in recent tabletop exercises or simulations? Are directors taking part in such activities?

Vinny La Rocca

CEO

CyberSecOp.com

Read More

Risk Facing Financial Services

Risk Facing Financial Services

Financial services institutions have changed significantly over the last decade – from utilizing technology in new ways to stay competitive and drive efficiencies, to adapting business practices in light of the global financial crisis and recent narrow interest margin markets.

As these businesses evolve, they’re faced with a new range of exposures that can result in significant and lasting commercial costs, and traditional exposures come to light in a different context. Crime has also changed for these businesses, with a growing number of attacks against financial institutions taking place online and through digital means.

To better understand this changing landscape, we’ve outlined the top risks facing financial institutions today:

 

Social engineering and funds transfer fraud

Financial Services .jpg

Some of the most frequent cyber claims made by businesses in the past year involved funds transfer fraud and some form of social engineering. Funds transfer fraud is often carried about by criminals leveraging fraudulent emails or phone calls to request the transfer of funds from a legitimate account to their own. In some cases, fraudsters will pose as a senior executive appearing to give urgent instructions to a junior employee. While financial institutions have greater control processes, including separation of responsibilities, both banks and their clients are at risk of falling victim to these types of attacks, and as long as they continue to prove successful, we expect this threat to grow in both frequency and severity. Financial institutions should consider employee training on these newer forms of fraud, including how to identify phishing emails. Banks should also be concerned about their customers’ susceptibility to social engineering fraud, and should consider education campaigns where relevant.

 Adherence to post-crisis regulation

Following the mortgage crisis in 2007-2008 and the subsequent global financial crisis, the regulatory burden for banks has increased significantly. This brings additional costs when meeting these new requirements, along with higher potential penalties if an institution fails to comply. In many instances, resultant fines and penalties following regulatory failures are uninsured or uninsurable. Financial institutions should seek cover where regulatory enquiry costs and expenses are covered.

 Falling prey to predatory banking

Financial institutions have found themselves in a narrow interest margin environment, which means the pressure on banks to generate revenue from non-interest earnings is intense. In some cases, the desire to drive revenue through new or existing products has led to instances of selling inappropriate products to consumers, resulting in significant consumer claims. Institutions must ensure that their products are suitable and that they meet the needs of the consumer and the consumer’s expectations. It’s also important for institutions to ensure their remuneration policies do not inadvertently encourage the miss-selling of products. The fallout from consumer protection scandals can be costly not only from a legal and regulatory standpoint, but also in terms of damage to the brand.

 Reputational damage

Predatory banking is only one type of behavior that can bring reputational harm to financial institutions. Large institutions can suffer backlash for a variety of misdeeds made public, for instance the failure in anti-money laundering controls by Wells Fargo or HSBC, who were hammered in the media for their behavior. On a smaller scale, for regional and community-based institutions, the power of social media can mean that reputational damage spreads far faster than ever before.

 Systemic instability

Nearly a decade later, the effects of the global financial crisis are still being felt by financial institutions around the world. Recent concerns over Deutsche Bank’s operational cut backs and stock price decline have shown there is still uncertainty around the performance of even the biggest financial organizations. Additionally, recent instability in Europe – particularly in Italy and Spain, as well as the still incomplete negotiation – could have effect elsewhere, including the US, where European headquartered institutions such as Deutsche Bank, Barclays and HSBC are systemically significant institutions.

 Challenger banks and new technology

The traditional banking model is increasingly challenged by newcomers trying to use technology to replace existing processes and disrupt the status quo. In the UK and Europe, challenger banks are gaining steam and traction among younger generations and early adopters. In the US, there are few online-only challenger banks, but there is increasing competition from payment processors, online non-bank lenders and other providers who are edging their way towards areas conventionally controlled by banks. The risk for traditional institutions will not only be economic, but they will also need to provide more services to their clients to ensure they are competitive and relevant, and they may need to reassess their cyber exposure as they put more systems online.

 

Read More
Security Compliance, Security Consulting, NIST, GDPR compliance, Data Breach CyberSecOp Cybersecurity & Breach News Security Compliance, Security Consulting, NIST, GDPR compliance, Data Breach CyberSecOp Cybersecurity & Breach News

Corporate Information Security Steering Committee

Organizations are becoming increasingly aware that if they fail to implement successful security management processes, it could expose them to untenable risk.

The role of the corporate information security steering committee has become an essential tool in the quest for a coordinated corporate security strategy, for reducing duplication in security spending, taking control of complex infrastructures, and, ultimately, reducing security risk. 

One of the first steps for many organizations has been to set up a common security team and embark on enterprise-wide information security programs. However, many of these teams have struggled to align corporate business objectives with strategic security investment.

META Group's research indicates that the majority of new security teams struggle to define and establish their corporate missions, scope, influence, and power bases. Furthermore, these security teams have poorly defined executive charters and operate without effective communications plans. The unfortunate result of such poor grounding is the temptation for newly established teams to immerse themselves in technology quests, searching for elusive enterprise-wide technical solutions.

In contrast, the most effective security organizations are those with clear responsibilities and well-defined processes based upon five primary organizational roles:

  • Leadership - this is the role of the chief information security officer who deals with both the day to day management of the security team as well as continuous communication of the importance and value of security measures

  • Analysis/design - these security analysts help information owners develop meaningful security policies as well as adequate security solutions

  • Security administration - these people look after the day to day administration of access rights, passwords, etc

  • Security operations - resources that continuously monitor the organization's security status and manage incident response procedures.

  • Awareness communication - resources that design and manage ongoing security awareness and training programs. 
    Executive custody and governance -represented by an information security committee

The role of the corporate security steering committee is to coordinate corporate security initiatives at the executive level and thus enable an organization to optimize spending, manage their infrastructure, and minimize security risk. Obtaining consensus and support for corporate-wide security initiatives is especially difficult in highly decentralized and multinational organizations with devolved authority and autonomy. In this type of organization, an executive governance body becomes essential.

Corporate information security steering committees (CISSC) must have a clear charter with a range of functions that should include:

  • Managing the development and executive acceptance of an enterprise security charter.

  • Assessing and accepting corporate-wide security policy (e.g., the corporate policy on security incident response, general behavioral approach). This function's primary objective is to ensure that business requirements are reflected in the security policy, thus ensuring that the procedure enables rather than restricts business operations.

  • Assessing any requests for policy exceptions from individual business units.

  • Assessing, accepting, and sponsoring corporate-wide security investment (e.g., identity infrastructure deployment, remote access infrastructure) and requests to be excluded from common investment.

  • Providing a forum for discussion and arbitration of any disputes or disagreements regarding common policy or investment issues.

  • Acting as custodian and governance body of the enterprise security program by ensuring visible executive support and monitoring progress and achievements. The role of a permanent governance structure reinforces the message that enterprise security becomes an ongoing, long-term initiative.

  • Assessing and approving the outsourcing of common security services and coordinating investment of inappropriate relationship management resources. As the lack of skilled resources increases the need to outsource operational services, executive due diligence, risk assessment, and ongoing effectiveness assessment must be coordinated through the steering committee.

  • Initiating ad hoc projects to investigate the advantages, disadvantages, risks, and costs of common security initiatives and advising the committee with appropriate recommendations.

  • Representing the executive (board of directors) or its nominated information governance body (e.g., an information executive board) in all corporate security matters. Reporting back to these forums on the activities and effectiveness of corporate security programs and investments.

  • Acting as custodian of corporate-wide strategic security processes (e.g., role analysis, data classification) by validating process ownership, responsibilities, and stakeholders.

  • Acting as the respondent to enterprise-level audit exceptions (i.e., those audit exceptions where a specific individual cannot be found to be responsible).

  • Coordinating and validating any external, security-related corporate communications plans and activities (e.g., in the event of a high-profile, publicized security breach).

  • Tracking major line-of-business IT initiatives to identify synergy opportunities or leverage security investment.

  • Governing trust relationships with major e-business partners.

It is essential that steering committee members can make decisions at meetings. This requires the active participation of senior executive business managers, or it must be a permanent subcommittee of an organizational information board. To prevent the committee from becoming an ineffective 'debating society' or forum for driving political agendas, the committee's scope, powers, and objectives should be documented and measured.

Typical members of an information security steering committee include all line of business managers, application owners, regional managers, IT managers, the IT director, the chief security officer, the corporate risk manager, and the chief internal auditor. A clear distinction must be made between the role of the CISSC (i.e., executive custody and governance) and the leadership role (i.e., day-to-day management of the security team) of the chief information security officer.

By developing the emerging role of the chief security officer (CSO) and the security team, enterprises can foster a holistic approach to information security - one that recognizes that policy, process, and communication are as important as technology.

Read More
Security Compliance, Security Consulting, Botnet CyberSecOp Cybersecurity & Breach News Security Compliance, Security Consulting, Botnet CyberSecOp Cybersecurity & Breach News

Cyber Security Developments

Cyber Security Is The Backbone Any Online Businesses – Here Are Some Quick Tips To Keep Yourself Informed About The Latest Threats Surrounding Your Business.

                                    Cyber Security Developments

                                    Cyber Security Developments

Within a standard nine to five working day, it’s said that there are almost two million data records lost or stolen. Cybercrime has become something of an epidemic in recent years – and it’s no exaggeration to say that everyone is at risk.

Hackers operate in an increasingly complex way and are happy to target small businesses and individuals, who are most likely to be vulnerable to attack. The nature of the threat changes as technology advances and so the only way to stay safe is to stay up to date.

But that’s easier said than done, right? How do you keep up to date with the latest cybersecurity developments?

Follow The News

When it comes to cyber security, ignorance is not bliss – it’s a recipe for disaster. It’s imperative that you identify and follow a news feed that you can trust. By doing so, you can keep on top of any fresh threats that have emerged, learn lessons from other cyber attacks and pick up the latest tips and advice from influencers and experts in this field.

News from this sector really shouldn’t be seen as the preserve of IT specialists – the scale and nature of the threat suggest that this should be of interest to everyone. There’s a burgeoning band of podcasts available on the subject for people who prefer to digest content in this way too.

Bring Up The ‘Security Question’

If you think that installing an anti-virus program is enough, then you’re mistaken. Don’t just presume that you’re safe because you have this because this is merely the first line of defense to root out attacks. By adopting a safety first mindset you can ensure that the way you handle your data is less risky.

Whether it’s securing your Wi-Fi network at home, managing and updating your passwords on a regular basis or the way you collect, collate and analyze data throughthe point of sale software at work, continually ask yourself ‘is this safe?’ Just as ignorance isn’t bliss, complacency could prove your undoing. Place ‘security’ high on the list of credentials to consider when buying new software or hardware, don’t just go for the cheapest option.

Training

Even the experts are constantly having to refresh their understanding of the threat posed by cyber attacks. It pays to search out training opportunities, especially if you’re a business. You are, after all, only as safe as the people operating your software and systems and you don’t want to put the security of your business in the hands of someone who is unsure about what they are doing. Individuals and businesses alike can find free learning materials on Cybrary to help plug any knowledge gaps they have.

It’s Good To Talk

Cyber attacks are incredibly common – but people don’t often enough talk about their experiences. Perhaps you’re afraid or embarrassed to have been caught out? There’s no need to be. In fact, talking with friends and colleagues could really help you to stay safe. Pass on tips about new apps, good software, neat tips and tricks and any new cyber attack tactics you have come across and you can help to do your own bit to combat the criminals.

By keeping up to speed with security news, refreshing your training, sharing tips and tricks and adopting a safety first attitude you’ll give yourself the best possible chance of staying on top of cyber security developments and, best of all, safe.

Read More
Security Compliance, Data Breach CyberSecOp Cybersecurity & Breach News Security Compliance, Data Breach CyberSecOp Cybersecurity & Breach News

NYDFS Cybersecurity Retain a CISO, CSO -Regulation Compliance

NYDFS Logo.jpg

With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training, and controls in place in order to protect data and information systems, said Superintendent  in a press release issued by DFS, CyberSecOP helping financial organisation comply with the NYDFS manadates.  

With the New York Department of Financial Services’ (NY DFS) new terms poised to come into effect next month, banks and financial services companies operating in the state must start preparing for the change.

One of the most discussed issues in the controversial proposal is the requirement to appoint a CISO (chief information security officer). The move was met by heavy criticism at a hearing in December last year, leading to a massive backtrack from the DFS in a revised proposal.

Requirements of the CISO

The latest proposal removes any explicit requirement to hire a CISO, which is good news for many smaller or rural financial institutions that don’t currently have one in place. What this means, practically, is that the position is no longer necessarily exclusive. Banks can choose to designate someone to complete the tasks of a CISO while also performing other duties. Alongside this, the proposal does not state that the specific title of ‘CISO’ is required.

So what will the CISO (or CISO by any other name) be asked to do? The role now covers a broader set of responsibilities but in a less detailed manner. The designated person will have to provide an annual report to the board of directors (previously proposed as a biannual report) on the “cybersecurity program and material cybersecurity risks”, according to the proposal. It is now specified that the report must be “in writing” but it no longer needs to be provided to the NY DFS upon request.

The required content of the report will now also be less extensive. The CISO must identify and report only on material cyber risks rather than all cyber risks. This will involve “consider[ing]” those issues “to the extent applicable.” Additionally, the CISO will be able to tailor their focus to the issues appropriate to their organization.

Finding the right candidate

The NY DFS’ revision allowing the CISO to be an employee of the covered entity (i.e. an internal hire), or an affiliate or third-party service provider offers crucial flexibility for smaller financial institutions.

Companies with only a handful of employees – the most vocal in their frustration at the DFS’ initial plans – may look to shuffle their existing staff.

When doing that – or in making a new hire – there are certain things organizations need to look for. The CISO role is not just a tech-specific position, notes John Linkous, RSA Conference’s technology advisor, but they must now be “a trusted advisor to the business as a whole”. He adds:

“One of the most critical capabilities is simply the ability to understand the business much more intimately than his or her predecessors. Business drives the need for technology, and so security must be focused on how data is used within those business functions, across the end-to-end spectrum. Without a solid understanding of what the organization does, and how it makes money, an information security officer is going to have a fundamental disconnect with what’s needed to protect the enterprise.”

Third-party service providers or affiliates

Given the responsibility placed on the CISO, outsourcing the role to a third party can be an appealing proposition.

Going down this route presents its own set of issues, though. As TechTarget reported, third parties are “almost always” involved when it comes cyber breaches – arguing that it is either through a lack of accountability or oversight. While service-level agreements (SLAs) are always advised, the DFS has taken steps to ensure the right measures are in place. In response to the fear that financial services firms would not always have sufficient power to force third parties to accept their preferred provisions, the NY DFS now dictates that all third-party services must be performed under contractual provisions rather than by way of “relevant guidelines for due diligence.”

Source: www.itgovernanceusa.com

Read More