BreachExchange mailing list archives
Asset management must not become complacent about cyber security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 25 Sep 2015 11:52:27 -0600
http://www.investmentweek.co.uk/investment-week/opinion/2427619/why-asset-management-must-learn-lessons-from-other-sectors-on-cybercrime

The financial services sector, in particular, needs to plan for when, not if, it is successfully hacked, with last month's distributed denial of service attack on one of Britain's largest banks serving as a reminder of the sector's vulnerability. Regulators in the US, UK and, recently, Ireland have all warned the financial sector about cybercrime, with the Bank of England's Financial Policy Committee saying that UK firms are underestimating the threat.

The ever increasing scale and frequency of breach reports has primarily been driven by US breach notification laws, but there is really very little reliable and appropriate data available on the frequency of cyberattacks. There is a significant sampling bias in most cyber data reports, as they focus specifically on breached firms that have either publicly reported their breach or were assisted by the authors of the report. While there is more data available than ever, it relates to known breaches, not all breaches, although a number of groups are working to improve the quality of information available.

Data breach

One of the more interesting reports is the 2015 Cost of Data Breach Study from the Ponemon Institute. It estimates the average chance of a data breach over a two-year period is 22%. That is a bold assertion that needs to be taken with a pinch of salt, but on the face of it the estimate suggests two inferences. The first is that 78% of firms will not be breached over a two-year period. The second is that if the probability is truly independent every two years, then there is a 71% chance of a firm having a data breach every ten years (five independent two-year periods, so the chance of avoiding a breach across all of them is 0.78 to the fifth power, about 29%). This is not as bad as some industry experts say, but it does show that data breach risks are hardly 'black swan' events.

Importantly, cyber risk must form a key part of operational risk management, with a clear strategy in place to handle such incidents. It is worth considering that the study focuses on data breaches defined as an event that puts an individual's name and medical or financial record at risk. The 22% probability estimate is, therefore, likely to be too low if considering a wider definition of a security breach, which can also involve business interruption, reputation damage and data integrity issues.

Many firms have already stepped up their approach to identifying data breaches and security incidents, leading to improvements in the speed of detection and reaction. However, professional experience suggests those firms which detect attacks faster than their peers have either previously handled a major breach or have an active regulator focusing on cyber security. Those that remain unaware of the threat are commonly slower to detect and react to a breach, and there will be many firms currently suffering breaches that remain blissfully unaware. Some will never find out. Just because you do not know you have been breached, unfortunately, does not mean you have not been breached - and what you do not know certainly can hurt you.

Identifying attacks

The 2015 Cost of Data Breach Study identified an "upper-sloping linear relationship" between the time taken to identify an attack and the average cost of a data breach. A similar relationship exists with the time taken to contain a breach. Reducing the time to identify and contain attacks directly reduces costs. And if we accept cybercrime as a normal operational risk that is likely to occur on a reasonable time horizon, we should be thinking about reducing the cost of occurrence.

The asset management sector has recently been accused of complacency around cyber security by The Cerulli Edge, published by Cerulli Associates. While it is true that many firms have not been leaders or early adopters of new practices or technology in this space, interest has recently picked up. The lessons learned by the wider financial services sector can be used by fund managers and investment firms to accelerate the improved management of cyber risk, by reducing the time taken to identify and contain attacks. There is a new determination to improve detection through the deployment and maturation of security operations centres, improving incident readiness through formal planning and tabletop war gaming exercises, and early glimmers of interest in advanced techniques, such as proactive threat hunting.

Fund managers have a long journey ahead of them in improving their cyber risk strategy. While it is not all black magic and black swans, considerable challenges remain in safeguarding the assets and reputations of firms and clients alike.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!