Financial services are a prime target.
With Steven Sacks
The New Fundamentals: Thriving in Disruption
With cyber-crime growing by leaps and bounds, accountants are caught in the crosshairs, cyber-security professional Jill Cagliostro tells Steven Sacks.
Cagliostro, senior product manager with Splunk, a data management and security company, says: “Cybercriminals are getting more advanced. They’re finding new avenues and new ways to get in every single day.”
“And beyond that,” she says, “they’re also communicating with each other. So they’re able to share these new tactics and techniques amongst each other to become more proficient together.”
Key Takeaways
- Bad actors are communicating in places like the dark web and in forums to share their ideas and to plan breaches of private and government entities.
- Third-party vendors must go through security questionnaires before they are onboarded as a partner with a private entity.
- The questionnaires are used to ensure that the third-party vendor has the necessary security mechanisms in place, such as two-factor authentication, encryption, and comprehensive policies that must be followed.
- There are key metrics to use to assess the risk of cyberattacks, but developing KPIs that indicate how secure something is, or how well the security team is doing at protecting the organization, can be difficult.
- Clients are looking for different KPIs that show the level of success they have had in identifying threats in their environment.
- Companies that experience security breaches will find it more difficult to attract future security talent, because security professionals will not want to have on their resumes companies that were victimized by a breach, as it will imply that they allowed the breach to occur.
- The most common way that companies get hacked is through phishing emails, which do not always go to the executives. Security should inform not just technology decisions, but business decisions as well.
- One of the main ways the IT and security teams monitor for behaviors is by tracking activity on employees’ work computers. Connecting to a corporate VPN allows the IT and security teams to see what is going on internally.
- In addition to external threats, there are internal threats that could be very costly. Company employees can have access to trade secrets, confidential information, and insider trading information.
- There are a couple of different ways to monitor this behavior, including data-loss prevention tools that can monitor files going in and out of a company’s network.
Transcript
Cybersecurity Issues in the Financial Services Industry
Speakers: Steven Sacks, Jill Cagliostro
Steven Sacks 00:01
Today, I’m very pleased to have Jill Cagliostro talking to us about cybersecurity concerns in the financial services sector. Jill is a senior product manager with Splunk, where she’s in charge of the Splunk security cloud solutions. Welcome, Jill.
Jill Cagliostro 00:36
Thanks for having me, Steve. I’m glad to be here.
Steven Sacks 00:39
There’s been increasing concern with employing effective cybersecurity systems in various industries, some of which we’ve never considered to be potential victims of cybersecurity attacks. And recently, the government has been one of those victims of a cybersecurity attack. To begin, what are some of the factors that have been giving rise to this growing threat of cybersecurity attacks?
Jill Cagliostro 01:08
Yeah, so for starters, cybercriminals are getting more advanced. They’re finding new avenues and new ways to get in every single day. And beyond that, they’re also communicating with each other, so they’re able to share these new tactics and techniques amongst each other to become more proficient together, which just makes it a little harder to play defense. And so, you know, we see actors communicating in places like the dark web and in forums as ways to share their ideas and how they’re able to effectively breach private entities as well as government entities. And so we’re seeing a rising trend in the capabilities of the bad guys out there.
Steven Sacks 01:48
Well, our audience comprises a CPA community, most of which work in the public sector, but there are those who work in the private sector. And both cohorts deal with third parties, which pose risks. So, what has been done to manage risks vis-à-vis vendors who assist companies in terms of cybersecurity?
Jill Cagliostro 02:14
Yeah, so we’ve seen a lot of third-party vendors go through security questionnaires before they’re onboarded as a partner with a private entity. And so these security questionnaires serve as a checkpoint for the one who’s procuring the services, a way to say: are you secure enough for us to work with you? And they can include questions like: What is your security policy? Do you encrypt data at rest? You know, do you have two-factor authentication enabled? Questions like this give you a good idea of the security practices of a third-party organization, which can be a little tricky for them. Third-party organizations can sometimes be smaller entities that may not have a whole security team, right? It may be one or two people as the whole third-party company. And so, confirming that at a minimum they have a security policy and are following industry best practices can help ensure that you’re working with a partner who’s not going to lead to your next breach.
Steven Sacks 03:09
So, I imagine there are different vendor capabilities. So, the differentiators between them are those that can answer some of the questions that you’ve asked in terms of their security protocols and compliance with regulatory rules and regulations. So for that matter, are those actually the differentiators? Or are there some more that you take into consideration?
Jill Cagliostro 03:36
Yeah, so we often see that when companies are selecting third-party providers, they’ll often ask questions about compliance, like you mentioned, like SOC or SOC 2 compliance, to understand that they’ve met some of the industry standards of secure practices. And so we have seen in the recent past where security is really starting to impact decisions on which partners you’ll work with. And so even if a third party has the best solution, if they are not conducting their business in a secure fashion, we’ve seen companies choose to go with other vendors, because the risk that it creates for your organization is very high. We’ve seen a lot of public breaches in the last few years that have originated from third-party vendors, right? Getting into a third-party vendor and then pivoting into their clients. And so, customers are becoming more aware and more cautious about who they choose to work with.
Steven Sacks 04:33
Are there particular metrics involved in assessing the risk of cyber-attacks? What are the key elements to measure?
Jill Cagliostro 04:40
Yeah, it’s a highly contended topic, right? Cybersecurity is an industry that has been around for a relatively long period of time, but compared to how long business has been around, it’s inconsequential. And so, developing these KPIs that tell you how secure something is, or how good your security team is doing at protecting your organization, can be difficult. Now one of the more common metrics that we hear is the number of blocked connections on the firewall, which is usually on the order of hundreds of millions, right. Which is great. That means your firewall is keeping out hundreds of millions of attempts to get in. But that’s almost the norm. It’s very expected today. That number is no longer impactful. And so what we see a lot of clients doing is looking for different KPIs that can show the level of success that they’ve had with identifying threats in their environment. So, some of the things you may track are, you know, the number of instances of malware identified in your corporate environment, the different kinds you’ve seen. You know, how early in its execution were you able to catch it? Was it just downloaded? Did it run? Did it take data out of your environment? Being able to provide that kind of information. And then at the more advanced side of the house, we see clients starting to track things around threat intelligence, which is the concept of sharing information about known threats. And so if you’re a financial services organization, for example, there are particular bad guys, or actors, as they’re more commonly called, that are going to target you. And one of the most common names you’ll hear is APT 28, who also goes by “Fancy Bear” or the Sofacy group. They have, I think, over 20 different aliases they go by; it’s all the same group. And so if you’re a large financial services company, you may want to report to your board what activity you’ve seen from that group.
Are you, as an individual entity, a target within the sector that they target? If you haven’t seen any activity, why do you think that is? And trying to get inside the head of your adversaries is starting to become more and more prevalent, to be able to present metrics on how many actors you are tracking that may be a risk to your org, and metrics such as that.
Steven Sacks 06:53
Today, more corporate executives and their boards are being held responsible for cyber incidents. It seems there would be a hit to the company’s bottom line in addition to tainting its brand. Can you speak to these issues?
Jill Cagliostro 07:07
Yeah, so when you have a security breach, it’s much more expensive than just the cost to remediate, which can also be very high. Right. So when you have an incident, you may have to take down your services for a bit to be able to remediate whatever issues you found. So you have downtime. You have the cost to your brand, your brand reputation, which usually will impact your bottom line. Home Depot experienced it after the big breach back in the day, where Lowe’s saw an uptake in business shortly after, because consumers didn’t trust them. Right. And it also impacts your ability to attract future security talent. Right? Once you’ve been breached, it becomes scary, almost, for a security professional to come work for you. The scariest thing you can have on your resume is working at a company when it’s breached, because it seems as if you were part of the failure, right? You missed something as an individual, which can create a hard time attracting good talent and preventing it from being breached in the future. Not to mention fines, right? If you have PII or healthcare data, or you’re a financial services company, you can be hit with a variety of different kinds of fines from the government as well, which can add up very quickly.
Steven Sacks 08:20
For larger organizations, why should executives inform their boards about how risk is being managed? Now, is there a way that they should inform them, or a frequency? How much in the weeds should they be going in terms of explaining the issues to their board?
Jill Cagliostro 08:40
Yeah, so you want to try and explain it in terms they can understand, right? You should never expect your executive board to be security experts, because that’s just an unreasonable expectation, the same way they don’t expect security professionals to be CPAs. And so one of the ways we’ve seen clients start to communicate what they’re seeing as threats, as well as what they are doing to prevent them, is mapping to a framework called MITRE ATT&CK. And so the MITRE ATT&CK framework allows you to model the adversaries that are attacking you and how they’re going to attack you. But it also allows you to model your mitigating controls. And so when you overlay those two heat maps, you can see exactly not only where you are vulnerable, but where you are likely to be breached through. So what vectors should you be concerned about? And this is a very impactful way to present to your board, because it allows you to not only show the risk but what your mitigating controls are and how to marry these two together, so you can make more informed decisions about where to focus your resources.
Steven Sacks 09:44
Today, you know, with organizations facing bad actors from different directions, is there one particular person within the organization, like the CIO or the chief risk officer, to be tasked with the overall responsibility in terms of a data breach, or is the responsibility dispersed throughout the organization?
Jill Cagliostro 10:10
In my professional opinion, security responsibility should be held throughout the company, down to every employee. The most common way that companies get hacked, right, is through phishing emails, which don’t always go to your executives. Sometimes it’s, you know, a low-level, entry-level employee who clicks the link they’re not supposed to. And security should really not just inform your technology decisions, but your business decisions: which vendors you choose to work with, right? Your vendors are not all security vendors; they’re going to be in every component of your organization. And there should be a sense of responsibility throughout your company that everyone should be looking at not only how they do their jobs, but who they choose to work with, from a secure mindset. And the only way you can really implement effective security is when you use it to make all of your business decisions, not just your technology ones.
Steven Sacks 11:01
Because financial service companies deal with data analytics and money, what should they be thinking about in terms of security metrics? Which metrics are important? And how can they be tracked?
Jill Cagliostro 11:15
Oh, there are so many to track, right? With security, it can include concepts such as fraud. It can include insider threats, people within your organization conducting bad activities. You have external threats, right, which is the most commonly talked about avenue, where you’ve got the bad guys trying to get in. And some of the metrics we can use are, you know, we can go back to the original old-school way of the number of blocked firewall attempts. But the more interesting thing is, how many successful phishing campaigns did you see against your organization? Those are things that security teams can create metrics on. How many instances of malware, as I mentioned earlier, and going back to that threat actor tracking as well. Especially once you’re in the financial services industry, you are considered a high-risk target. You house, you know, all of the money in the world. And so that is very compelling for cybercriminals. And it’s very easy to become a cybercriminal these days. All you need is a laptop and an internet connection and a quick Google search. And so there are just so many potential bad guys out there that really you have to be prepared for everything and anything.
Steven Sacks 12:25
Well, 2020 was a really challenging year on multiple levels. You know, we had concerns about cyber attacks on our presidential election. And now we’re dealing with implementing the distribution of vaccines to the states. Are there any concerns about how cyber attacks may insinuate themselves into the supply chain of distribution of these vaccines to the states?
Jill Cagliostro 12:57
Thankfully, so far we haven’t seen too many cyberattacks related directly to the supply chain, or any that I’m aware of, although the risk is there. These vaccines are very temperamental. They have to be stored at a very precise temperature in order to retain their integrity. And so you could see advanced cyber attacks like we had with Stuxnet in Iran, where they had the centrifuges running too high, which caused them to burn out. An advanced piece of malware, in theory, could raise the temperature of the fridge and cause the vaccines to go bad. Fortunately, we haven’t seen anything like that yet. But the other component where cybercrime could come into the supply chain is through the marketplaces that they run. And these are marketplaces for goods that you’re not supposed to sell. Given the high sensitivity around the vaccine and how hard it is to get unless you are within certain groups, we could potentially see the vaccines being sold on the dark web on those marketplaces for illicit activities.
Steven Sacks 13:56
That’s a risk that I don’t think people are thinking about right now, the black market and the dark web. They just want to get it into the states and get it into the arms of the citizens. We’ve been talking, for the most part, about external threats to organizations. Let’s talk a little bit about internal threats. What types are there? What is their level of detection? What’s the potential damage that they can do to organizations?
Jill Cagliostro 14:29
Yeah, their potential damage is unimaginable, right? Your internal employees, depending on where they sit in your company, could have access to your trade secrets, to confidential information, to insider trading information, right? And so all of these different avenues of taking advantage of a company are what create what we call an insider threat, right? Someone who has access to your network and is permitted to, but may do malicious things anyway. And so one of the most common things we see is people taking data from their company and doing something nefarious with it. And there are a couple of different ways you can monitor and check for this, right? There are data-loss prevention tools, DLP tools, that can monitor files going in and out of your network. Your IT team can lock down your USB ports, which now can be a little annoying when trying to work from home. But the reason that they implement these controls is to prevent someone from putting all the secret sauce on a flash drive and walking out of there, right? Completely untrackable once it’s off the machine. And so those are some of the things you can check for. One of the other big leading security vectors that’s come about as a way to monitor for insider threats is user behavioral analytic tools, UBA. And what these do is they essentially baseline what’s normal for your user. You know, me, Jill Cagliostro, I log in every day from 8am to 6pm, East Coast time. And I don’t usually log in in the middle of the night, and I’m always logging in from the US on the East Coast. If I log in at three o’clock in the morning from Mexico, a UBA tool would trigger and say, hey, this is abnormal behavior. This may be either someone doing something malicious and trying to cover it, or maybe you do have a true malicious external threat in your environment. But UBA tools can be great ways to identify an insider threat, because they look for deviations from the norm.
And that’s how you find a true insider threat: when they start doing things that they wouldn’t traditionally do, or that a user like them would never do. So if they’re, you know, a CPA and all of a sudden they’re bumping around in human resource files that they’re not supposed to have access to, a UBA tool is something that would identify that kind of behavior and alert the security team for investigation.
Steven Sacks 16:45
Well, during the pandemic, a lot of CPA firms have shifted to remote working environments. So, I would imagine that that internal threat has been exacerbated exponentially. What are some of the things the IT heads of companies, professional service firms as well as other organizations, are starting to look at when they have a workforce that’s dispersed throughout the country?
Jill Cagliostro 17:12
Yeah, so part of how the IT team and security teams monitor for behaviors is that they track the activity on your work computer, right? And so connecting to the corporate VPN allows the IT and security teams to have visibility into what’s going on. So that’s one of the ways that IT professionals are protecting their employees: by requiring them to use the VPN when conducting their work, which can be a little slower, but it’s much more secure and safer for everyone involved. The other component of what we’re doing to keep everyone safe is continuing to monitor for those changes from the norm, although the new norm has to be set. We have to kind of retrain the UBA models, because the employees aren’t working in the same way as they were before. So those models can be retrained for work-from-home hours, or for work-from-home lifestyles, to identify what the new abnormal activities are.
Steven Sacks 18:07
So, as we close up, what types of service opportunities do you think CPA firms can avail themselves of in the cybersecurity area?
Jill Cagliostro 18:22
Yeah, so security can be a bit of a beast to take on. It takes a lot of expertise and time and money, and not everyone wants to dedicate those kinds of resources. Especially if you’re a smaller shop, it might not make sense. And so what you can explore are MSSP offerings, and these are managed security service providers. These are service providers that essentially allow you to outsource your security to them. They have a full staff of security professionals who have seen it all, who can analyze your logs for you and alert you if there’s an issue. And that would be the best, most secure way to handle it if you don’t have the resources to bring it in house.
Steven Sacks 19:01
And lastly, since we have been talking more about highbrow issues within the cybersecurity area, what are your thoughts about some of the basic concepts of managing passwords?
Jill Cagliostro 19:15
Yeah, so passwords are tricky. The best advice I can give you is to make it long. If you have to choose between complexity and length, choose length, because it’s much harder for a computer to crack a long password than a complex one. And so, you know, I like to use one of my favorite sentences. You can choose, you know, maybe a lyric from a song. But getting over 16 characters is really where you get that password security. And don’t store your passwords in Excel with a password on it. Use a password manager, or make it a sentence you can remember.
Steven Sacks 19:46
Or a Post-it note on your computer, on the top there. Supposing that nobody has access to your computer.
Jill Cagliostro 19:56
It is much more secure for you to keep it — yeah, your password on a Post-it on your computer than it is for you to keep it in an Excel file. The odds of a bad guy getting into your house and seeing that Post-it are pretty low, but a hacker is probably going to find that file on your machine.
Steven Sacks 20:10
Absolutely. Well, Jill, I appreciate you taking the time today to share your expertise in the area of cybersecurity concerns for the financial services industry. And we know it’s a growing area, and perhaps we’ll have to revisit this issue or other issues in the future. So I thank you for sharing your expertise today.