Okay, so you may have noticed that I’m writing up my notes from Sibos 2016. Given the SWIFT-related hacks, cybersecurity was obviously hot, and there were plenty of sessions covering the topic. I know that this is a couple of weeks late, but I think the following cybersecurity list is really useful and simple to digest for the regular reader. Here goes…
- Cybersecurity is all about understanding 3 key areas: People, Process and Technology
- Perpetrators of cyber attacks have various motivations: financial gain, personal disagreement, ideological (political, religious), nation state, revenge, the buzz, blackmail, debt…
- Common forms of cyber attacks include: data breaches, phishing, business email compromise, ransomware
- Physically act out all of the possible cybersecurity threats that might occur at your organisation and see how your teams react. Based on the exercise build procedures around how to react in a real life cyber-attack situation
- Malware is malicious software – it’s a big deal! You click a link and BANG, the malware infects your machine, in many cases without you even knowing
- Malware can be used by the attacker for a variety of purposes – from recording keystrokes on a keyboard to physically recording and watching you at your workstation
- When it comes to cybersecurity you need a corporation wide strategy and visibility, not a siloed approach
- You need to understand normal, so that you can detect and respond to the abnormal
- You need to respect privacy laws and ensure that you treat people in your organisation with respect
- There is software available that can see you’re in the UK office (by your user-id), and raise a red flag if you’re also showing up in another location
- Two factor authentication helps to drastically reduce the cyber crime threat
- Cyber crime is a professional operation, with online marketplaces where you can buy/sell stolen data
- Cyber criminals collaborate to such an extent that they fix each others software bugs!!
- Cyber crime awareness should NOT be an annual exercise; you need continuous cyber crime education
- Regularly spear-phish your employees, and educate the ones that fail
- Cyber-crime is an evolving and ever-changing threat; you need to constantly fine-tune your whole security environment
- Create layers of security at your organisation, so that in the event of a breach the attacker(s) are continually facing one barrier after another – and therefore being slowed down
- Create events or notifications so that you proactively know when one fence/layer has been breached
- Hackers are often able to breach networks by exploiting weak passwords
- In many cases hackers sit inside target environments (for up to 2 years!) just watching what’s happening, collecting data and getting ready to pounce
- You need to understand the risk points across your organisation. What are your crown jewels, and are they adequately protected?
- How you react to a cyber-security threat – both your response and how quickly you deliver it – is critical, so plan for it
- LinkedIn is increasingly being used by hackers to build up an understanding of organisational structures (particularly finance-related departments): who works where, what they do, who reports to whom…
- Facebook is then used to understand more about specific individuals – what they like, dislike, where and when they go on holidays, business trips
- Your workforce needs to be ready to question, and say NO to your leadership team – including the CEO
- Your employees need to understand the importance of controls, and sticking to them even if they are under pressure from senior leadership folks
- Your third party vendors need to be vetted – for example, see how your third party support teams react when someone pretends to be the CFO (as part of a pre-agreed exercise with the CFO, of course – hehe), demands something like a password reset, and starts getting angry at the support desk analyst when they refuse and ask for verification details
- Industries need to collaborate and share information about any attacks – often hackers will attack bank A, and then immediately attack bank B – you can help each other out by looking out for early signs, similarities in approach
- SWIFT have launched a Customer Security Programme
- Recurring simple cybersecurity themes that you need to be mindful of:
  - Governance – does your leadership team recognise the importance of cybersecurity, and the risk of not doing anything about it?
  - Culture – does your team have a culture of sharing passwords, and do they understand the importance of a strong password?
  - Awareness – do you know about spear phishing, and how to spot a suspicious email?
  - Data – could somebody tailgate into your company building and steal confidential reports from the printer, or passwords written down at some PC workstations?
  - Legacy – are your legacy systems adequately protected?
- Cybersecurity is everyone’s responsibility
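The "understand normal to detect the abnormal" point and the "same user-id showing up in the UK office and another location" point above are really one detection rule. As an added example (not code from the post or from any vendor mentioned at Sibos), here is a small Python check over constructed login records: it groups logins by user and raises an alert when the same user-id appears from two different locations closer together in time than a travel window. The log format, the user names, the locations and the 8-hour window are all assumptions made for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample login log: "<UTC timestamp> <user-id> <office location>".
# These are made-up records for illustration only, not data from any real system.
SAMPLE_LOG = """\
2016-10-03T08:55:12Z alice UK-London
2016-10-03T09:02:41Z bob UK-London
2016-10-03T09:10:05Z alice SG-Singapore
2016-10-03T11:30:00Z carol US-NewYork
2016-10-03T17:45:22Z bob DE-Frankfurt
2016-10-04T08:50:00Z carol US-NewYork
"""


@dataclass(frozen=True)
class Login:
    when: datetime
    user: str
    location: str


def parse_log(text):
    """Parse 'timestamp user location' lines into Login records, oldest first.

    Blank or malformed lines are skipped rather than crashing the detector,
    so one odd line in a real log does not silence every alert after it.
    """
    logins = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        timestamp, user, location = parts
        when = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
        logins.append(Login(when, user, location))
    return sorted(logins, key=lambda login: login.when)


def find_location_conflicts(logins, window=timedelta(hours=8)):
    """Return (user, earlier_login, later_login) for every pair of logins by the
    same user from different locations that are less than `window` apart.

    The window is the crude "normal" baseline here (assumed 8 hours): a person
    could plausibly appear in two offices a working day apart, but not minutes
    apart. A production system would derive the baseline from distance and
    each user's historical pattern instead of a single constant.
    """
    by_user = defaultdict(list)
    for login in logins:
        by_user[login.user].append(login)

    alerts = []
    for user, events in by_user.items():  # events are already time-ordered
        for i, later in enumerate(events):
            for earlier in events[:i]:
                different_place = earlier.location != later.location
                too_close = later.when - earlier.when < window
                if different_place and too_close:
                    alerts.append((user, earlier, later))
    return alerts


def main():
    # Feed the constructed log through the detector and print one line per alert.
    for user, earlier, later in find_location_conflicts(parse_log(SAMPLE_LOG)):
        gap = later.when - earlier.when
        print(f"ALERT {user}: {earlier.location} at {earlier.when:%H:%M} "
              f"then {later.location} at {later.when:%H:%M} ({gap} apart)")


if __name__ == "__main__":
    main()
```

Run as-is it flags only alice (London at 08:55, Singapore fifteen minutes later); bob's London-to-Frankfurt move is over eight hours apart and carol never changes office, so neither is reported. That is the whole point of the baseline: the rule only fires on what is abnormal for the window you have defined, and tuning that window (or replacing it with per-user history) is what turns a noisy red flag into one worth acting on.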
The post 31 Really Simple Kick-Ass Things I Learnt About Cybersecurity appeared first on SEPA for Corporates.