
Tech Time: How to Build a Proactive Data Security Plan

By Scott Stephens


Make sure these six elements of cyber defense are in your arsenal.

When Canada’s largest credit union experienced a massive data breach in December 2018, the story quickly gained momentum. As the press reported on the incident, it emerged that the breach was larger than initially reported, affecting all 4.2 million customers. Although the credit union took decisive action, it faced months of fallout from press coverage and had to work overtime to regain consumer confidence.

The highly sensitive nature of financial information makes credit unions an attractive target for malicious actors, and vulnerabilities within a credit union’s operations can allow unintentional privacy violations as well as identity theft. To counter threats to your members’ data, you need more than cybersecurity policies. You need good cyber defense.

Many businesses look to regulations like the Gramm-Leach-Bliley Act and security requirements such as the Payment Card Industry Data Security Standard for guidance in safeguarding sensitive information. Compliance with these is essential, but it is a floor rather than a defense: businesses also need to actively prevent, detect and respond to security incidents. To mount an effective cyber defense, make sure these six elements are in your arsenal: threat intelligence and risk assessment, incident response, continuous monitoring, access control, security awareness training and communication.

Threat Intelligence and Risk Assessment

You can’t defend against threats to your IT systems unless you know your vulnerabilities. The Gramm-Leach-Bliley Act is a U.S. federal law that requires financial institutions to identify internal and external risks to the availability, confidentiality and integrity of customer information. The risk assessment must address employee training and management, your information systems and incident response. To stay current, you must perform a risk assessment at least once a year and whenever your organization has a significant change to its technology or operations.

In addition to regular risk assessments, have penetration testing performed bi-annually by a certified independent security consultant, run vulnerability scans at least quarterly and apply critical security patches at least monthly. Vulnerability scanning and penetration testing, both required for PCI DSS compliance, help you find problems in your IT systems before an attacker does. Threat intelligence resources such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) use intelligence platforms and peer-to-peer networks to notify members of known threats.

Incident Response

You cannot prevent every security incident, so you need a plan for containing and mitigating the ones that happen. A good incident response plan includes procedures for responding to a diverse array of security incidents, including data breaches. Your plan should also identify a chain of command and include contact information for incident response team members.

The incident response team should include stakeholders from critical business units, key IT and security personnel, and at least one sponsor from the executive leadership team. Make sure team members have a chance to work together before an incident occurs by testing your incident response plan at least annually. Tabletop exercises and other test activities give team members a chance to identify gaps in the incident response plan and develop a corrective action plan for closing them.

Continuous Monitoring

What you don’t know really can hurt you when it comes to data security. Your IT team should be logging every security-relevant event across your systems, from user log-on and application authentication attempts to server connections. Designate someone who knows your specific systems to configure proper logging, validate those configurations regularly, manage devices and connections, and respond in real time to notifications and events. It’s also vital to forward the logs to a central log server where someone can review them for out-of-the-ordinary activity. A central copy also survives an attacker wiping the logs on a compromised host, provided the central server cannot be written to or altered from that host, and provided every source keeps a synchronized clock so events from different systems can be correlated.
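As an added example that is not part of the article: the review step above, run over a handful of constructed authentication events forwarded from two hosts to one place. The line format (ISO timestamp, host, service, OK/FAIL, user, source IP) and the per-user baseline of known source addresses are assumptions made for this example, not a real product's format. Two plain rules are applied: a burst of failures from one source followed by a success, and a successful login from an address never before seen for that user. Unparsed lines are counted rather than dropped silently, because a jump in that count is itself a sign that a log source has changed or broken.

```python
"""Review consolidated authentication logs for out-of-the-ordinary activity.

Added example; the log format and baseline below are assumptions, not an
existing system's output."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real data), as they would sit on the central
# log server after being forwarded from a VPN gateway and a database host.
SAMPLE_LOGS = """\
2024-03-04T08:58:12 vpn-gw1 auth OK user=alee src=198.51.100.8
2024-03-04T09:01:03 vpn-gw1 auth FAIL user=jsmith src=203.0.113.45
2024-03-04T09:01:09 vpn-gw1 auth FAIL user=jsmith src=203.0.113.45
2024-03-04T09:01:14 vpn-gw1 auth FAIL user=jsmith src=203.0.113.45
2024-03-04T09:01:20 vpn-gw1 auth FAIL user=jsmith src=203.0.113.45
2024-03-04T09:01:27 vpn-gw1 auth FAIL user=jsmith src=203.0.113.45
2024-03-04T09:02:41 vpn-gw1 auth OK user=jsmith src=203.0.113.45
2024-03-04T09:15:55 core-db1 sshd FAIL user=root src=10.0.5.21
2024-03-04T09:40:02 core-db1 sshd OK user=dbadmin src=10.0.5.21
this line is not in the expected format and must be counted, not lost
"""

# Assumed line format: "<ISO time> <host> <service> <OK|FAIL> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<svc>\S+) "
    r"(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed baseline: source addresses each user was seen from in an
# earlier, already-reviewed period.
BASELINE = {
    "alee": {"198.51.100.8"},
    "jsmith": {"198.51.100.12"},
    "dbadmin": {"10.0.5.21"},
}


def parse_logs(text):
    """Return (events sorted by time, count of lines that did not parse)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    # Forwarded logs from several hosts can arrive out of order; correlation
    # across hosts only works because they share a synchronized clock.
    events.sort(key=lambda e: e["ts"])
    return events, unparsed


def detect_failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one source IP accumulates `threshold` failures inside
    `window` and then authenticates successfully."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ev in events:
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "failures_then_success", "ts": ev["ts"],
                           "host": ev["host"], "user": ev["user"],
                           "src": ev["src"], "failures": len(q)})
            q.clear()
    return alerts


def detect_new_source(events, baseline):
    """Alert on a successful login from an address not in the user's baseline."""
    return [{"rule": "new_source", "ts": ev["ts"], "host": ev["host"],
             "user": ev["user"], "src": ev["src"]}
            for ev in events
            if ev["result"] == "OK" and ev["src"] not in baseline.get(ev["user"], set())]


def review(text=SAMPLE_LOGS, baseline=BASELINE):
    """Run both rules over the consolidated log; return (alerts, unparsed count)."""
    events, unparsed = parse_logs(text)
    alerts = detect_failures_then_success(events) + detect_new_source(events, baseline)
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = review()
    for a in found:
        print(a)
    print(f"{bad} unparsed line(s)")
```

On the sample data the script raises two alerts, both for jsmith: five failures from 203.0.113.45 followed by a success, and that success coming from an address outside jsmith's baseline. Neither rule would fire if the VPN gateway's log were only reviewed on the gateway itself, because the baseline and the cross-host view exist only on the central server.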

Access Control

When you’re dealing with sensitive information, you want to make sure the right people have access to data when they need it—and that the wrong people don’t. Classify data in order of sensitivity, restrict data access to the minimum necessary to perform critical functions and train staff on security policies and procedures. Review these policies every year and update as necessary. Implement technical safeguards like multi-factor and biometric authentication, and monitor physical access to sensitive areas using CCTV and other available resources.

Security Awareness Training

Effective cyber defense isn’t restricted to a few designated IT and security personnel. Even staff who aren’t directly responsible for security oversight should receive training on password management, social engineering scams and clear-desk policies.

Personnel directly responsible for maintaining your IT systems should receive additional specialized training. Investing in an intrusion detection system that also watches for internal threats, or in a unified threat management device, is a good start, but these tools won’t do much good unless your IT staff knows how to properly configure and monitor them.

While online training modules cover the basics of security awareness, you don’t want to rely on recycled annual training sessions to keep employees informed. Your training program should address recent security issues and include a phishing simulation to give your team hands-on experience recognizing and reporting an attack.

Communication Plan

Distributing contact information to your incident response team is just one element of a good communication plan. Make sure you have contact information for applicable regulatory bodies and law enforcement, your cyber-insurance carrier and internal business units. Train your staff on how to report security incidents and to whom. Having prepared internal and external communications that can be customized for each incident is another way to ensure that your entire staff is ready to respond when an incident does occur.

Many businesses don’t realize the value of robust cyber defense until something goes wrong. By the time a data breach is discovered and contained, it may be too late to recover from lost member confidence. Compared to the damage of a high-profile data breach, cyber defense is a sound investment that will reap dividends for your business and your customers.

Scott Stephens is president of DATAMATX, Atlanta, Georgia, one of the nation’s largest privately held, full-service providers of printed and electronic billing solutions. As an advocate for business mailers across the country, Stephens is actively involved in several postal trade associations, including the National Postal Policy Council and the Major Mailers Association.
