Here is an article that is useful for readers both professionally and personally and is fitting for Cybersecurity Awareness Month. The best way to prevent cybercrime is by improving knowledge and awareness, and that can be done right now. Cybersecurity awareness will help at home, where hands-on experience can be gained by applying cybersecurity principles to protect family—including children and seniors.
These improved skills can be applied in the workplace. Understanding cybersecurity threats helps in spotting them, turning one into a valuable sensor for the organization, not simply a vulnerability to be exploited. Malicious emails, social engineering and sophisticated cybercrime fraud attempts are now the norm. Organizations are grappling with how to improve their overall information security posture, and should realize this starts with knowledge and awareness at all levels. From the new hire to the CEO, trained and aware employees help protect the organization. Individuals should respond to threats appropriately, policies and procedures should be written wisely, and management should allocate sufficient resources to security. In sum, cybersecurity is now a responsibility for everyone, not just for experts or the information security department.
The financial sector faces cybercrime risks, which affect:
- The institution itself, including funds and data,
- The institution’s customers,
- The institution’s potential use as a tool by cybercriminals to transmit and store funds.
This is not simply an Eeyore’s view of the criminal threats—it is reality. The cybercrime and identity theft economy is global and adaptable, with thousands of criminals running lucrative schemes and inventing new scams to make money through theft. Aside from theft, there are other risks to the safety and privacy of individuals and their families, and if all of this is not enough, there are increased legal and regulatory requirements. Fortunately, improving knowledge and skills empowers and protects individuals.
Cybersecurity, Information Security and CIA
Cybersecurity is no longer a buzzword—it has been written into regulations and frameworks. Realize that cybersecurity focuses on internet-based threats that attack digital data and is part of the broader discipline of “information security,” which also includes physical security, environmental controls, business continuity, disaster recovery and data governance. There is no need to spend hours debating the difference between “cybersecurity” and “information security”; simply address them comprehensively. Information security contemplates disasters such as floods, earthquakes, fires or even terrorist attacks. Such planning is not only required by regulation but is what can enable an organization to survive such events.
Consider three basic principles of information security, known by the initialism CIA:
- Confidentiality: Keep information and systems secure from unauthorized access (including “hacking”). Keep data safe, keep email accounts from being compromised.
- Integrity: Keep data from being tampered with. Keep a criminal from sending emails from a compromised account, as if they were impersonating the owner. Stop a criminal from manipulating account balances or trading data.
- Availability: Ensure data and systems remain accessible. Ransomware, hurricanes and other disasters could affect the ability to continue business operations.
There are a number of reputable information security frameworks to guide large organizations, including the NIST Cybersecurity Framework and the Critical Security Controls from the Center for Internet Security. For those getting started at home, consider the following simplified framework from the book, Cybersecurity for the Home and Office, The Lawyer’s Guide to Taking Charge of Your Information Security,1 which sets forth four pillars of cybersecurity.
- Knowledge and awareness
- Networks (and internet)
Each will be addressed in turn.2
Knowledge and Awareness
Knowledge and experience are what develop “common sense.” Watch for malicious emails, realizing that they can compromise computers and an organization’s information systems. Have a healthy respect for the creativity and resources of cybercriminals, and their capacity for social engineering trickery. As controls are implemented to reduce one type of fraud, criminals adapt, improvise and experiment.
Ensure that any bank wiring instructions—and changes to the instructions—are verified with a “call-back” to the customer or vendor. Customers of an institution probably have no training with respect to fraud or money laundering, so use this call-back conversation to educate the customer about wire fraud schemes known as “business email compromise” or “CEO fraud.” These scams account for the theft of billions of dollars, devastate the victims and damage the client relationship. After confirming the customer’s identity and the authenticity of the client’s instruction, ask the client the following question:
“Did you speak with the person who sent you the wiring instructions?”
If the client has not had a verbal conversation with the person who sent them the bank wiring instructions, ask them to do so and explain why. In addition, remember that this call-back is an opportunity to improve the personal relationship with the client.
What computing devices are being used?3 Protect each device with a password, keep devices malware-free and patched, disable or uninstall software or features that are not needed, and check security and privacy settings. Think about physical security—do not lose a phone or laptop, and control access to the office and server room. When devices are no longer needed, decommission them securely to remove stored data and access to cloud accounts.
Know what data is accumulated, where it is stored, and when it should be purged. Make sure data is backed up periodically to a secure location and is recoverable in the event of ransomware attack, fire or flood. Evaluate if data should be encrypted—such as sensitive data that leaves the office.
Keep control of email accounts and other important cloud accounts with strong passwords and two-factor authentication—also known as two-step login.
Networks and Internet
Network routers should be kept updated and require unique usernames and passwords to access the administrator portal—not the default passwords that cybercriminals know and will use. Avoid connecting to public or untrusted Wi-Fi networks, and consider that data transmitted through the internet is visible to computers in the current network and along the way—unless the data is encrypted.
From Home to Enterprise
At home, one is the chief security officer, trying to protect information systems, home and family. In the workplace, things are more complicated—but all of the learned and practiced concepts will benefit readers and their organizations.
A financial institution’s written policies need to comply with laws and regulations pertaining to information security, privacy, and the reporting of incidents and suspicious activity. Of course, conduct must conform to policy. Cyber-enabled crime needs to be reported to the Financial Crimes Enforcement Network through suspicious activity reports,4 and institutions must comply with the privacy and information security requirements of the Gramm-Leach-Bliley Act.5 If an institution is regulated by the New York State Department of Financial Services, it needs to comply with the department’s Rule 500,6 which includes having a comprehensive written information security program and reporting cybercrimes to the state. Further, states have their own laws with respect to data breach notification, information security and privacy. Remember the spirit of these regulations and the harms they seek to avoid, and reduce high-priority risks while considering efficiency and business needs.
Whatever the current knowledge and security posture is at home and work, resolve to continually improve them. This is good for compliance, business—and most importantly for family.
1. John Bandler, Cybersecurity for the Home and Office, The Lawyer’s Guide to Taking Charge of Your Information Security, 2017.
2. Resources paralleling the book are available online at https://cybersecurityhomeandoffice.com, including forms you can use at home or in the small office while reviewing and improving security for your devices, data and networks. These forms are available at https://cybersecurityhomeandoffice.com/book/forms
3. For organizations, a device inventory is the first step towards implementing the critical security controls. For your home or small office, forms for this and the next steps are available at https://cybersecurityhomeandoffice.com/book/forms
4. “Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime,” Financial Crimes Enforcement Network, October 25, 2016, https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber Threats Advisory - FINAL 508_2.pdf
5. Gramm-Leach-Bliley Act (GLBA) is also known as the Financial Services Modernization Act of 1999. General information on GLBA and the Privacy Rule and Safeguards Rule within it is available at the Federal Trade Commission (FTC) website. FTC, Gramm-Leach-Bliley Act, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act. Your regulator will have more detailed information.
6. Rule 500 is titled “Cybersecurity Requirements for Financial Services Companies,” cited as 23 NYCRR 500, and is available at https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf. Frequently asked questions are available at https://www.dfs.ny.gov/industry_guidance/cyber_faqs.