SEC’s 2nd Push on Cyber Security Focuses on Risk Assessment
The SEC’s Office of Compliance Inspections and Examinations issued a risk alert this week to give some guidance about the areas of focus the second round of their cyber security examination initiative will cover, namely risk assessment. Global Digital Forensics offers solutions that can help organizations cover their cyber security risk assessment bases and significantly improve their overall cyber security posture.
On Tuesday, September 15th, 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert as it ramps up the second phase of its examinations designed to bolster cyber security in the financial industry. The first phase kicked off in April 2014, when OCIE published its initial announcement of the program as part of its vision for improving cyber security for the securities and financial markets.
The main topics highlighted in the alert are:
- Governance and Risk Assessment
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
“It’s an agenda we’ve been talking about with our clients for years, but it is great that the SEC is formalizing it a bit more for the securities and financial markets, because they are certainly prime targets, not just for “typical” hackers, but also for deep-pocketed and sophisticated players like organized cybercrime rings and nation-state actors,” says Joe Caruso, founder and CEO/CTO of Global Digital Forensics (GDF), a premier national provider of cyber security solutions headquartered in New York City. “But the idea whistles true for every organization plugged into the digital world; every one of those areas needs to be considered, planned for, and implemented post haste.”
It’s not about sophistication, it’s about readiness and constant vigilance
“Most cyber attacks on large institutions, financial and otherwise, aren’t normally quick in-and-out scenarios; they are longer term, with initial access sometimes being gained months, or even years, in advance of the actual “job” being executed. All it takes is one successful phishing or spear phishing attack on someone on the network, some clever social engineering to con someone into giving up access information, or even a way to get infected physical media plugged into a network device, like leaving an infected USB stick in the lobby or the smoking area and counting on natural human curiosity to do the rest. Everybody has to be up to speed, from vendors to employees, but finding the weak links will take a comprehensive cyber threat assessment as the first step, which will not only significantly help identify areas to boost data security, but also go a long way toward satisfying examination requirements.”
One size does not fit all
“Every organization’s needs, based on their current strengths and weaknesses, are unique. So the first step is to have a competent and knowledgeable vendor like Global Digital Forensics perform a thorough cyber threat assessment,” says Caruso. “This will give the client a baseline to start with and aid in the decision-making process to take the most efficient and cost-effective steps to secure organizational cyber assets, from thorough network scans and penetration testing to social engineering testing and policy, training and procedural review. The most important thing to remember is that the cyber threat landscape is highly fluid and always evolving, so resting on yesterday’s laurels is certainly a dangerous and foolhardy approach to take. What may have been a relatively secure cyber environment yesterday could be turned on its ear, for instance, when employees start using their own non-secure devices, like smartphones and tablets, to increase work efficiency and connectivity. They may be great for boosting production and accessibility, but if they are not considered in the big cyber security picture going forward, they could be just the springboard a hacker needs to get into the network and stay in, just waiting for the right time to strike.”
So don’t wait to become a victim of data exfiltration, identity theft, embezzlement, denial of service attacks, cyber warfare, or any of the myriad potential threats lurking in the dark places of the cyber realm. Take a proactive approach with trained cyber security professionals who fight in the cyber trenches every day, know what’s going on, and know how the enemies operate. Pros like the seasoned vets at Global Digital Forensics can help banks and other financial institutions plug the holes before they make headlines for all the wrong reasons, not to mention help them satisfy the tightening regulatory requirements that will only keep getting stricter as time goes on.
*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.