Security

Becca Lipman
Commentary

Former FBI Agent Talks Cyber Security With Deloitte

Vigilance can take security only so far. It's time to focus on resilience.

Your organization has been breached. Now what? According to Mary Galligan, retired FBI agent formerly in charge of cyber and special operations and director in Deloitte and Touche’s security and privacy practice, that question is rarely given due consideration.

Try as it might, it is economically unfeasible for a corporation to lock down everything in its system. And many of the things that businesses do simply in order to grow and innovate, including expanding third-party relationships, M&A, and hiring additional employees, will exacerbate risk.

The traditional multi-faceted approach to data protection -- security, vigilance, resilience -- has been given a skewed budget, largely allocated to security. This has left resilience, or the ability to respond to increasingly inevitable attacks, rather underdeveloped.

Galligan says today's definition of "resilience" has evolved from simply how to recover systems to full-on crisis management. At the Cybersecurity in Financial Services event hosted by Deloitte and BITS, she explained that proper communications, legal consultations, and increasingly cyber insurance have become prominent elements of resilience.

"Companies need a cyber incident response plan with detailed processes for coordinating efforts among different front-line functions, such as the general counsel's office, public relations, and the office of the CIO," she said. In the event of a data breach, the first course of action should be to alert the general counsel's office to limit legal and investigative issues down the road.

Business continuity plans "should have a far-reaching scope," she said, "and it should include follow-on scenarios that could result from an attack."

Fear corruption, not destruction
"The financial sector is also increasingly concerned about not just the destruction of infrastructure and data, but also the corruption of it, and how that might play out differently," says Ed Powers, national managing partner of cyber risk services at Deloitte. "In this scenario, the systems are intact but unreliable. It's a question of whether we can trust the integrity of financial institutions." This raises the question of what degree of corruption is permissible in an organization, and when it stops being negligible.

Economics are also at play here, Powers says. Being able to back up a system is relatively easy, but actually reverting to that backed-up system is difficult and comes with cost and reputation ramifications.

These are undeniably important resilience issues to address in advance of a threat or disruption. After all, in the moment of attack, having executives run around in a confused panic rarely does any good.

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...

Comments
IvySchmerken
User Rank: Author
6/30/2014 | 4:18:27 PM
Re: Rise of resilience
Becca, It sounds like firms need to have a meeting with the general counsel's office to know that is their first call to make after a cyberattack incident. In the heat of the moment, it's not always easy to think calmly and strategically or as you say, people tend to panic. Without those internal legal protections, firms can fail to take certain steps which regulators or customers can question later on.
Greg MacSweeney
User Rank: Author
6/30/2014 | 3:54:31 PM
Re: Remember the Back Ups
I've been burned a few times by not backing up my own laptop. But Time Machine really makes it easy. It reminds you every 10 days if you haven't backed up, and recovery is simple.

Obviously, on a larger scale for enterprise systems, backups are a much larger challenge, but it can be done... efficiently, reliably and easily.
Kelly22
User Rank: Author
6/30/2014 | 2:34:43 PM
Re: Remember the Back Ups
Good points, seems like many companies don't realize the shortcomings of their security strategies until it's too late and they're forced to allocate time and resources towards recovery. Backing up the system, and regularly testing it, takes a small fraction of the time that it would take to recover from a security breach. 
Becca L
User Rank: Author
6/29/2014 | 1:10:41 AM
Remember the Back Ups
I've read some chilling reports about how many companies regularly back up their system, not to mention the percentage of companies that check to see if their backup is working. And even worse, many times companies who are successfully backing up their system have no idea/no experience in how to use it in a restore. Once all that is taken care of, Powers made an interesting point about the economic reality of restoring a system from a backup: lost information, opportunity cost, reputational damage, etc. Geez, you just can't win! Just another reason Galligan is absolutely right; more attention needs to be put towards "resilience."
Becca L
User Rank: Author
6/29/2014 | 1:02:23 AM
Re: Rise of resilience
Ivy, Mary Galligan touched upon this point as well, it was very interesting to know a lot of companies still struggle with these first steps. The reality is still that when the news of an attack is broken internally, people panic. She mentioned the advice to first "alert the general counsel's office to limit legal and investigative issues down the road" is still new information for many firms that perhaps should know better.
Becca L
User Rank: Author
6/29/2014 | 12:58:38 AM
Re: Rise of resilience
Agreed, very interesting discussion. Firms have had decades to build defenses against the physical attacks (material theft, natural disasters), and yet floods still put a stop to business for weeks. Those events are as debilitating to workflow as cyber attacks.

Reputation-wise, natural disasters garner a lot more sympathy from investors and consumers than cyber attacks. A Hurricane Sandy or terrorist attack may be excusable, but nobody has patience when they hear their transactions are halted because of a hack. Businesses need to know how to react in a way that not only restores the businesses, but soothes the clients.
IvySchmerken
User Rank: Author
6/27/2014 | 4:38:31 PM
Re: Rise of resilience
The term 'resilience' is interesting. I think companies are spending a lot on cybersecurity technology to prevent an attack and to handle one if it should penetrate their firewalls. But resiliency can also mean getting back online after an attack brings down a system. If a financial system is compromised, the company wants to call up the backup system. What if hackers break into a customer database? Does the firm communicate with the public? We saw these questions raised in the Target breach. Having a cybersecurity response team to handle such an event would make a company stronger and more prepared to manage the aftermath of an incident.
Kelly22
User Rank: Author
6/27/2014 | 12:34:55 PM
Rise of resilience
Galligan and Powers made some excellent points in that discussion. Financial services execs need to have the same approach to cybersecurity breaches as they would to a natural disaster. Today, cyberattacks can be expected, and companies can decrease the impact on their business and reputation with a strategic response plan. 