Security

09:15 AM
Becca Lipman
Becca Lipman
Commentary
Connect Directly
Facebook
Google+
Twitter
RSS
E-Mail
50%
50%

Former FBI Agent Talks Cyber Security With Deloitte

Vigilance can take security only so far. It's time to focus on resilience.

Your organization has been breached. Now what? According to Mary Galligan, retired FBI agent formerly in charge of cyber and special operations and director in Deloitte and Touche’s security and privacy practice, that question is rarely given due consideration.

Try as it might, it is economically unfeasible for a corporation to lock down everything in its system. And many of the things that businesses do in order simply to grow and innovate, including expanding third-party relationships, M&A, and hiring additional employees, will exasperate risks.

The traditional multi-faceted approach to data protection -- security, vigilance, resilience -- has been given a skewed budget, largely allocated to security. This has left resilience, or the ability to respond to increasingly inevitable attacks, rather underdeveloped.

Galligan says today's definition of "resilience" has evolved from simply how to recover systems to full-on crisis management. At the Cybersecurity in Financial Services event hosted by Deloitte and BITS, she explained that proper communications, legal consultations, and increasingly cyber insurance have become prominent elements of resilience.

"Companies need a cyber incident response plan with detailed processes for coordinating efforts among different front-line functions, such as the general counsel's office, public relations, and the office of the CIO," she said. In the event of a data breach, the first course of action should be to alert the general counsel's office to limit legal and investigative issues down the road.

Business continuity plans "should have a far-reaching scope," she said, "and it should include follow-on scenarios that could result from an attack."

Fear corruption, not destruction
"The financial sector is also increasingly concerned about, not just the destruction of infrastructure and data, but also the corruption of it, and how that might play out differently," says Ed Powers, national managing partner of cyber risk services at Deloitte. "In this scenario, the systems are intact but unreliable. It's a question of if we can we trust the integrity of financial institutions." This raises the question of what degree of corruption is permissible in an organization, and when it stops being negligible.

Economics are also at play here, Powers says. Being able to back up a system is relatively easy, but actually reverting to that backed-up system is difficult and comes with cost and reputation ramifications.

These are undeniably important resilience issues to address in advance of a threat or disruption. After all, in the moment of attack, having executives run around in a confused panic rarely does any good.

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Kelly22
50%
50%
Kelly22,
User Rank: Author
6/27/2014 | 12:34:55 PM
Rise of resilience
Galligan and Powers made some excellent points in that discussion. Financial services execs need to have the same approach to cybersecurity breaches as they would to a natural disaster. Today, cyberattacks can be expected, and companies can decrease the impact on their business and reputation with a strategic response plan. 
IvySchmerken
50%
50%
IvySchmerken,
User Rank: Author
6/27/2014 | 4:38:31 PM
Re: Rise of resilience
The term 'resilience' is interesting. I think companies are spending a lot on cybersecurity technology to prevent an attack and to handle one if it should penetrate their firewalls. But resiliency can also mean getting back online after an attack brings down a system.  If a financial system is compromised, the company wants to call up the back up system. What if hackers break into a customer database? Does the firm communicate with the public? We saw these questions raised in the Target breach. Having a cybersecurity response team to handle such an event would make a company stronger and more prepared to manage the aftermath of an incident.
Becca L
50%
50%
Becca L,
User Rank: Author
6/29/2014 | 12:58:38 AM
Re: Rise of resilience
Agreed, very interesting discussion. Firms have had decades to build defenses against the physical attacks (material theft, natural disasters), and yet floods still put a stop to business for weeks. Those events are as debilitating to workflow as cyber attacks.

Reputation-wise, natural disasters garner a lot more sympathy from investors and consumers than cyber attacks. A Hurricane Sandy or terrorist attack may be excusable, but nobody has patience when they hear their transactions are halted because of a hack. Businesses need to know how to react in a way that not only restores the businesses, but soothes the clients.
Becca L
50%
50%
Becca L,
User Rank: Author
6/29/2014 | 1:02:23 AM
Re: Rise of resilience
Ivy, Mary Galligan touched upon this point as well, it was very interesting to know a lot of companies still struggle with these first steps. The reality is still that when the news of an attack is broken internally, people panic. She mentioned the advice to first "alert the general counsel's office to limit legal and investigative issues down the road" is still new information for many firms that perhaps should know better.
Becca L
50%
50%
Becca L,
User Rank: Author
6/29/2014 | 1:10:41 AM
Remember the Back Ups
 
I've read some chilling reports about how many companies regularly back up their system, not to mention the percentage of companies that check to see if their backup is working. And even worse, many times companies who are successfully backing up their system have no idea/no experience in how to use it in a restore. Once all that is taken care of, Powers made an interesting point about the economic reality of restoring a system from a backup; Lost information, opportunity cost, repetitional damage, etc.   Geez, you just can't win!  Just another reason Galligan is absolutely right; more attention needs to be put towards "resilience." 
Kelly22
100%
0%
Kelly22,
User Rank: Author
6/30/2014 | 2:34:43 PM
Re: Remember the Back Ups
Good points, seems like many companies don't realize the shortcomings of their security strategies until it's too late and they're forced to allocate time and resources towards recovery. Backing up the system, and regularly testing it, takes a small fraction of the time that it would take to recover from a security breach. 
Greg MacSweeney
50%
50%
Greg MacSweeney,
User Rank: Author
6/30/2014 | 3:54:31 PM
Re: Remember the Back Ups
I've been burned a few times by not backing up my own laptop. But, Time Machine, really makes it easy. It reminds you every 10 days if you haven't backed up, and recovery is simple.


Obviously, on a larger scale for enterprise systems, backups are a much larger challenge, but it can be done...efficiently, reliably and easily.
IvySchmerken
50%
50%
IvySchmerken,
User Rank: Author
6/30/2014 | 4:18:27 PM
Re: Rise of resilience
Becca, It sounds like firms need to have a meeting with the general counsel's office to know that is their first call to make after a cyberattack incident. In the heat of the moment, it's not always easy to think calmly and strategically or as you say, people tend to panic. Without those internal legal protections, firms can fail to take certain steps which regulators or customers can question later on.
More Commentary
One Size Fits Nobody in End User Services
How building profiles from employees' roles and behaviors can help optimize your end user services.
'Enlightened' Non-IT Execs More Likely To Run Secure Organization
Do senior executives understand their role in data security? On the whole, unsurprisingly, no.
No Screwups, Please, We’re Banks
Changing a bank's culture is not going to happen overnight, but having the right tools and levers in house will surely make a big difference over time.
You’re Doing BYOD Wrong: These Numbers Prove It
Almost 40% of users who connect personal mobile devices to corporate networks have no lock-screen mechanism set in place.
Citibank Brazil Deploys Award-Winning BPM Solution: Now What?
Citibank Brazil automated commercial customer onboarding and reduced cycle time by 70%. But how can a global organization harness the successes of its islands of solutions?
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - Elite 8, October 2014
The in-depth profiles of this year's Elite 8 honorees focus on leadership, talent recruitment, big data, analytics, mobile, and more.
Video