As you open Verizon's 2015 Data Breach report, you are greeted by a statistic: The estimated financial loss from 700 million compromised records is $400 million. A significant portion of that $400 million is lost because of human error - a misplaced (and unencrypted) USB drive, a lack of due diligence or outdated IT systems, to name a few examples.

From June 14-16, Wolf & Company will be at the Financial Managers Society's Finance and Accounting Forum for Financial Institutions, where we will present on the current regulatory expectations surrounding cybersecurity. The Verizon Data Breach report is indicative of what regulators will look for when they come to visit your organization, including many of the issues currently facing financial institutions.

With that in mind, we've compiled five points that we feel are the key takeaways of the report, especially as they relate to CFOs and CEOs of financial institutions.

Here is our list:

1. Third-party management

One of the biggest takeaways from the report is the importance of third-party management. The recent Target hack is a fantastic example of what not to do.

The Target breach happened in four broad steps:

  1. Target begins relationship with HVAC firm
  2. Target grants access to HVAC firm
  3. Hackers breach HVAC firm
  4. Hackers now have access to Target's customers' data

It is possible that with improved vendor management, Target would never have been exposed in this way. In addition, hackers typically have multiple motives for targeting (no pun intended) a company. And, they are willing to use more than one channel to accomplish their goals - such as going after a vendor to get to the real victim.

Third-party management is critical because a business without it is as vulnerable as any firm with no cybersecurity measures at all.

2. Information sharing

The second key takeaway from the Verizon report is a dearth of information sharing. While cyber-threat sharing has improved substantially over the years, it is still lagging behind where it needs to be. This is especially true when looking at information sharing between organizations.

For example, one person/business could spot a specific threat, but it will take a while for that finding to disseminate across a network/industry. This leaves room for the hacker to adapt and evolve - or simply attack - staying one step ahead of risk management.

At the moment, it's the bad guys who know how to communicate better than the good guys, and this will have to change - specifically, the ability to digest and distribute information. There is almost too much data at this time, and financial institutions have to be more adept at consuming, reporting and collecting information. The key is not just receiving data, but figuring out how to use it.

3. Phishing

The third takeaway is the constant prominence of phishing attacks. The concept of phishing may feel like a remnant of an older, less tech-savvy Internet era. However, phishing remains one of the most common routes for a hacker to gain access to your data.

The reason for this has to do with targeting. Phishing emails were once effective due to sheer volume - hackers would send out thousands of emails, all in the hopes that a tiny fraction would be opened. Now, they know exactly what they want. This means a shift from broad, massive phishing scams to targeted, focused ones. Hackers can build an email that looks real and only send it to the few select people who have access to what they want.

From a business perspective, the goal is to constantly test and improve security awareness programs. Then, you'll have more educated employees who are less likely to fall for a phishing attack.

4. Patch management

The fourth takeaway is patch management. One unfortunate (or fortunate, depending on your perspective) statistic is that 99.9 percent of all cyber attacks could be prevented with quality patch management.

Our recommendation is that you patch your systems at least once per month. Most hackers target vulnerabilities in the systems your business already runs. It is common knowledge that older, outdated systems are weaker. Even so, many firms don't have proactive patch management. Too many rely on an automated system, not because an automated system is inherently bad, but because the organization assumes that automation is synonymous with security.

While a well-crafted system will simplify the process, it is the people who make it safer. You can't set it and forget it; you have to constantly update and evolve the automated system to address current security risks.

Above all else, make sure your patch management is timely, frequent and well-monitored by your staff.
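As an added illustration of the "timely, frequent and well-monitored" point (this is not code from Wolf & Company or from the Verizon report), here is a small Python check over a constructed host inventory: it flags every host outside the monthly cadence recommended above and separates a silently failing automated job from the absence of any patch process, which is exactly the gap left by "set it and forget it". Hostnames, dates and the inventory format are assumptions made for the example.

```python
from datetime import date

# Constructed sample inventory (not real systems): hostname, date of the
# last successful patch run (ISO format, or None if never patched), and
# whether an automated patch job is configured for the host.
INVENTORY = [
    {"host": "core-banking-01",  "last_patched": "2015-05-20", "automated": True},
    {"host": "file-server-02",   "last_patched": "2015-03-02", "automated": True},
    {"host": "teller-ws-17",     "last_patched": "2015-06-01", "automated": False},
    {"host": "legacy-report-db", "last_patched": None,         "automated": False},
]

MAX_PATCH_AGE_DAYS = 30  # the article's "at least once per month"


def check_patch_status(inventory, today_iso, max_days=MAX_PATCH_AGE_DAYS):
    """Return (host, reason, age_in_days) for every host outside the cadence.

    A host with an automated job that has not completed inside the window is
    reported separately from a host with no process at all, because the fix
    differs: the first needs monitoring of the job, the second needs a process.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        last = item["last_patched"]
        if last is None:
            findings.append((item["host"], "never patched", None))
            continue
        age = (today - date.fromisoformat(last)).days
        if age > max_days:
            reason = ("automated job not completing" if item["automated"]
                      else "no patch process")
            findings.append((item["host"], reason, age))
    return findings


def report(inventory, today_iso):
    """Print a short review-ready summary; returns the number of findings."""
    findings = check_patch_status(inventory, today_iso)
    for host, reason, age in findings:
        age_text = "n/a" if age is None else f"{age} days"
        print(f"{host:<18} {reason:<30} last patch age: {age_text}")
    return len(findings)


if __name__ == "__main__":
    report(INVENTORY, "2015-06-14")
```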

5. Multi-factor authentication

The fifth takeaway is multi-factor authentication. The Verizon report outlined the importance of this level of security. And, it makes sense. Your systems are weaker with only one authentication method.

For example, a hacker could easily acquire sensitive data if they gain access to unencrypted web-based applications, such as a cloud platform. However, if access to the cloud is protected with multi-factor authentication, they'll have a much harder time breaking in.

This is the multi-factor approach - protect your systems with two of the following factors: something you know (a PIN or password), something you have (such as a token) and something you are (biometrics, like a fingerprint). This multi-pronged approach is more secure and is more effective risk management.

This is just an overview of the Verizon report and our key takeaways. If you'd like to learn more, contact Gerald R. Gagne, CPA, CISA, at 617-428-5455 or ggagne@wolfandco.com.