NEW YORK—The “inevitable march to the cloud” poses cybersecurity threats for banks and financial institutions that might not be able to adapt quickly enough during the transition, Jerry Archer, chief security officer at Sallie Mae Inc., said at a recent conference here.
“[Translating] our current security models and our current threat models into a cloud-based environment is extremely difficult,” Archer noted. But not being able to do so will “open doors to the guys who want to attack us,” he told attendees of the Sept. 25, 2013, Cyber Security Summit.
Archer said cloud providers are “obviously looking to leverage existing infrastructure” to make the transition; but, in many cases, adapting that infrastructure to financial services companies’ demands concerning security and regulation is difficult. Even so, the migration to cloud services is moving quickly.
“My concern consists of staying in front of that wave … so we have security models that could transition over to the cloud and have the same level of security,” explained Archer, a founder and board member of the Cloud Security Alliance, a nonprofit that recently completed a free, open standard that includes protocols to help organizations make sure cloud computing data are reliable and uncompromised.
The industry is confronting myriad cybersecurity challenges. Organizations and transactions are complex, he said. “Finding every vulnerability, and being able to close that hole in every single instance, is a very difficult problem.”
HR, too, faces challenges when it comes to cybersecurity, since there is a talent shortage in the field. An analysis in the first week of October 2012 revealed that more than 1,828 companies in Maryland had nearly 20,000 open cybersecurity jobs, according to the Cyber Security Jobs report, a January 2013 joint report from The Abell Foundation and CyberPoint International.
And HR professionals’ role in managing, or at least being aware of, their company’s cybersecurity helps protect their crucial business and customer information.
Common threats to business data include intruders hacking into a computer system or network, remotely installed malware, lost or stolen laptops or data-storage devices, insider threats, accidents and natural disasters.
Regulation ‘Basic Need’ but Not Best Practice
Panelists at the conference debated the effects of regulation on financial services’ security. Archer said that while he’s somewhat of a cynic about regulation, from a practical standpoint, it’s a necessity and “sort of builds the muscle for security.”
“Compliance and regulatory concerns are a basic need, but they don’t represent best practice,” he said. Companies should begin by addressing compliance and build a program from there.
His organization is audited about 60 times a year on some portion of its security program. Archer said more mature programs use tools to automate compliance, thereby significantly reducing compliance costs.
Panelist John Prisco, president and CEO of malware-detection company Triumfant, said information security should be “knit” into an organization’s fabric, but that doesn’t always happen. Chief security officers often report to chief information officers or someone else on a technical level and don’t always get the ear of key decision-makers, he noted. Some companies that have suffered breaches seem to forget about them six months later.
“At some point they have to take it seriously, they have to fund it properly, and there has to be enough governance on the part of the chief security officer’s organization to properly protect the company,” Prisco stressed.
Other Security Concerns
In addition to cloud computing, panelists addressed other challenges, such as:
* Accumulation of cyberweapons. Bounties are being paid for “zero-day attacks,” or novel attacks that exploit software or systems in a way that’s hard to detect and mitigate. Countries, nation-states and cybercriminals are accumulating cyber-weaponry and are prepared to use it in “a pointed way,” Archer said.
* Movement toward pervasive and peer-to-peer computing. This includes activities like one person’s iPhone “talking” to another person’s iPhone to carry out a transaction with a third party. “It will be difficult to figure out how to defend in these kinds of environments where you’re seeing this totally new paradigm in computing,” Archer said.
* Third-party vendors. Hudson Valley Bank relies heavily on vendors for data storage, processing and reporting, according to its chief information officer, Howard Bruck. Regulators say it’s the bank’s responsibility to ensure that data and transactions are secure.
“If [the vendors] can’t convince us to a very high degree that we’re obtaining the data protection as if we were doing it ourselves, that brings them down to an almost certain unacceptable level,” Bruck noted. Third-party auditing standards, such as the SAS 70 or SSAE 16, are helpful when choosing providers, he added.
Assume Data Will Be Breached
Prisco said it all boils down to “cyber-Darwinism”—meaning, the bad guys will go after companies that are vulnerable. Businesses, therefore, should assume that their data will be breached and that having all the perfect software won’t protect them.
“Assume that there is going to be a spear-phishing attempt and it is going to get through,” Prisco advised. “The idea is to detect it very quickly and to get rid of it very quickly. And I think that would be your most sound approach to defending yourselves.”
Pamela Babcock is a freelance writer based in the New York City area.