
Assessing Your Cyber Security Risks and Preparedness


Technological security is not only increasingly important today, but also undergoing a directional shift due to the prevalence and ingenuity of cyberattacks. The true statistics on these attacks are more alarming than the handful of high-profile corporate incidents in the news would suggest. The risks associated with IT security alone apply to and reverberate throughout an entire organization’s systems and operations.

For financial institutions, increasingly dependent on information technology and telecommunications to deliver services to consumers and businesses on a daily basis, every automated and confidential customer process, from loan applications to deposits to statements to ATMs and compliance reporting, is affected. Disruption, degradation or unauthorized alteration of information or systems that support these services not only adversely affects the institution, but also undermines confidence in the nation’s financial services sector.

Focusing on this, Mercadien recently hosted a presentation about a new cyber security development applicable to all organizations. It is micro-virtualization, a state-of-the-art security enhancement designed to allow all computer end-users to more securely access the internet, embrace mobile options, and adopt new applications, while better protecting the entire enterprise, its networks, clouds, desktops, technology infrastructure, mobile devices and endpoint applications. Such micro-virtualization technology is included in Microsoft’s newly-released Windows 10 operating program.

Why and how is cyber security technology changing and what’s the impact on your financial institution? Here’s a picture of the current landscape, according to Verizon’s 2015 Data Breach Investigations Report:

  • The majority of institutions in almost every business sector have been hacked. The manufacturing, public and professional/financial services sectors were the targets of 27%, 20% and 13% of the attacks, respectively.
  • Attacks are targeted. 70-90% of malware is unique; that is, created for a single organization. Flash-based ads are the leading source of malware today. Of the top 10 causes of infections or espionage, the top two are people opening an email attachment and clicking on links in emails. These accounted for over 75% of incidents.
  • The costs of physical property loss or business interruptions are considered low by some due to the existence today of numerous outlets from which information may be recovered. More devastating are financial losses from stolen intellectual property, trade secrets and public sector information, such as IRS taxpayer records.
  • Most computer security breaches could have been stopped if already-existing system protections, such as anti-virus software, were utilized. However, many IT providers and/or end users do not install or update them as they interfere with operating systems. Many employ the “fix it after it breaks” methodology. In addition, not all protection software works adequately against rapidly-evolving attacks. As a result, some industry sources believe that an estimated 47% of all end-point computer users have been compromised. If you are a bank with 1,000, 10,000 or 20,000 end-point computer users, your IT risks and remediation challenges compound at an incredible rate.

Fortunately, detection technology has experienced key innovations. It has moved from:

  • traditional hardware isolation, where the operating system (OS) protects by isolating corrupted files, to
  • desktop virtualization (i.e., sandboxing, where software isolates OS processes or applications), to
  • micro-virtualization, which currently is the only technology that can hardware-isolate all untrusted activity of an application at a granular level. The OS hardware-isolates critical system components, data and application tasks using CPU features for desktop virtualization. The OS distributes advanced threat analysis as a protective measure, so even if the system is compromised, key data files cannot be stolen. It enables real-time enterprise-wide protection that doesn’t interfere with the end-user experience. In a nutshell, micro-virtualization is technology that abstracts applications and sub-processes from hardware and runs them in isolated environments.

It’s critical to be informed about cyber security, which the National Institute of Standards and Technology defines as “the process of protecting information by preventing, detecting, and responding to attacks.” In June of 2013, the Federal Financial Institutions Examination Council (FFIEC) announced the creation of the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. In addition, the FFIEC began assessing and enhancing the state of the industry preparedness and identifying gaps in the regulators’ examination procedures and training that can be used to strengthen the oversight of cyber security readiness.

As part of technological security, institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from cyberattacks. For help assessing your financial institution’s cyber security risks and preparedness, contact me at szerilli@mercadien.com or 609-689-9700.