Everbridge Software: "poor communications are your biggest security threat"
Vincent Geffray is Senior Director of Product Marketing with a focus on IT service alerting, IT team collaboration and process orchestration at Everbridge. He has over fifteen years of experience in the IT operations and service management space, with expertise in critical communications, IT service alerting, application performance management, IT process, runbook, and workload automation. Here he shares his advice on managing cybersecurity.
When it comes to cybersecurity, way more focus is given to prevention than management.
Of course, it goes without saying that the security of critical systems and data is the primary concern for any Chief Information Security Officer and InfoSec team. So, everything from firewalls to intrusion detection systems to end-point security and IT monitoring continuously and effectively will be in play.
Yet, the inconvenient truth is that organisations are playing defence while hackers are playing offence. To win, the hackers only need to get an attack right once. To win, you need to get your defences right every time. Unfortunately, technologies like automated botnets that can launch thousands of attacks a second – not to mention users who click on malware-filled or phishing emails – mean that the odds of an attack getting through at some point are against you.
The biggest challenge faced by today’s organisations is the lack of effective internal and external communication before, during and after an attack.
Let’s take a closer look.
Before an Attack
Remember, if your employees are not fully trained on security awareness, then all the technology in the world will not protect your business from an attack. They are your first line of defence. Make sure that your security team is trained periodically. It is also recommended that the best practices around spear phishing (the use of fraudulent emails aimed at specific users to launch an attack) so that your people know how to recognise suspicious emails, links and attachments which can harm your systems.
A trusting work environment coupled with busy people can easily lead to poor split-second decisions around opening emails and exposing your most critical systems to attack, regardless of the sophistication of security technology you’ve deployed. 91 percent of cyberattacks start with a spear phishing email, according to research from TechWorld. So, proactive and sustained education around security risks is critical. Hackers are constantly refining their “phishing” techniques to trick users and you need to not only alert them to the latest threat but remind them to keep security top-of-mind on top of all their other work.
Protecting users from making such damaging mistakes is a big win. So, make sure the C-suite understands the business risks and the significance of developing a proactive strategy. CISOs should also lobby for them to back education programs – financially and personally, by setting the best example of safe computing themselves.
During an Attack
During an attack, a lack of communications can really hurt. A breach of security is also a breach of trust, and it’s a vital component in customer and partner relations. Every headline about privacy and data breaches, any failure to protect your systems and data will damage your organisation and brand.
The difference between a breach being a minor bump or a major impact to your organisation and its market value, is communication.
Think for a moment, about the impact of proactive and prescriptive notifications for example, to all employees drastically increasing the damage from an attack by compromising even more IT equipment as employees link their laptops to the company network.
Alternate communications platforms, out of band, from the company’s infrastructure, for use during an attack may need to be established, especially if the regular telecommunication network and email systems are compromised, just like in the Sony Pictures hack. While quick and targeted communication with the relevant IT experts will be key, don’t forget you may also need frequent updates with management, legal, marketing, key stakeholders and partners to comply with regulations governing data privacy and security reporting.
After the Attack
History dictates that those organisations that handled communications well after a breach suffered only small fluctuations in stock price and customer confidence. Those that couldn’t get the message out, or bungled the message, suffered far greater and longer-lasting damage. Don’t leave this to chance in a crisis.
A sound post-attack communication plan must describe what happened as honestly and completely as possible. It will explain correction steps taken for all affected parties, and (as soon as possible) what is planned to prevent a recurrence. This is difficult to do in the middle of a crisis, so have a response plan in place. Also have a tested communication system to alert all stakeholders.
- Knowledge is power when it comes to protecting against cyber attack says DynaRisk
- Shieldpay: Putting the security of real-time payments under the spotlight
- Tectrade: Forget cyber-attacks, simple IT outages could be your downfall
- Read the latest issue of FinTech Magazine
All Hands, on Deck
A culture of security will help to prevent breaches. It requires input and engagement from IT, HR, marketing, facilities, and anyone else regularly involved in managing your systems. In the event of a breach, you need to be sure all these players (and more) are clearly identified along with their skills, location and availability and are ready to perform critical functions. They shouldn’t be just names on a contact sheet.
While you can’t control how hackers will try to defeat your technology and deceive your users, you can swing the odds in your favour with fast, effective, coordinated communications before and after the event, to limit the damage and return to a normal state of operations faster.
Reimagining operational risk management for business value
The events of 2020 and 2021 have fundamentally changed how we do business, upending every industry, including investment banking. Once bustling trading floors went silent as the switch to work from home led traders to disperse locations – and gave rise to new operational risk challenges.
Today’s dynamic regulatory landscape coupled with ongoing technological innovations have made legacy approaches to operational risk management ill-suited to tackle current challenges and complexity. And while many financial institutions have turned to digital automation and transformation projects to adapt traditional ‘revenue generating’ functions to meet their challenges and help drive growth, they must now do the same with their Operational Risk Management (ORM) functions - or risk being left out in the cold.
The Basel Committee defines operational risk as the “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” Unfortunately, many financial institutions still view ORM as a regulatory and compliance necessity rather than a business function that delivers real value. That means executives and risk management departments must now change their risk approach to ensure they are dynamic and flexible, can guide their organizations through complex situations, and can readily meet the evolving expectations of regulators and their clients.
Operational Risk Management is still a young field compared to other risk sectors in the financial markets, but it has always been viewed under a broad umbrella that encompasses risks and uncertainties difficult to quantify and manage in traditional manners. ORM has also been the convergence point where corporate governance issues overlap with revenue-generating business activities, causing potential confusion between departments.
Investment banks have too often placed undue emphasis on creating governance frameworks designed to ensure they meet Basel Committee on Banking Supervision (BCBS) standards instead of recognizing that a sophisticated ORM function can bring quantifiable value. Their desire to merely meet BCBS standards and avoid historic risks has in effect led to an outdated, analogue approach in an increasingly digital world. Savvy investment banks have grasped the value potential of ORM and begun to drive a shift in awareness about the importance of a comprehensive risk identification, measurement, and mitigation program.
Embracing a data-driven approach
Market players now recognize that adopting a digital strategy will allow them to deploy diverse and agile risk management mechanisms. It will also empower them to develop a strong and dynamic understanding of risks while adding real value to the business. This value goes beyond meeting regulatory and compliance mandates introduced as part of the Standardized Measurement Approach developed under Basel 3. A robust approach to risk allows the ORM functions to provide actionable intelligence to support business decision-making and assume a more commercial role that supports the various business units’ day-to-day activities. And that requires an intelligent, data-driven approach with a mandate to match, one that is championed at all levels of the organization.
This type of aggressive approach and embrace of digital transformation can also strengthen how ORM functions handle ambiguous and/or improbable events, especially as traditional methods of risk analysis prove unable to manage the ever-increasing volume of data. In 2010, the total amount of data created, captured, copied and consumed equaled about two zettabytes, compared to 2018 when volumes reached about 33 zettabytes. This 26% compounded annual growth rate means that if the rate of growth steadily continues by 2024, we can expect 149 zettabytes of data created per annum.
Available data levels will make it difficult for analogue ORM functions to successfully meet the executive expectations, however organizations that adopt a data-driven approach will find increased data volumes provide them the insights to gain a competitive advantage and ability to proactively manage their risk.
Leveraging AI and advanced analytics for high impact
Cognitive computing technologies like artificial intelligence (AI), data mining and natural language processing (NLP) can supplement a data-driven approach and help financial institutions confidently automate decisions, optimize processes and provide a deeper insight into available data. These cognitive computing technologies can help reduce or eliminate time-intensive and repetitive tasks, often related to data collection, handling and analysis which are better suited to automation. That in turn can free up critical employees to deploy their experience, knowledge of policies, and powers of assessment to support ORM functions and achieve their goals and focus on high-impact, high-value deliverables.
Cognitive computing can teach computers to recognise and identify risk, which is especially useful to handle and evaluate unstructured data – the kind of data that doesn’t fit neatly into structured rows and columns on a spreadsheet. Natural language processing (NLP) can analyze text to derive insights and sentiments from unstructured data, which a 2015 study by the International Data Group estimates accounts for 90% of all data generated daily. When combined with the estimated future data volumes, cognitive computing functionality presents an immense opportunity for ORM functions to add additional business value in ways previously impossible. A detection model built on cognitive analytics can manage risk on a near real-time basis and can also unlock organizations’ historic datasets that have been compiled for internal, regulatory, or compliance purposes. These datasets often contain free text descriptions that contain a potential wealth of untapped, institution-specific information and could provide valuable insight into historic operational risk losses, providing data to augment employee’s qualitative experiences.
Teaching an old dog new tricks
There are certainly challenges to launching digital transformation projects, implementing new data-driven approaches, and introducing cognitive computing technologies, including employee uncertainty and ethical considerations. That means financial institutions must preemptively address and prepare for potential challenges before they adopt a technology-enabled approach to Operational Risk Management. They must also secure employee buy-in to ensure stakeholders use these new technologies to their full potential and to assuage any concerns that technology diminishes employees’ important role in the organization.
It’s critical that investment banks now shift their Operational Risk Management functions and focus on becoming more adaptive and agile in an increasingly volatile, complex, and uncertain world. Over 66% of banking executives report that adopting new technologies like AI and NLP will be a key driver in IBs development through to 2025. Yet for many investment banks, their ORM functions do not leverage the powerful new tools available to them – including increased computing power, digitization, advanced analytics, and data visualization techniques – much less harness the power of cognitive computing technologies. Until ORM functions leverage these tools, executive leadership cannot allocate resources and solidify ORM’s role in business strategy, performance, and decision-making processes.
Old habits die hard, but it’s time for ORM functions to keep pace with these new technologies, methodologies, and approaches to position themselves and their organizations for success in today’s ever-changing world. If they do not adapt, there is a real risk they may stifle the wider organization, impede new opportunities and inhibit paths to valuable business growth.