Top Ten Cyber Security Trends for Financial Services in 2012

Booz Allen Hamilton recently produced an interesting research paper looking at the cyber threats faced by financial services. As an organisation focusing on vertical segments that have the fastest infrastructure and the most to lose if and when it all goes wrong, we are, unsurprisingly, very interested in banks.

The report suggests that 2012 is likely to be a ‘pivotal year’ for banks and investment firms as they try to stay ahead of the IT security curve. At the heart of the report is a recurrence of the idea that companies need to work on the assumption that they are already infected and learn to live with it. This concept isn’t new, but it certainly seems to be gathering a following. Exactly what this means and exactly how organisations are supposed to learn to live with it is a little unclear and will no doubt be the subject of much discussion during 2012. From our perspective, it highlights the need to monitor what’s leaving your network as accurately and as diligently as what’s trying to get into it and to put appropriate network recording capabilities in place.

Of the 10 threats listed below, most are reasonably well understood. The one that stands out is the last, point 10 (increased scrutiny from the regulator). It’s clear from recent, very public incidents during 2011 that organisations haven’t been as transparent as they perhaps should have been – possibly because they don’t have good answers to some very basic questions. Whatever the reason, the fact remains that people have a right to know when their data has been compromised, and if the industry best practice of network recording isn’t adopted universally, then the SEC needs to step in and mandate the requirement.

Booz Allen identify the Top 10 threats to be:

  1. The exponential growth of mobile devices drives an exponential growth in security risks. Every new smart phone, tablet or other mobile device opens another window for a cyber attack, as each creates another vulnerable access point to networks.
  2. Increased C-suite targeting. Senior executives are no longer invisible online. Firms should assume that hackers already have a complete profile of their executive suite and the junior staff members who have access to them.
  3. Growing use of social media will contribute to personal cyber threats. A profile or comment on a social media platform – even by the CEO’s son or sister — can help hackers build an information portfolio that could be used for a future attack.
  4. Your company is already infected, and you’ll have to learn to live with it – under control. Security should remain a priority, but today’s risks and threats are so widespread that it will become impossible to have complete protection – the focus of cyber security tactics increasingly must be to analyze, detect and expunge threats inside your system.
  5. Everything physical can be digital. The written notes on a piece of paper, the report binder and even the pictures on the wall can be copied in digital format and gleaned for the tools to allow a hacktivist-type of security violation, and increasingly this will be a problem.
  6. More firms will use cloud computing. The significant cost savings and efficiencies of cloud computing are compelling companies to migrate to the cloud. A well designed architecture and operational security planning will enable organizations to effectively manage the risks of cloud computing.
  7. Global systemic risk will include cyber risk. As banks and investment firms continue on the path to globalization, they will become increasingly inter-connected. A security breach at one firm can create negative ripple effects that greatly impact systemic risk in financial markets.
  8. Zero-day malware (malicious software) and organized attacks will continue to increase. Like a vicious, insidious virus that mutates, the tools of cyber criminals adapt and change constantly, rendering the latest defenses useless. Firms need to be prepared to adapt quickly as well to zero-day malware and the tactics of organized crime and foreign adversaries that are increasingly used today.
  9. Insider threats are real. The accidental insider breach will continue to be the primary source of compromise for the Advanced Persistent Threat (APT) and other attacks. Organizations need to focus on security awareness training and internal monitoring to detect intentional and accidental insider access.
  10. Increased regulatory scrutiny. Recently, the Securities and Exchange Commission introduced guidelines that require companies to report incidents that result, or could possibly result in, cyber theft or a risk of compromised data considered material.

 
