Data security has become increasingly important in today’s business environment, now that businesses use and store significant amounts of personally identifiable information (PII). The Equifax breach highlighted the impact on consumers when a business mishandles data. If your business uses and stores PII, you need a strategy for securing that data and a plan to keep your security program up to date over time.
It’s important to keep looking forward so that you understand the security threat landscape as well as possible. Threats are constantly evolving and changing. As technology changes, new risks and vulnerabilities are introduced. The skills of threat actors keep increasing. Tools once available only to nation state actors are now in the hands of cyber criminals, and the cyber criminals are commercializing those tools, offering them for sale at prices novice hackers can afford. These tools turn the novice hacker, or “script kiddie”, into a formidable attacker. If you believe you are not a target of nation state attackers or cyber criminals, but only of script kiddies, be aware that their capabilities have risen to the point where your defenses may no longer be adequate. And if you fear cyber criminals, their capabilities are now very advanced, so you must have excellent defenses.
As organizations have improved their security posture, the hackers have not given up, but have looked for new opportunities to attack. They have found creative ways to monetize their efforts. As it has become more difficult to break in and steal data, the new approach is simply to hold data hostage and disrupt your business so that you’ll pay. Hence the term ransomware: malware created to hold your data for ransom. This form of attack requires us to think about the specific defensive techniques needed to prevent it from occurring, such as tested offline backups and containment of infected systems, rather than relying only on controls that stop data theft.
How do you stay ahead of this when the landscape changes so rapidly? You can’t do it alone, because there’s too much information to digest. You must find organizations that provide cyber intelligence and identify which ones best align with your industry. Different industries have different cyber concerns, so you want to find this alignment; otherwise you may be focusing on the wrong issues for your company. For example, financial services companies are concerned about protecting financial assets and PII, but manufacturing companies may be more concerned about disruptive malware. You want an intelligence organization that focuses on the same cyber issues you care about.
At Genworth Mortgage Insurance, we utilize organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Financial Services Roundtable BITS organizations. These groups are sponsored by financial services companies to specifically monitor and address concerns of the financial services industry. As such, these groups stay on the forefront of cyber issues directly related to Genworth. FS-ISAC focuses on cyber threats and the technical landscape. Through the information sharing program, we are provided the latest indicators of compromise (IOCs) to make changes in firewalls and our monitoring tools in near real-time. The Financial Services Roundtable focuses on the regulatory environment, which is also in a state of flux as government attempts to address issues faced by the public. From a business perspective, we must deal not only with technical threats, but also with regulatory changes that may impact how we must secure our data. This relationship provides insight on proposed legislation at the state and federal level so we understand what new regulations are being proposed. This allows us to be participants in the process and shape new regulations so they can achieve the desired goal without being too burdensome on business.
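As an added illustration of what "using shared IOCs in firewalls and monitoring tools" looks like in practice, the following Python script is not Genworth's code and not an FS-ISAC tool. It assumes a constructed, deliberately simple `type,value,note` feed (real sharing programs use richer formats such as STIX) and constructed proxy, DNS and endpoint log lines. It parses and validates the feed, skipping malformed entries so that a bad line never stops ingestion, turns the IP indicators into firewall blocklist entries, and matches every indicator against the logs the way a monitoring tool would.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample feed, one indicator per line: "type,value,note".
# This is not a real FS-ISAC format; it stands in for whatever the
# sharing program delivers.
SAMPLE_FEED = """\
ipv4,203.0.113.45,command-and-control server (constructed)
domain,bad-example.test,phishing landing page (constructed)
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,dropper (constructed)
ipv4,not.an.ip,malformed entry that must be skipped
"""

# Constructed log lines from a web proxy, a DNS resolver and an endpoint agent.
SAMPLE_LOGS = [
    "2024-01-02T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.45 action=allow",
    "2024-01-02T10:00:02Z dns client=10.0.0.7 query=www.bad-example.test",
    "2024-01-02T10:00:03Z edr host=ws12 file=invoice.exe "
    "sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "2024-01-02T10:00:04Z proxy src=10.0.0.9 dst=198.51.100.20 action=allow",
]


@dataclass(frozen=True)
class IOC:
    kind: str   # "ipv4", "domain" or "sha256"
    value: str  # normalized: lower-case and validated
    note: str


def parse_feed(text):
    """Parse and normalize a feed; malformed lines are skipped, not fatal."""
    iocs = []
    for line in text.splitlines():
        parts = line.strip().split(",", 2)
        if len(parts) != 3:
            continue
        kind, value, note = (p.strip() for p in parts)
        value = value.lower()
        if kind == "ipv4":
            try:
                ipaddress.IPv4Address(value)  # rejects "not.an.ip"
            except ipaddress.AddressValueError:
                continue
        elif kind == "sha256":
            if not re.fullmatch(r"[0-9a-f]{64}", value):
                continue
        elif kind == "domain":
            value = value.rstrip(".")  # drop a trailing root dot
        else:
            continue  # unknown indicator type: ignore rather than guess
        iocs.append(IOC(kind, value, note))
    return iocs


def firewall_blocklist(iocs):
    """IPv4 indicators as /32 CIDRs, the form most firewall APIs accept."""
    return sorted(f"{i.value}/32" for i in iocs if i.kind == "ipv4")


def _pattern(ioc):
    """Build a token-bounded regex so 203.0.113.45 does not hit 203.0.113.450."""
    esc = re.escape(ioc.value)
    if ioc.kind == "ipv4":
        return re.compile(r"(?<![\d.])" + esc + r"(?![\d.])")
    if ioc.kind == "sha256":
        return re.compile(r"(?<![0-9a-f])" + esc + r"(?![0-9a-f])")
    # Domains: also match subdomains (www.bad-example.test) but not
    # lookalikes such as notbad-example.test.
    return re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + esc + r"(?![\w.-])")


def match_logs(iocs, log_lines):
    """Return (line_index, IOC) for every log line that contains an indicator."""
    patterns = [(ioc, _pattern(ioc)) for ioc in iocs]
    hits = []
    for idx, line in enumerate(log_lines):
        low = line.lower()  # hashes and domains are case-insensitive
        for ioc, pat in patterns:
            if pat.search(low):
                hits.append((idx, ioc))
    return hits


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    print("firewall blocklist:", firewall_blocklist(feed))
    for idx, ioc in match_logs(feed, SAMPLE_LOGS):
        print(f"ALERT line {idx}: {ioc.kind} {ioc.value} ({ioc.note})")
```

The design choice worth noting is the validation step: an indicator that fails to parse is dropped and logged by the caller, never pushed to a firewall, because a malformed blocklist entry can take down legitimate traffic just as surely as a missed one lets an attacker through. The token-bounded matching also matters; naive substring checks on IP addresses and hashes produce false positives that quickly erode trust in the alerts.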
Unfortunately, there will never be a permanent solution for cyber security issues. For every new technique we implement to protect our data and systems, the bad guys discover or create a new way to attack us. This means we are in a continuous process of monitoring the environment for threats, identifying new techniques for protection, implementing them, and then monitoring for the next new threat. Everyone must be doing the same to protect customers’ data.