This week marks the first deadline of the New York State Department of Financial Services cybersecurity regulations, and the end of the 180-day transitional period from when the regulations went into effect.
As of August 28, 2017, each covered entity must:
▪ Designate a Chief Information Security Officer responsible for overseeing, implementing, and enforcing the institution’s cybersecurity policy
▪ Establish a risk-based cybersecurity program “designed to protect the confidentiality, integrity and availability” of an institution’s information systems
▪ Implement a cybersecurity policy setting forth “policies and procedures” for the protection of the organization’s network and sensitive information
▪ Appoint a board member or senior officer to approve the cybersecurity policy
▪ Limit user privileges to information systems that provide access to nonpublic information
▪ Ensure that “qualified cybersecurity personnel” are used to “perform or oversee” core cybersecurity functions
▪ Establish a “written incident response plan” to enable the institution to respond to a data security event, including procedures to inform the state regulator within 72 hours of such an event
Overall, the New York state regulations are considered to be the most far-reaching and comprehensive, already serving as a model for other states to follow. But compliance alone isn’t enough to stop a cyber attack. Many large financial services institutions are already following this formula for complying with cybersecurity regulations, yet 3 out of 4 companies surveyed admit they aren’t resilient against cybersecurity threats.
Cybersecurity Regulations Don’t Address the Real Cyberthreat
Preventing cyber attacks goes beyond being in compliance with cybersecurity regulations, and it’s a much more complex problem to solve. Part of the challenge is that it’s difficult to get inside the mind of the hacker; it’s impossible to know where the next threat will come from and, oftentimes, who the attacker is.
Organizations and individuals end up in a cat-and-mouse situation, and it’s dangerous to think that simply complying with new cybersecurity regulations, like New York’s, will take care of the problem. In fact, this couldn’t be farther from the truth.
Checking the boxes can lead to complacency. Truly solving the problem and protecting employees, customers and assets starts with thinking about the simple actions that can result in a major cybersecurity issue. For example, how do you stop the person in your company who clicks on a link in an email and inadvertently installs malware on their machine? Malware can be designed to hide in the background and spring into action only after the innocent clicker has logged on to the company’s bank account to manage receivables. It could be an automated script, or it could enable a fraudster to piggyback on a login and change routing and account numbers in the background while payments are being set up.
The problem can be the person who gets an email from the CEO instructing them to make a money transfer and thinks they are doing their job by carrying out the order. The growing threat of business email fraud shows how easy it is for an employee to be lured into providing their credentials to a fraudster.
Imagine being the chairman of a political party and getting an email saying that your password needs to be reset. Your IT department tells you it is OK to proceed. You log in to a website designed to look like it’s part of your network, but its sole purpose is to capture credentials so that at another time the hacker can log in, circumvent encryption mechanisms, update provisioning and steal content.
These are all situations that cannot be stopped by cybersecurity regulation alone.
Yet these are the scenarios that should keep us up at night, and they repeat themselves every single day. According to Verizon’s 2016 Data Breach Investigations Report, 30% of phishing messages were opened by the target across all campaigns and about 12% went on to click the malicious attachment or link, thus enabling the attack to succeed. In these instances, the user would have authenticated themselves and all existing fraud prevention measures would have been bypassed. And you guessed it - most likely, the institution or organization attacked would have been in compliance with applicable cybersecurity regulations.
Cybersecurity Requires Resilience, Not Just Checking the Boxes
Defending against cyberattacks requires more than just complying with cybersecurity regulations. We need to think about how to define digital identity. What does it mean when a person has the correct information on an individual but is not that person? What happens when a hacker obtains someone’s credentials? If fraudsters are able to log in, how can the system recognize that it’s not really the authorized person?
As threats like social engineering, malware and account takeovers become more recognizable in the risk assessments that the cybersecurity regulations require, a change in the way the problem is looked at is sure to emerge. By looking at things like the way people scroll, how they type, toggle between fields and use shortcuts, solutions like behavioral biometrics can help answer an otherwise vexing question: how to passively figure out who is behind a session the entire time, not just what device or password was used to log in. This may not be explicitly spelled out in cybersecurity regulations, but this is how to get to real security, not just checking the boxes.
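As an added illustration of the passive, whole-session check described above (a constructed toy written for this page, not material from the original post or any vendor's behavioral biometrics product; all timing values are invented), the following Python scores successive chunks of a session against an enrolled typing-rhythm profile, so that a takeover that happens after a valid login still surfaces:

```python
"""Toy keystroke-dynamics session check (constructed example, not a product).

Enrolled typing rhythm = mean/stdev of dwell times (key held, ms) and flight
times (gap between key presses, ms). Later chunks of a session are scored
against it; a high mean z-score means the rhythm no longer matches the
enrolled person even though the session was opened with valid credentials.
"""
from statistics import mean, stdev

# Constructed enrollment data for one user: three past sessions.
ENROLLED_SESSIONS = [
    {"dwell": [100, 90, 110, 100], "flight": [150, 160, 140, 150]},
    {"dwell": [95, 105, 100, 100], "flight": [145, 155, 150, 150]},
    {"dwell": [90, 100, 110, 100], "flight": [140, 160, 150, 150]},
]

def build_profile(sessions):
    """Return {feature: (mean, stdev)} pooled over all enrolled sessions."""
    profile = {}
    for name in ("dwell", "flight"):
        values = [v for s in sessions for v in s[name]]
        sigma = stdev(values) if len(values) > 1 else 0.0
        # A constant feature would give a zero divisor; fall back to 1 ms.
        profile[name] = (mean(values), sigma if sigma > 0 else 1.0)
    return profile

def score_chunk(profile, chunk):
    """Mean absolute z-score of a chunk's timings against the profile."""
    total, count = 0.0, 0
    for name, (mu, sigma) in profile.items():
        for v in chunk.get(name, []):
            total += abs(v - mu) / sigma
            count += 1
    return total / count if count else 0.0

def first_drift(profile, chunks, threshold=2.0):
    """Index of the first chunk that drifts past the threshold, else None."""
    for i, chunk in enumerate(chunks):
        if score_chunk(profile, chunk) > threshold:
            return i
    return None

if __name__ == "__main__":
    prof = build_profile(ENROLLED_SESSIONS)
    session = [
        {"dwell": [98, 104, 100, 92], "flight": [152, 148, 155, 145]},  # owner
        {"dwell": [60, 65, 58, 62], "flight": [80, 85, 90, 78]},       # hijacked
    ]
    print(first_drift(prof, session))  # -> 1: the rhythm changes in chunk 1
```

A real deployment would use many more features and a tuned threshold; the point is that the check runs continuously after authentication rather than only at login.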