Tuesday, 26 May 2015

Financial Firms Grapple With Cyber Risk in the Supply Chain

In a connected world, business survival depends on communicating with partners. But increasingly those same partners, which include technology services providers and suppliers, can prove to be a company’s downfall if the systems they share are compromised. With large financial firms often retaining hundreds or thousands of such connections, federal and state financial services regulators are now looking more closely at this issue, requiring firms to better understand and test the security of third-party providers.

“Everything is interconnected, probably more than most people realize, and regulators have begun to increase scrutiny,” said Vickie Miller, former chief information security officer of Fair Isaac Corp., known as FICO for its trademark credit scores. The company works with many financial services firms and has recently been asked to provide more details of its security practices. “If we have a data circuit between us and a bank, anything that compromises us should be on the radar,” said Ms. Miller, who moved to another role within the company this year.

Routinely, banks will ask for the list of servers used for the bank’s needs and information about patch and vulnerability management programs. Now they may want screenshots of the last time servers were patched, periodic testing of the patching status of those servers and information about the work that Fair Isaac outsources to others. Some financial institutions have even asked for credit scores and drug testing of employees with access to those servers. The company tries to be as transparent as it can while still preserving the privacy of its employees, said Ms. Miller.

The extra steps come as cyber criminal activity increases. In 2014 there were 783 data breaches, a record high, according to the Identity Theft Resource Center (ITRC). As companies have increased security in certain areas, attackers have switched methods. Last year, hacking incidents were the top cause of data breaches, accounting for 29% of breaches tracked by ITRC. Access to targeted systems through compromised third parties or subcontractors was the second-leading cause of breaches in 2013 and 2014, up from fourth in 2007. Attackers in the 2013 Target Corp. breach, for example, gained entrance to the company’s systems through a connection to a heating and air conditioning contractor.

Both federal and state regulators are paying attention to banks’ third-party providers. In a report last month, the New York State Department of Financial Services said it was considering, among other regulations, cybersecurity requirements for financial institutions that would apply to their relationships with third-party service providers. These providers may include check and payment processors, trading and settlement operations or data processing companies.

When cloud service providers are added to the mix, there can be hundreds or even thousands of these connections within a single company. For example, in the first quarter of 2015, the average company across all major industries, such as financial services, healthcare, retail and manufacturing, used 923 distinct cloud services, according to a report from Skyhigh Networks, which tracks usage of over 10,000 cloud services.

Some regulators are also considering applying similar standards beyond providers to banking business partners. One Fortune 500 bank, for example, knows that several of its servers have not been patched for a serious bug called Heartbleed. If it patches those servers, though, it will break continuity with several European banks that have not upgraded their systems, said the chief information security officer of the bank, who declined to be named for security reasons. The bank must be able to share data with its overseas partners, so disconnecting is not an option.

It can be daunting to assess the cybersecurity posture of thousands of partners and providers, said John Haller, an infrastructure and security expert at the CERT Division of the Software Engineering Institute at Carnegie Mellon University. It’s best to start with the basics and identify and prioritize the critical few vendors and other external entities that support important business services, he said. “The importance of a third party doesn’t always relate to its visibility or the size of the contract,” he said. There may be a smaller company that provides a critical service whose loss could hamper business operations.

Also, while a company can spell out the security requirements in contracts, to get the best results it’s important to collaborate and build relationships with vendors and business partners, he added. Building those relationships is important so companies can understand the level of risk their partners are willing to accept and how it matches up to their own, he said.

View the original content and more from this author here: http://ift.tt/1SyP1ZD
