Millions of Canadians got a message from Capital One after a reported hack: their personally identifiable information (PII) was breached when a cyber criminal accessed bank servers through a third-party vulnerability.
Canadian financial-services companies need to get a message after the Capital One hack, too: they are vulnerable. They will be hacked. Cyber-resilience is critical. It's the next step.
Ninety-five percent of all businesses had a cybersecurity program in place in 2017, according to Statistics Canada.
Forty-seven percent of banking institutions in Canada have been breached, according to the same data set from Canada's national statistical agency.
“In our day-to-day work, almost all businesses operate with products from third-party providers… all it takes is one small vulnerability for a hacker to get in,” notes Vivek Gupta.
“Are you doing everything in your control to protect your customers? Are your strategic partners, third-party providers, and vendors part of your cybersecurity framework? Are you able to respond effectively to a breach? Is your company cyber-resilient?”
Cyber-resilience
“Cyber-resilience is having the capability to deliver and provide an intended outcome despite unforeseen adverse cyber events,” explains Vivek. “Organizations are currently focused on strengthening their information security, cybersecurity, and business continuity-management policies. During a cyber attack the impact is on availability, confidentiality, and integrity of information, in turn affecting the systems, operations, infrastructure, network, and processes of the organizations. The cyber-resilient business continues operations and delivers intended outcomes―despite the breach.”
Cyber-resilience strengthens your company's abilities to resist attacks and enables it to continue to function if―or when―an incident takes place.
To become cyber-resilient, you need to identify and eradicate vulnerabilities that hackers could use, following seven steps.
7 steps toward cyber-resilience
The first step is to develop and implement IT security policies, risk assessments, company processes, and company-critical systems. IT teams then decide how to configure solutions that bolster resilience and ensure regulatory compliance.
A current-state cybersecurity assessment helps organizations understand their current security posture. A vulnerability scan determines weak points in the infrastructure and where they differ from the new configuration specifications. Any outdated information leaves systems vulnerable to the latest attacks.
Information should be classified based on policies and procedures defined in the organization.
Identified vulnerabilities should be prioritised, with critical gaps closed first.
This is the process of eliminating the vulnerability. The procedure should specify who should be notified once a vulnerability is discovered, how quickly they should be notified, who is responsible for any next steps, and what those steps should be.
Continuous monitoring should be performed to ensure that vulnerabilities are closed, and potential risks and threats are covered.
A playbook should be maintained and all vulnerabilities identified should be listed in it—the document is helpful in the analysis of security incidents and provides evidence of compliance with company processes and sector-wide regulations.