When October rolls around each year, millions of people in the U.S. and other parts of the world turn out in droves to buy costumes, decorations, pumpkins and candy for a fun and scary Halloween. But October also happens to be a time when financial institutions and businesses prepare for situations much scarier than ghosts and goblins in search of tricks or treats.
Since 2004, October has been observed as National Cyber Security Awareness Month by the Department of Homeland Security (DHS). To mark the occasion each year, DHS runs a campaign to raise awareness of cybersecurity issues and to help companies and financial institutions take steps against threats whose consequences are far more serious than a Halloween prank.
Cybersecurity, of course, is top of mind for many businesses and individuals year round, but the events leading up to this year’s DHS campaign were even more dramatic than usual. In September, the consumer credit agency Equifax reported that the personal information of roughly 143 million Americans had been compromised in a data breach of epic proportions. Meanwhile, the recently released PYMNTS Global Fraud Index, produced in collaboration with Signifyd, found that instances of global fraud increased by 5.5 percent from Q2 2016 to Q2 2017. The Index also reported that global fraud can cost merchants in eight different industries $57.8 billion each year and that account takeovers spiked sharply, up 45 percent, in Q2 2017. The bottom line is that cybersecurity threats have costly consequences and are a year-round, round-the-clock concern.
Some organizations are taking steps to make sure that the financial services industry is prepared to respond quickly and appropriately to cybersecurity threats whenever they emerge. One such organization is the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit group established by the financial industry to provide information on financial security for the broader industry. PYMNTS recently caught up with FS-ISAC CEO Bill Nelson, who reflected on the events that helped create the organization and spoke about the ways that FS-ISAC helps companies better prepare for the next cyberattack.
A brief history of FS-ISAC
FS-ISAC was launched by different players in the financial services industry in 1999 in response to a Presidential directive issued the previous year. As Nelson explained, the organization, which operates as a nonprofit, was formed to serve as a resource to enable the financial services industry to highlight and share information about physical and cybersecurity vulnerabilities.
Nelson joined the organization in 2006 after previously serving as executive vice president of NACHA – The Electronic Payments Association. He told PYMNTS that during his early days at the organization, he saw little information-sharing about cyber threats taking place between member organizations. A few years later, however, in the late 2000s, Nelson said he saw an uptick in cyber threat activity.
Nelson said the organization was alerted by the FBI in 2009 regarding a rise in corporate account takeovers. In a corporate account takeover, a fraudster gains control of a business’s online banking account, typically by capturing its login credentials with phishing, spyware or other malware.
“At the time, they were seeing about 80 cases a week,” Nelson said. “It was becoming an epidemic.”
Recognizing the growing threat of account takeovers, Nelson said, FS-ISAC started collaborating with law enforcement and the business and financial community to develop a strategy to help various organizations secure their online banking environments.
“We hadn’t done that before,” Nelson said. “The whole industry pretty much just said, ‘Hey, don’t click on that link.’ But obviously, that was not good enough.”
To better protect themselves against account takeover attacks, FS-ISAC recommends that organizations update their cyber risk assessments, stay informed about potential cybersecurity threats through information-sharing and follow FS-ISAC’s good “cyber hygiene” suggestions, including locking down the organization’s IT environment with multiple layers of security and evaluating the strength of both primary and secondary controls, so that if one control is bypassed another still stands in the attacker’s way.
To protect payments from cyberattacks, FS-ISAC also recommends that companies keep the systems used to initiate payment transactions isolated from the rest of the company’s network. “Do not allow email to go to that computer or other types of web browsing, so malware can’t get on it,” Nelson said. “It’s very simple.”
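Nelson’s isolation advice, expressed as a concrete host network policy. The nftables ruleset below is an added example for a Linux payment-initiation workstation; it is not FS-ISAC’s or Nelson’s own configuration. The portal address 203.0.113.10 and the resolver 192.0.2.53 are placeholder assumptions drawn from the documentation address ranges, and a real deployment would substitute the bank’s published addresses and add any other endpoint the payment software genuinely needs (a software update server, for instance).

```nft
#!/usr/sbin/nft -f
# Added example (not FS-ISAC's or Nelson's own configuration): egress policy for a
# dedicated payment-initiation workstation. Everything not explicitly allowed is
# dropped, so email, general web browsing and any malware call-home have no path
# off the host. Both addresses are placeholder assumptions (RFC 5737 documentation ranges).
define BANK_PORTAL = 203.0.113.10    # assumed address of the bank's online-banking portal
define RESOLVER    = 192.0.2.53      # assumed corporate DNS resolver

flush ruleset

table inet payment_ws {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # No inbound services are exposed: nothing on this host needs to listen.
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Name resolution, but only to the corporate resolver.
        ip daddr $RESOLVER udp dport 53 accept
        ip daddr $RESOLVER tcp dport 53 accept

        # The banking portal, over TLS only.
        ip daddr $BANK_PORTAL tcp dport 443 accept

        # The rules below are already covered by the drop policy; they exist to log
        # attempts, which is how a mail client, a browser or malware on the host shows up.
        tcp dport { 25, 465, 587, 110, 143, 993, 995 } log prefix "payment-ws mail blocked: " drop
        tcp dport { 80, 443 } log prefix "payment-ws web blocked: " drop
        # Nothing above permits IPv6, so it falls through to the drop policy as well.
    }
}
```

Check the file with `nft -c -f` before loading it with `nft -f`. Two caveats a practitioner would want: the policy only controls network egress, so the host should also have no mail client or general-purpose browser installed, and pinning the portal to an address breaks if the bank fronts it with a CDN whose addresses change, so the allowlist should be taken from the bank’s published ranges and reviewed whenever they change. The logged “payment-ws … blocked” lines are worth forwarding to the SOC: on a host that is supposed to talk only to the bank, any such entry means either misuse or an infection.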
Cyberattack fire drills
Nelson explained that providing information and outlining recommendations between members is one of the ways FS-ISAC works to help its members prepare for cyberattacks. Getting members to practice their responses by running cybersecurity drills is another.
Since 2010, FS-ISAC has also invited members to participate in the organization’s Cyberattack Against Payment Systems (CAPS) exercises, in which IT professionals take part in an immersive simulation of an attack on an organization’s payment operation.
In a recent CAPS exercise, featured on NBC’s Today Show, a group of IT professionals from several different banks and FIs took part in a simulation at IBM Security’s Cyber Range in Cambridge, Mass. During the simulation, participants reacted to different types of attacks, including leaked CEO emails, compromised financial and health records and infrastructure attacks that left some employees stuck in elevators.
The purpose of the CAPS exercises, said Nelson, is to help IT professionals be better prepared to react to a cyberattack in real time. By working through a simulated, evolving scenario, senior IT professionals responsible for keeping a company or FI’s data safe get the opportunity to think outside their own job functions and gain a better understanding of how their company or institution should respond in the event of a breach.
“It’s practicing and getting the muscle memory of what happens — if this does happen — to you as a company,” Nelson said. “The exercises are key to making sure people know what to do when it happens.”
The exercises also encourage IT professionals to learn the roles of other people within their organization: who controls and manages its various functions. Such simple introductions among co-workers can go a long way if they are made before a crisis hits, Nelson added.
“During a crisis is not the right time to pass out business cards,” Nelson said wryly.
This year, Nelson said, the CAPS program drew 2,000 participants, the highest turnout in a single year in the program’s history. Given these numbers, he added, he is encouraged by the financial sector’s engagement in staying on top of emerging threats, keeping fellow organizations in the loop and laying the groundwork needed to prepare for and respond to the next cyber threat.
“The great thing about the private sector is that we always seem to find solutions to problems,” Nelson said.
Based on recent activity, it’s clear that online thieves and criminals have no intention of slowing down and that another major data breach or cyberattack is likely in the future. But being better prepared can at least make the next cyber incident somewhat less daunting. And having a resource devoted to helping businesses and FIs stay informed and respond quickly to threats is something many players in the financial sector can be thankful to have available.