It’s 9am — Do You Know Where Your Data Are?

Financial Services Storytelling
Into The Future
Published in
4 min read · May 23, 2017

The following is an excerpt from Rogues of Wall Street: How to Manage Risk in the Cognitive Era by Andrew Waxman.

External Cyberthreats

Of late, cybersecurity threats have been a greater concern than ever, including allegations of election hacking from all sides. Although sovereign states are now deploying powerful tools of cyberwarfare, small but well-organized attackers can pose just as much danger to banks.

Malcolm Gladwell, in his book David and Goliath, highlighted the somewhat counterintuitive idea that in a clash between a David and a Goliath, the odds are generally stacked against the bigger, more highly favored opponent.[1] Goliath is slow and lumbering, blinkered in his vision and rather hard of hearing. He also has a rather outdated weapon at his disposal. Like Goliath, the modern large enterprise is slow — slow to react to changes in the business environment. It is also hard of hearing, and updated information from clients and employees may not reach the ears of senior managers who can influence decisions made by the company. Furthermore, a combination of sunken investments and conservative thinking may delay decisions to invest in modern tools. Now contrast that with a small attacking force, the David in this encounter, which has but one objective: to bring down the larger one. It dedicates its energies to that one goal and can take full advantage of modern weaponry to do so. This small opponent can change the message and have it understood by all its network members instantly. Today, banks find themselves under siege from organizations dedicated to stealing data, individual identities, and account information and to disrupting customer services. Vast entities — businesses, organizations, countries — find themselves outmatched by relatively tiny organizations.

It is unusual these days for a week or even a day to go by without publicity of a security breach at a large bank or retailer, and it feels like this game has changed both in terms of the significance and the nature of that risk. The greater significance attached to data security can be seen in two ways. First of all, the publicity surrounding recent data breaches has been richly deserved. There have been massive breaches, and they have upended the assumptions made by customers when they transact in the most basic, everyday ways. Second, in “yesterday’s world,” the security of a bank’s IT network was generally the domain of IT security chiefs. Today, however, it is the CEO who owns it and is publicly responding to it. The issue of today is not just compliance with the regulatory control compliance framework but the loss of real assets, customers, data, and revenue.

The elevation of the significance of data security has been brought about by the revolution in the ways we transact, conduct, and manage business. Customers access their accounts online as a matter of course, often on-the-go via a bewildering array of devices. The same is true of employees. We already take this for granted, but it is a massive change, and it has taken place in the blink of an eye. Large US enterprises, on the other hand, have typically designed their IT security strategies around the paradigm of employees accessing a single IT network from enterprise-compliant computer devices. Although the network was frequently breached by viruses, worms, and the like, such breaches incurred limited damage and created minimal reputational damage. This was because online customer transactions and account data were far less ubiquitous and thus harder for an intruder to locate and steal from. Companies nevertheless started to make bigger investments to shore up their networks. Robust firewalls were erected and antivirus software was installed. These investments focused on a view of the enterprise as a single network with a centralized command-and-control center. Today, those seeking to infiltrate a company’s information assets, customer accounts, sales information, and so on have many potential points of entry from unwitting customers and employees that can easily bypass a central firewall. Focusing on the firewall is rather like focusing on a missile defensive shield when terrorists are leveraging civil airliners. The Goliaths of today need to get a slingshot.

The key to turning the tables in this battle revolves around two key components: data and education. Companies need to go through a process of identifying which of their data and their customers’ data are critical to protect. Once these data are identified, analytics should be built around how, when, and by whom they are accessed. For instance, when does a customer typically access his or her account, from what device, what type of transactions are executed, for how much, and so on. For an employee, the analysis is similar: Which employees touch this customer’s account information and to perform which function? Understanding these normative patterns helps identify unusual activity that could indicate a breach has occurred. Investment in tools, people, and processes that can detect deviations from such patterns of behavior is critical if companies are to move from defense to offense on this issue.
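As an added illustration (not part of the book excerpt), the sketch below builds a per-customer baseline of access hour, device, transaction type and amount, then lists how a new event deviates from it. The event fields, thresholds and sample records are constructed assumptions; the same structure applies to employee access keyed by employee and function.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (customer, hour_of_day, device, txn_type, amount)
HISTORY = [
    ("cust-1", 9, "phone-A", "transfer", 120.0),
    ("cust-1", 10, "phone-A", "bill-pay", 80.0),
    ("cust-1", 9, "laptop-A", "transfer", 100.0),
    ("cust-1", 18, "phone-A", "bill-pay", 95.0),
    ("cust-1", 10, "laptop-A", "transfer", 105.0),
]

def build_baseline(events):
    """Summarise each customer's usual hours, devices, transaction types and amounts."""
    base = defaultdict(lambda: {"hours": set(), "devices": set(),
                                "types": set(), "amounts": []})
    for cust, hour, device, txn, amount in events:
        b = base[cust]
        b["hours"].add(hour)
        b["devices"].add(device)
        b["types"].add(txn)
        b["amounts"].append(amount)
    return base

def deviations(baseline, event, hour_slack=2, z_limit=3.0):
    """Return the reasons an event departs from the customer's baseline ([] if none)."""
    cust, hour, device, txn, amount = event
    b = baseline.get(cust)  # .get() does not create an empty profile
    if b is None:
        return ["no baseline for customer"]
    reasons = []
    # Distance on a 24-hour clock, so 23:00 and 01:00 are two hours apart.
    nearest = min(min(abs(hour - h), 24 - abs(hour - h)) for h in b["hours"])
    if nearest > hour_slack:
        reasons.append("unusual hour")
    if device not in b["devices"]:
        reasons.append("new device")
    if txn not in b["types"]:
        reasons.append("new transaction type")
    mu, sigma = mean(b["amounts"]), pstdev(b["amounts"])
    # Floor the spread so a very uniform history neither divides by zero
    # nor flags small, ordinary variations.
    spread = max(sigma, 0.1 * mu, 1.0)
    if abs(amount - mu) / spread > z_limit:
        reasons.append("unusual amount")
    return reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ev in [("cust-1", 10, "phone-A", "transfer", 110.0),
               ("cust-1", 3, "phone-Z", "wire", 5000.0)]:
        print(ev, "->", deviations(baseline, ev) or "normal")
```

Each reason is reported separately so an analyst can see why an event was flagged and tune one threshold without affecting the others.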
