In my previous blog, I discussed the disparity between (1) the confidence many banking institutions have in their cybersecurity defenses; and (2) the reality of how many breaches per month they are actually suffering from. View our full report on cybersecurity and the banking industry.
So, now: What to do?
Accenture recommends a two-pronged defense—focused on cybersecurity assessment on the one hand, and attack simulation on the other.
Each of these activities on its own provides valuable insights into an organization’s security program. However, when they are coupled and performed in parallel, the assessment results are seen in the context of a successful attack, not just a theoretical problem. This way, it becomes much easier to prioritize actions and to demonstrate where funding should be applied.
Traditional assessments have been audits that are based on checklists. Today, such an analysis needs to be a true risk assessment that identifies the controls needed to mitigate each risk.
The controls should be managed against an agreed risk appetite with a set of metrics that measures the risks against the scale of the problem. For example, rather than measure unpatched systems, track the number of unpatched systems that contain sensitive information or that are publicly exposed.
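To make the metric above concrete, here is an added example (not Accenture's code, and not from the report the post links to) that scores a constructed asset inventory the way the paragraph suggests: it counts unpatched systems that hold sensitive data or are publicly exposed, orders remediation by those two factors, and compares the scoped count, not the raw one, against an agreed risk-appetite threshold. The `Asset` fields, host names and the threshold value are all assumptions made for the example.

```python
"""Risk-scoped patch metrics over a constructed asset inventory.

Added example, not Accenture's code. Field names, host names and the
tiering scheme are assumptions chosen to illustrate the post's point:
track unpatched systems that matter (sensitive data, public exposure)
rather than the raw unpatched count.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    unpatched: bool          # at least one overdue security patch
    sensitive_data: bool     # stores regulated or customer data
    public_exposure: bool    # reachable from the internet


# Constructed sample inventory; every host here is hypothetical.
INVENTORY = [
    Asset("web-portal-01", unpatched=True, sensitive_data=True, public_exposure=True),
    Asset("api-gateway-02", unpatched=True, sensitive_data=False, public_exposure=True),
    Asset("core-db-01", unpatched=True, sensitive_data=True, public_exposure=False),
    Asset("dev-jenkins", unpatched=True, sensitive_data=False, public_exposure=False),
    Asset("hr-share", unpatched=False, sensitive_data=True, public_exposure=False),
    Asset("kiosk-07", unpatched=False, sensitive_data=False, public_exposure=True),
]


def risk_tier(asset: Asset) -> int:
    """Higher is worse. 0 means patched; 1 means unpatched but out of scope;
    each of sensitive data and public exposure adds one tier."""
    if not asset.unpatched:
        return 0
    return 1 + int(asset.sensitive_data) + int(asset.public_exposure)


def patch_metrics(inventory) -> dict:
    """Raw count alongside the risk-scoped counts the post recommends tracking."""
    unpatched = [a for a in inventory if a.unpatched]
    return {
        "unpatched_total": len(unpatched),
        "unpatched_sensitive": sum(a.sensitive_data for a in unpatched),
        "unpatched_public": sum(a.public_exposure for a in unpatched),
        # The metric to report: unpatched AND (sensitive OR exposed).
        "unpatched_in_scope": sum(
            a.sensitive_data or a.public_exposure for a in unpatched
        ),
    }


def prioritized(inventory) -> list:
    """Unpatched assets ordered worst tier first, ties broken by name,
    so the remediation queue is driven by risk rather than by count."""
    return [
        a.name
        for a in sorted(
            (a for a in inventory if a.unpatched),
            key=lambda a: (-risk_tier(a), a.name),
        )
    ]


def exceeds_appetite(metrics: dict, max_in_scope: int) -> bool:
    """Compare the scoped metric, not the raw total, to the agreed appetite.
    The threshold is an assumed value the organisation would set itself."""
    return metrics["unpatched_in_scope"] > max_in_scope


if __name__ == "__main__":
    m = patch_metrics(INVENTORY)
    print("metrics:", m)
    print("remediation order:", prioritized(INVENTORY))
    print("over appetite (max 2 in scope):", exceeds_appetite(m, 2))
```

Note how the raw total (4) overstates the problem relative to the scoped count (3), while the ordering puts the one host that is both exposed and data-bearing first; that ordering is the output a leadership team can act on and fund.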
Pressure-testing company defenses can help leaders understand whether they can withstand a targeted, focused attack. Organizations can engage a “Red Team” in sparring matches with their cybersecurity people and systems to assess preparedness and response effectiveness.
This Red Team method tests the security infrastructure in a way that no mere assessment can. It moves from asking people if they “think” their security capabilities are effective to “demonstrating” that they are (or are not).
The testing method moves beyond penetration testing or threat and vulnerability assessments, which just produce lists of issues that need to be closed. A Red Team tests if the crooks can achieve their objective from start to finish, and then it determines if the organization is able to prevent these kinds of focused attacks.
Red-Teaming is not for the fainthearted, however.
A security sparring match is similar in effect to military live-fire training programs. The Red Team enters into the actual production environment. Although that means they could accidentally cause substantial damage, Red Team members follow strict protocols and controls. They have made significant investments in tools that emulate the latest techniques of the bad guys but which have been pre-tested to cause no damage. They follow a careful playbook and are the opposite of lone-wolf hackers who just want to show everyone how clever they are. An effective Red Team demonstrates just enough to prove what they have done (and the potential damage they could have caused) so that organizations can learn and improve.
For more information, see slide 6 of our summary presentation on cybersecurity and the banking industry, which explains the benefits of concurrent maturity assessments and attack simulations.
In my next blog, I’ll focus more on becoming truly cyber-resilient—able to bounce back quickly from an attack.