People will defend their right to privacy to the end. Yet they love their technology and share personal information online so willingly that they effectively join a coalition of malicious and legitimate cyber-actors that threatens it. Nevertheless, with legal ramifications growing, CISOs must now secure personally identifiable information (PII) and intellectual property (IP) while protecting its owners’ privacy.
“Data privacy is just as important as cybersecurity, so we’ve connected the two practices at the hip,” said Don Anderson, SVP and CIO of the Federal Reserve Bank of Boston, in his 2018 CyberCrime Symposium session. With a prime vantage point to draw on, Anderson delved into cybersecurity and privacy challenges facing one of the world’s most powerful institutions, and how it’s responding.
In its capacity as the nation’s central bank, the Fed processes $20 trillion in electronic transactions daily and collects voluminous data. “We collect data on our organization, employees, banks we do business with, and consumer subsets for research, so we have to be able to separate privacy data,” said Anderson.
They also have to secure it all. For the Fed, data’s both paydirt and privacy risk. On one hand, it fuels the massive, complex machine that oversees the nation’s economy. The Reserve’s district banks and its network of outside economists crunch data on employment, pricing, and countless other factors to maximize stability.
On the other, it intensifies the cyber-threat activity targeting the institution. Drawn to the $20 trillion it exchanges electronically every day and its rich stores of sensitive information, cyber-actors use every available byte of data to conduct reconnaissance and develop attacks that exploit vulnerabilities.
Privacy By Design
Given its responsibilities, the Fed has spent the last couple of years overhauling its privacy program. Based on the overlap between its cybersecurity and privacy practices, it grouped them under a single model. “The two have so much in common,” said Anderson. “It’s all about data — collecting, aggregating, analyzing, understanding, and protecting it.”
Same Story, Happier Ending?
Fed info-sec officers oversee controls, policies, and practices designed to minimize their attack surface and, by extension, the personal information available to adversaries. For instance, they don’t disclose the names of vendors, and contractually prevent them from identifying the Fed as a customer. If they do — and some major tech players have — Fed attorneys take action.
As for employees, it’s the same old story, desperately seeking a new ending. Targets or instigators, employees at every level are the biggest risk to cybersecurity and data privacy. Organizations and employees post a lot of personal and brand-identity information on websites and social networks. Cyber-actors comb these sources, as well as PII disclosed on the dark web, for ammunition.
“The amount of data out there for reconnaissance is incredible,” said Anderson. “Cyber-criminals want to solve that puzzle, using all available pieces, that lets them crack an organization or take down an individual.” The Fed’s own website, he said, lists executive and economist bios and contact information.
In many phishing cases, cyber-criminals send weaponized email to everyone in the organization and hope someone takes the bait. The far bigger concern, said Anderson, is sophisticated spear-phishing attacks targeting specific Fed employees.
Recent examples: a new hire was spear-phished by cyber-actors using information they’d posted on LinkedIn, including the department employing them and their user ID. The email, which included this ID to up the authenticity factor, requested additional personal information so HR could initiate the benefits process. In another attack, an adversary who had completed their social-engineering homework emailed an executive to say they knew he was cheating on his spouse, and attempted to blackmail him.
To protect the brand, Fed officers educate employees on policies for engaging with the public on social networks — and the ramifications of violating them. “We want employees to use social media to promote work the Fed does, but we’re very careful about what we communicate,” said Anderson. They recently fired an employee who disclosed research that wasn’t yet public on their personal Twitter feed.
After experiencing several employee-related security incidents, the Fed launched an insider risk program. Cybersecurity, HR, and legal officers meet monthly to review insider indicators of compromise (IOCs) — such as data policy violations, poor performance reviews, and online behavior anomalies — that might land an employee on a confidential risk list.
Back to Basics and Beyond
When used in combination, basic security controls contribute a lot to a strong cyber-defense. “It comes back to the simple things — spam blockers, web filters, firewalls, 24x7 detection monitoring, and up-to-date operating systems and software,” said Anderson.
In addition, teams should leverage security features built into operating systems and applications, such as two-factor authentication and access controls.
Also critical: cybersecurity awareness training for all employees, covering best practices not just for the work environment but also for when they’re at home or on the road. The Fed’s program includes frequent phishing tests, whose results are tracked and reviewed with employees. According to Anderson, first-time victims have to retake security training, while a second failure gets them a meeting with the security team. If they fail three times, they may be fired.
Beyond training, the Reserve employs an in-house red team, whose exercises include targeting specific user groups with different threat types and educating those impacted. Their findings, in turn, help officers improve training and policies.
Eye Toward the Future
From a privacy standpoint, said Anderson, “we’re concerned about anyone who needs access to applications tracking personal data.” That includes vendors, who, like the Fed itself, are exploring data-masking tools that obfuscate private information. “That’s huge, because we can expand access to privacy data without sacrificing confidentiality,” Anderson added.
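The data-masking approach Anderson describes, as an added illustration (example code, not the Fed’s or any vendor’s tooling): each PII field is either pseudonymized with a keyed HMAC so datasets can still be joined on a token, partially masked where analysts need a reference fragment, or dropped outright. The masking key, field policy and sample rows are constructed for the example.

```python
import hmac
import hashlib
import re

# Constructed key for the example; a real deployment would keep this in a
# key-management system, never in source code.
MASKING_KEY = b"example-masking-key-not-for-production"

def pseudonymize(value: str) -> str:
    """Keyed HMAC token: stable for the same input (after normalization), so
    records from different datasets still join, but not reversible without the key."""
    normalized = value.strip().lower().encode()
    return hmac.new(MASKING_KEY, normalized, hashlib.sha256).hexdigest()[:16]

def mask_partial(value: str, keep_last: int = 4) -> str:
    """Keep only the trailing digits an analyst needs for reference."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep_last:
        return "*" * len(digits)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]

# Constructed field policy: the treatment each PII column gets before the
# record leaves the restricted zone. Unlisted fields pass through unchanged.
POLICY = {
    "email": "pseudonymize",
    "ssn": "partial",
    "name": "drop",
}

def mask_record(record: dict) -> dict:
    out = {}
    for field, value in record.items():
        action = POLICY.get(field)
        if action == "pseudonymize":
            out[field + "_token"] = pseudonymize(value)
        elif action == "partial":
            out[field] = mask_partial(value)
        elif action == "drop":
            continue  # field never leaves the restricted zone
        else:
            out[field] = value  # non-PII field
    return out

if __name__ == "__main__":
    # Constructed rows from two datasets that share an email column
    hr_row = {"name": "Jane Doe", "email": "Jane.Doe@example.org",
              "ssn": "123-45-6789", "dept": "Research"}
    access_row = {"email": "jane.doe@example.org", "app": "payroll"}
    a, b = mask_record(hr_row), mask_record(access_row)
    print(a, b)
    print("joinable on token:", a["email_token"] == b["email_token"])
```

The masked HR row and the masked access row share the same `email_token`, so an analyst can join them without ever seeing the address itself.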
With privacy now in the CISO job description, many, pressured by higher-ups, will question whether the cost of privacy compliance outweighs that of a potential breach. That means the time’s come to get serious. “Cyber-breach fines should be based on the number of users impacted and the business value of that data,” Anderson argued. “When a billion-dollar company gets fined $500,000 for losing the PII of 10 million users, it’s nothing.”
This is the fifth in our series of posts presenting key takeaways from our 2018 CyberCrime Symposium, held November 1-2, 2018. The program — “The Future of Privacy and Security” — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, this is a not-to-be-missed series!