Cybersecurity Q&A Series with Michael Marrano, Part 2

Part 2: Cybersecurity Regulators and How They Help You Avoid Cyberattacks

Published March 2, 2021

Welcome to the second installment of a three-part series on cybersecurity. Theft or unintentional leakage of sensitive data continues to be a top risk to companies and governments alike. Aside from being good cybersecurity hygiene, many cybersecurity best practices are also regulatory requirements, and security gaps can have dire consequences.

To explore this topic further, we sat down with Michael Marrano, the founder of Riskigy, a Certified Information Systems Security Professional (CISSP) and a member of 4THBIN's advisory board, to talk about cybersecurity regulators, their priorities, and the latest in cyber fraud attacks.


Q: So, how can the regulators help you avoid cyberattacks?

A: It has been over five years since the SEC found registered investment advisor RT Jones violated Rule 30(a) of Regulation S-P and issued a $75,000 penalty. RT Jones had failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information: it did not conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents. It was the first of many disciplinary actions related to cybersecurity in the years to come.

But the regulators do more than discipline member firms. More recently, at the start of the COVID-19 pandemic, FINRA warned member firms of a widespread spear-phishing campaign involving fraudulent emails claiming to be from FINRA officers. These emails came from the source domain "@broker-finra.org" and requested immediate attention to an attachment relating to the firm.

Regulators provide valuable alerts and guidance, such as FINRA's Regulatory Notice 20-13, reminding firms to "beware of fraud" during the pandemic. FINRA warned of an increase in these four scams:

  1. Fraudulent account openings and money transfers
  2. Firm imposter scams
  3. IT Help Desk scams
  4. Business email compromise (BEC) schemes


Q: What are some examples of the latest cyberattacks?

A: The NY Department of Financial Services (NYDFS) recently issued an industry letter detailing "a systemic and aggressive campaign to exploit cybersecurity flaws in public-facing websites to steal Nonpublic Information (NPI)" and steps that can be taken to secure your data. The campaign is focused on stealing NPI from public-facing websites that display or transmit consumer NPI, including websites that provide an instant quote. The NYDFS was made aware of auto insurers whose websites offering instant online automobile insurance premium quotes were being targeted to steal unredacted driver's license numbers. NYDFS has confirmed that, at least in some cases, this stolen information has been used to submit fraudulent claims for pandemic and unemployment benefits.

Examples of methods used to steal NPI from Auto Quote Websites included: 

  • Taking unredacted NPI from the Auto Quote Websites' Hypertext Markup Language ("HTML") that was not displayed in the rendered webpage but visible in the HTML.
  • Using developer debug tools to intercept and decode unredacted NPI. In some cases, developer tools were used on the public-facing website to access the HTML code and reshape website frames to view hidden NPI.
  • Manipulating the technology used to redact portions of NPI by using web browser developer tools to access the parts of the websites that redacted data, therefore fully revealing the NPI on the public-facing website.
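The three methods above share one root cause: the server sends the full value to the browser and relies on the page to hide or mask it, so "view source", a hidden form field, an HTML comment or a data attribute gives the attacker the unredacted NPI without any exploit at all. The following scanner is an added example (not from the interview, NYDFS or Riskigy) showing how to test a response body for exactly that failure mode. The identifier patterns, the constructed sample pages and the value formats are assumptions for the demonstration; a real check would use the identifier formats the site actually handles.

```python
import re
from html.parser import HTMLParser

# Identifier shapes that should never reach the browser unmasked.  These two
# patterns are assumptions for the demo (nine consecutive digits covers, for
# example, a New York driver's license number), not an exhaustive list.
PATTERNS = {
    "nine_digit_id": re.compile(r"(?<!\d)\d{9}(?!\d)"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
}

# Elements that never get a closing tag, so they are not tracked on the stack.
VOID_TAGS = {"input", "img", "br", "hr", "meta", "link"}


def _is_hidden(tag, attrs):
    """True if this element is delivered to the browser but not rendered."""
    if tag == "input" and (attrs.get("type") or "").lower() == "hidden":
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style or "hidden" in attrs


class NPIScanner(HTMLParser):
    """Collects sensitive-looking values that are present in the HTML but would
    not be visible on the rendered page: attribute values, HTML comments, and
    text inside hidden containers."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (pattern name, where it was found, matched value)
        self._hidden = []    # one flag per open non-void element

    def _record(self, where, text):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                self.findings.append((name, where, match.group()))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Attribute values (hidden inputs, data-* attributes) are never
        # rendered but are one click away in "view source" or dev tools.
        for key, value in attrs.items():
            if value:
                self._record(f"<{tag} {key}=...>", value)
        if tag not in VOID_TAGS:
            inherited = bool(self._hidden and self._hidden[-1])
            self._hidden.append(inherited or _is_hidden(tag, attrs))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden:
            self._hidden.pop()

    def handle_data(self, data):
        if self._hidden and self._hidden[-1]:
            self._record("text inside hidden element", data)

    def handle_comment(self, data):
        self._record("html comment", data)


def find_unredacted_npi(html):
    """Return every sensitive-looking value the page ships but does not display."""
    scanner = NPIScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the page *renders* a masked license number, but the full
# value is still delivered four different ways.  All values are made up.
VULNERABLE_PAGE = """<html><body>
<h1>Your instant quote</h1>
<p>Driver's license: <span class="dl">*****6789</span></p>
<!-- full DL kept for resubmission: 123456789 -->
<input type="hidden" name="dl_number" value="123456789">
<div style="display:none" id="debug">prefill ssn 123-45-6789</div>
<form data-applicant-dl="123456789"></form>
</body></html>"""

# Hardened version: redaction happens server-side, so only the masked value
# exists anywhere in the response.  Resubmission uses an opaque quote token.
HARDENED_PAGE = """<html><body>
<h1>Your instant quote</h1>
<p>Driver's license: <span class="dl">*****6789</span></p>
<input type="hidden" name="quote_token" value="q_8f3a2c">
</body></html>"""

if __name__ == "__main__":
    for name, where, value in find_unredacted_npi(VULNERABLE_PAGE):
        print(f"{name}: {value} leaked via {where}")
    print("hardened page findings:", find_unredacted_npi(HARDENED_PAGE))
```

The point of the hardened page is not a better mask but a different data flow: the full identifier stays on the server, and the browser receives a token it can use to resume the quote. Anything that reaches the client must be treated as disclosed, regardless of CSS, JavaScript or frame tricks used to hide it.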


Q: How do the regulators determine their priorities? 

A: Regulators' top priorities are protecting clients and customers. Current events are a source of priorities, and there is never a shortage of cybersecurity incidents and attacks in the news headlines. There is no rest for the wicked, and the fraudsters are taking no time off during COVID-19. Instead, they are increasing cyber-attacks on organizations across many industries, most notably financial services (banks, credit unions, broker-dealers, investment advisors), education (schools, universities, edu-tech), and healthcare (hospitals, pharmaceutical companies, and the vaccine supply chain).

For the first time ever, employees are being told they must stay home and telecommute. To avoid exposure to the coronavirus, almost every organization is telling employees to avoid the office and work from home. It may not seem complicated, but for many employees, it's going to be the first time they have ever worked from home.

What do you think happens when organizations scramble to set employees up to work from home quickly? Mistakes happen when we rush, don't plan, and do not have enough resources (we never have enough tech and cybersecurity resources). Imagine this highly likely scenario: an employee working in Human Resources receives an email from the "CFO" requesting the Social Security Numbers (SSNs) of all employees so they can hurry to update and distribute W-2s. Maybe throw in a couple of lines of urgency and a complaint about the system being down because of "IT issues." This is a common social engineering tactic during tax season (right now!), and under normal circumstances a phishy request like this might seem irregular and be diverted.
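Both the FINRA impostor emails described earlier (a lookalike sending domain, "@broker-finra.org") and the "CFO" request to HR in the scenario above are cases where a few header and content checks catch the message before a rushed employee acts on it. The following triage logic is an added example for this article, not code from the interview, FINRA or Riskigy. The trusted domains, the executive roster, the keyword lists and the three sample messages are all constructed for the demonstration; a firm would substitute its own.

```python
from email.utils import parseaddr

# Assumed for the demo: the domains the firm trusts and who its executives are.
TRUSTED_DOMAINS = ("finra.org", "example-firm.com")
EXECUTIVES = {"jane doe": "cfo@example-firm.com"}   # display name -> real address
URGENCY = ("immediate", "urgent", "asap", "right away", "hurry", "before end of day")
SENSITIVE = ("social security", "ssn", "w-2", "w2", "wire transfer", "gift card", "password")


def edit_distance(a, b):
    """Levenshtein distance; catches one-character swaps such as finra.org vs fimra.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_domain(domain):
    """Return the trusted domain this sender domain resembles, or None if it is
    trusted itself or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # "broker-finra.org" embeds the brand in a domain the regulator does not own
        if brand in domain or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def score_message(msg):
    """Return the reasons a message looks like an impostor / BEC attempt.
    An empty list means nothing suspicious was found."""
    display_name, address = parseaddr(msg["from"])
    domain = address.rsplit("@", 1)[-1]
    reasons = []

    trusted = imitated_domain(domain)
    if trusted:
        reasons.append(f"sender domain {domain} imitates {trusted}")

    # Display-name spoofing: claims to be an executive, but the address is not theirs.
    real = EXECUTIVES.get(display_name.strip().lower())
    if real and address.lower() != real:
        reasons.append(f"display name {display_name!r} but address {address} is not {real}")

    # A Reply-To on a different domain than From is a classic BEC tell.
    reply_domain = parseaddr(msg.get("reply_to", ""))[1].rsplit("@", 1)[-1]
    if reply_domain and reply_domain.lower() != domain.lower():
        reasons.append(f"reply-to domain {reply_domain} differs from sender {domain}")

    text = f"{msg['subject']} {msg['body']}".lower()
    if any(w in text for w in URGENCY) and any(w in text for w in SENSITIVE):
        reasons.append("urgent request for sensitive data")
    return reasons


# Constructed sample messages (no real people or mail involved).
MESSAGES = [
    {   # the FINRA impostor pattern described in this interview
        "from": "FINRA Compliance <notices@broker-finra.org>",
        "subject": "Immediate attention required: firm review",
        "body": "Please open the attached report regarding your firm today.",
    },
    {   # the CFO-to-HR pretext described above
        "from": "Jane Doe <jane.doe@example-firm-payroll.com>",
        "reply_to": "jane.doe.cfo@webmail-example.net",
        "subject": "Urgent: W2 update",
        "body": "HR, the system is down because of IT issues. Send me the Social "
                "Security Numbers of all employees ASAP so we can update the W2s.",
    },
    {   # legitimate internal mail
        "from": "Jane Doe <cfo@example-firm.com>",
        "subject": "Q1 budget",
        "body": "Draft attached for review at your convenience.",
    },
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(msg["from"], "->", score_message(msg) or ["clean"])
```

The brand-substring check is deliberately aggressive (it would also flag an unrelated domain that happens to contain "finra"), which is the right trade-off for a mail gateway that quarantines for human review rather than silently drops. None of these checks replaces the procedural control the scenario calls for: a request for every employee's SSN is confirmed by phone with the actual CFO, never by replying to the email.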


Q:  What about working from home?

A: While most companies allowed some workers to work from home from time to time, few organizations were prepared to have a large portion, if not all, of their workforce doing it at one time. In addition to ensuring your company had the hardware and software to support this massive change, establishing and enforcing compliance with security guidelines for remote work is just as critical. Believe it or not, some firms still do not have a work-from-home or telecommuting policy, or do not train employees to work remotely for business continuity.

Working from home (WFH) poses many challenges for cybersecurity, including the use of personal devices, sharing Wi-Fi with your kids, or the temptation to use unauthorized apps or freeware. In May 2020, FINRA published a special alert to help businesses transition to a remote workforce by sharing practices implemented by firms during COVID-19.

FINRA's guidelines included: 

  • How to transition to a remote environment 
  • Maintaining supervision in a work environment
  • Preserving compliance for the archiving of all customer communications


Q: What can organizations do to prepare for Regulatory requirements?

A: A company practices good data protection hygiene by developing and implementing data governance. A company data governance program focuses on the confidentiality, integrity, and availability of the company's data and information. The data governance program encompasses the physical, technical, and administrative (operational) control areas of data protection. Developing strong physical, technical, and administrative controls shows that a company has exercised reasonable due care for the activities that take place within the company and has taken the necessary steps to protect the company, its customers, and its employees from possible threats.

The increased security risk of remote work reinforces the need to have a plan in place if something goes wrong, and things will go wrong over the coming weeks and months of telecommuting.

Your plan should include:

  • Review of data breach and incident response plans (IRP) to ensure that your organization is prepared to respond to a data breach or security incident. 
  • Business Continuity Plan review and maintenance should coincide with IRP updates. 
  • Update the plans if necessary, and review contact information for the incident response team and outside advisors.
  • Define the roles and responsibilities of team members. 
  • Maintain the location and health status of team members. 
  • Cross-train the team to avoid key-person risk and single points of failure.

To help companies, FINRA recently released its "2021 Report on FINRA's Examination and Risk Monitoring Program." The report highlights effective asset management practices, such as: "Asset Inventory – Creating and keeping current an inventory of critical information technology assets—including hardware, software, and data—as well as corresponding cybersecurity controls."

These new recommendations are similar to those in FINRA's 2018 Cybersecurity Report: "Creating processes and selecting firm-approved vendors for the secure disposal of hard copy records and firm computer hardware (e.g., hardware listed in the firm's inventory) that may contain sensitive information."


Final Words

Companies now know that security incidents involving unauthorized access to their customer, employee, and business data are inevitable. A lack of due diligence and due care in data protection can result in significant financial and reputational damage to a company.

There are resources and companies available to help organizations navigate the changing landscape of cybersecurity. A proactive "breach ready" security program combined with a positive, security-focused company culture will help build and maintain a strong reputation and clients' trust. Remember, it is not IF, it is WHEN an incident is going to occur. Hope for the best but plan for the worst!

----------

About Michael Marrano:

Michael Marrano is the founder of Riskigy and a cybersecurity professional focused on providing Virtual CISO and cybersecurity services for clients. With his boutique cybersecurity consulting and advisory firm, he provides high-quality services to organizations of all sizes. Michael has been honing his skills as a real-world technology and information security practitioner over the last three decades. Michael is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA) with extensive experience in consulting, audit, and business leadership roles. Michael is the author of "The Human Firewall Builder – Weakest Link to Human Firewall in Seven Days", a Cyber and Homeland Security master's scholar at Fairleigh Dickinson University (NJ), and previously held roles such as Senior Principal Cybersecurity Consultant, Managing Director, Chief Technology Officer (CTO), and Chief Information Security Officer (CISO). Connect with Michael today on LinkedIn.
