Cybersecurity Q&A Series with Michael Marrano Part 2

Part 2: Cybersecurity Regulators and How They Help You Avoid Cyberattacks

Published March 2, 2021

Welcome to the second installment of a three-part series on Cybersecurity. Protecting your sensitive data from theft or unintentional leaks continues to be a top risk to companies and governments alike. Aside from good cybersecurity hygiene, many cybersecurity best practices are also regulatory requirements, and security gaps can have dire consequences.

To explore this topic further, we sat down with Michael Marrano, the founder of Riskigy, a Certified Information Systems Security Professional (CISSP) and a member of 4THBIN's advisory board, to talk about cybersecurity regulators, their priorities, and the latest in cyber fraud attacks.

 

Q: So, how can the regulators help you avoid cyberattacks?

A: It has been over five years since the SEC found registered investment advisor RT Jones violated Rule 30(a) of Regulation SP and issued a $75,000 penalty. RT Jones failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. RT Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server and maintain a response plan for cybersecurity incidents. It was the first of many disciplinary actions related to cybersecurity in years to come.

But the regulators do more than discipline member firms. More recently, during the start of the COVID-19 pandemic, FINRA warned member firms of a widespread, spear-phishing campaign that involved fraudulent emails claiming to be FINRA officers. These emails had a source domain name, "@broker-finra.org," and requested immediate attention to an attachment relating to the firm. 

Regulators provide valuable alerts and guidance, such as the FINRA published Regulatory Notice 20-13, reminding firms to "beware of fraud" during the pandemic. FINRA warned of the increase in these four scams: 

  1. Fraudulent account openings and money transfers
  2. Firm imposter scams
  3. IT Help Desk scams
  4. Business email compromise (BEC) schemes

 

Q: What are some examples of the latest cyberattacks?

A: The NY Department of Financial Services (NYDFS) recently issued an industry letter detailing "a systemic and aggressive campaign to exploit cybersecurity flaws in public-facing websites to steal Nonpublic Information (NPI)" and steps that can be taken to secure your data. The campaign is focused on stealing NPI from public-facing websites that display or transmit consumer NPI, including websites that provide an instant quote. The NYDFS was made aware that auto insurers' websites that offer instant online automobile insurance premium quotes were being targeted to steal unredacted driver's license numbers. NYDFS has confirmed that, at least in some cases, this stolen information has been used to submit fraudulent claims for pandemic and unemployment benefits.

Examples of methods used to steal NPI from Auto Quote Websites included: 

  • Taking unredacted NPI from the Auto Quote Websites' Hypertext Markup Language ("HTML") that was not displayed in the rendered webpage but visible in the HTML.
  • Using developer debug tools to intercept and decode unredacted NPI. In some cases, developer tools were used on the public-facing website to access the HTML code and reshape website frames to view hidden NPI.
  • Manipulating the technology used to redact portions of NPI by using web browser developer tools to access the parts of the websites that redacted data, therefore fully revealing the NPI on the public-facing website.
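The weakness common to the three methods above is that the full value reaches the browser and is only hidden or masked there. The following pre-release check is an added example, not part of the interview or of the NYDFS letter: it redacts on the server and audits a response for the full value anywhere in the markup. The license number, field names and HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

LICENSE = "D12345678901"  # constructed sample value, not a real license number

def redact(value, keep=4):
    """Server-side redaction: only this masked string is ever sent to the client."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]

class NPIAudit(HTMLParser):
    """Records every location in an HTML response where a full secret appears."""
    def __init__(self, secrets):
        super().__init__(convert_charrefs=True)
        self.secrets, self.findings, self.open_tag = secrets, [], None

    def check(self, where, text):
        # Strip whitespace and hyphens so "D123-4567-8901" is still caught.
        norm = re.sub(r"[\s-]", "", text or "")
        if any(s in norm for s in self.secrets):
            self.findings.append(where)

    def handle_starttag(self, tag, attrs):
        self.open_tag = tag
        for name, value in attrs:  # hidden inputs, data-* attributes, etc.
            self.check(f"<{tag}> attribute {name}", value)

    def handle_endtag(self, tag):
        self.open_tag = None

    def handle_data(self, data):  # visible text and inline script bodies
        self.check(f"text inside <{self.open_tag}>", data)

    def handle_comment(self, data):
        self.check("comment", data)

def audit(html, secrets):
    parser = NPIAudit(secrets)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed response: the page shows a masked value but ships the full one four times.
LEAKY = f"""<form id="quote">
  <span class="dl">{redact(LICENSE)}</span>
  <input type="hidden" name="dl_full" value="{LICENSE}">
  <div style="display:none" data-dl="{LICENSE}"></div>
  <!-- prefill debug: {LICENSE} -->
  <script>var quote = {{"driverLicense": "{LICENSE}"}};</script>
</form>"""
# Corrected response: only the server-redacted string is present.
FIXED = f'<form id="quote"><span class="dl">{redact(LICENSE)}</span></form>'

if __name__ == "__main__":
    print(audit(LEAKY, [LICENSE]), audit(FIXED, [LICENSE]))
```

Run against test accounts with known values, the same audit can gate a release: any finding means unredacted NPI is being transmitted, whatever the rendered page shows.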

 

Q: How do the regulators determine their priorities? 

A: Regulators' top priorities are protecting clients and customers.  Current events are a source of priorities, and there is never a shortage of cybersecurity incidents and attacks in the news headlines. There is no rest for the wicked, and the fraudsters are taking no time off during COVID-19. Instead, they are increasing cyber-attacks on organizations across many industries but most noted are financial services such as banks, credit unions, broker-dealers, investment advisors, schools, universities, edu-tech, and healthcare services such as hospitals, pharmaceutical companies, and vaccine supply chain.

For the first time ever, employees are being told they must stay home and telecommute. To avoid exposure to the Coronavirus, almost every organization is telling employees to avoid the office and work from home. It may not seem complicated, but for many employees, it's going to be the first time they have ever worked from home. 

What do you think happens when organizations scramble to configure employees to work from home quickly? Mistakes happen when we rush, don't plan, and do not have enough resources (we never have enough Tech and Cybersecurity resources). Imagine this highly likely scenario: an employee working in Human Resources receives an email from the "CFO" requesting the Social Security Numbers (SSN) of all employees so they can hurry to update and distribute W2s. Maybe throw in a couple of lines of urgency and a complaint about the system being down because of the "IT Issues." This is a common social engineering tactic during tax season (right now!) and maybe, under normal circumstances, a phishy request might seem irregular and be diverted.

 

Q:  What about working from home?

A: While most companies allowed some workers to work from home from time to time, few organizations were prepared to have a large portion, if not all, of their workforce doing it at one time. In addition to ensuring your company had the hardware and software to support this massive change, establishing and enforcing compliance with security guidelines for remote work is just as critical. Believe it or not, some firms still do not have a work-from-home or telecommuting policy or train employees to work remotely for Business Continuity.

Working from home (WFH) poses many challenges for cybersecurity, including the use of personal devices, sharing Wi-Fi with your kids, or the temptation to use unauthorized apps or freeware. In May 2020, FINRA published a special alert to help businesses transition to a remote workforce by sharing practices implemented by firms during COVID-19.

FINRA's guidelines included: 

  • How to transition to a remote environment 
  • Maintaining supervision in a work environment
  • And preserving compliance for the archiving of all customer communications

 

Q: What can organizations do to prepare for Regulatory requirements?

A:  A company practices good data protection hygiene by developing and implementing data governance. A company data governance program focuses on the confidentiality, integrity, and availability of the company data and information. The data governance program encompasses the physical, technical, and administrative (operational) control areas of data protection. Developing strong physical, technical, and administrative controls shows that a company has taken reasonable due care for the activities that take place within the company and has made the necessary steps to protect the company, its customers, and employees from possible threats.

The increased security risk of remote work reinforces the need to have a plan in place if something goes wrong, and things will go wrong over the coming weeks and months of telecommuting.

Your plan should include:

  • Review of data breach and incident response plans (IRP) to ensure that your organization is prepared to respond to a data breach or security incident. 
  • Business Continuity Plan review and maintenance should coincide with IRP updates. 
  • Update the plans if necessary, review contact information for the incident response team and outside advisors. 
  • Define the roles and responsibilities of team members. 
  • Maintain the location and health status of team members. 
  • Cross-train the team to avoid key-person risk and single points of failure.

To help companies, FINRA recently released their “2021 Report on FINRA’s Examination and Risk Monitoring Program.” The report highlights effective asset management such as - "Asset Inventory – Creating and keeping current an inventory of critical information technology assets—including hardware, software, and data—as well as corresponding cybersecurity controls."

These new recommendations are similar to FINRA’s 2018 Cybersecurity Report "Creating processes and selecting firm-approved vendors for the secure disposal of hard copy records and firm computer hardware (e.g., hardware listed in the firm's inventory) that may contain sensitive information." 

 

Final Words

Companies now know that security incidents involving unauthorized access to their customer, employee, and business data are inevitable. A lack of due diligence and due care in data protection can result in significant financial and reputational damage to a company. 

There are resources and companies available to help companies navigate the changing landscape of cybersecurity. A proactive "breach ready" security program combined with a positive security-focused company culture will help build and maintain a strong reputation and clients' trust. Remember, it is not IF, it is WHEN an incident is going to occur. Hope for the best but plan for the worst!

----------

About Michael Marrano:

Michael Marrano is the founder of Riskigy and a cybersecurity professional focused on providing Virtual CISO and Cybersecurity services for clients. With his boutique cybersecurity consulting and advisory firm, he provides high-quality services to organizations of all sizes. Michael has been honing his skills as a real-world technology and information security practitioner over the last three decades. Michael is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA) with extensive experience in consulting, audit and business leadership roles. Michael is the author of “The Human Firewall Builder – Weakest Link to Human Firewall in Seven Days”, a Cyber and Homeland Security master’s scholar at Fairleigh Dickinson University (NJ) and previously held roles such as Senior Principal Cybersecurity Consultant, Managing Director, a former Chief Technology Officer (CTO) and Chief Information Security Officer (CISO).  Connect with Michael today on LinkedIn.
