The key to a successful cyber security management system is to prepare well and expect incidents in the system, writes Scott Yang, Cybersecurity Manager, Taiwan Stock Exchange.
Under the crossfire of system vulnerabilities, human behaviours, and task schedules, it is perhaps inevitable that a financial organisation will have cyber security incidents.
For example, look at First Bank`s ATM hacking incident. The root cause was that a bank`s operator left a trail in the internal network to remotely complete the regular duties in an isolated environment. The hacker group took time to spot this subtle defect, planned a flawless ambush, and then broke the security system at the Achilles` heel. This targeted attack resulted in the theft of over $2.5 million from First Bank in a single weekend. However, an aimed attack is not the only hacking technique out there.
An opposite example is the recent and notorious ransomware attack, named WannaCry. The attacker simply spread the ransomware without a specific target. A victim may have 'just' postponed a Windows update, or 'just' browsed a website that had been inserted with the malicious add-on, resulting in them automatically downloading this particular ransomware. The accumulation of lots of these ’just’ scenarios resulted in the market having a huge reaction to WannaCry.
When facing such a variety of security incidents, an absolute shield against cyber threats may only exist in Wonderland. Best practice may, therefore, 'just' involve good preparation against different types of cyber security threats.
In general, there are three aspects to good preparation: framework, countermeasures, and perspective. Preparing a framework and countermeasures can be completed by introducing information security management systems such as ISO 27001, or following the guidance on cyber resilience for financial market infrastructures published by CPMI-IOSCO. Both provide directions on how to complete security policies, asset identification, risk assessment, threat protection, instruction detection, event response, disaster recovery, security drills, and others, all of which must be considered in the cyber security mechanism.
However, the key part of preparation is having perspective. In the modern cyber security war, the most important point that we must accept the possibility of the failure of the prevention system. Therefore, the number of security incidents should never be the primary criteria to evaluate a system. Instead, we need to ask ourselves: how do we transform an incident from impact to assistance, and improve our security management systems? We should be able to allow the examination of possible flaws in the system to assess, control, and mitigate relevant risks, and then help the system be ready for true threats.
Cyber security management should not be a routine business. It’s important to test the system against the impacts of explicit and implicit risks. Strong preparation to resist a hacker`s invasion should therefore include a comprehensive management framework, appropriate cyber threat countermeasures, and having the correct perspective on actual incidents. It is impossible to prevent 100% of hackers from launching attacks, but we can make it much more difficult if a hack is successful.
This is similar to what the book ‘The Art of War’ teaches us; we should not rely on the likelihood of the hacker not coming, but instead on our own readiness to compromise the hacking.