As financial institutions turn to digital infrastructure for scalability and data processing, the need for a robust cybersecurity framework is more vital than ever.
However, defending against a pervasive and hidden threat can be challenging. “Too often we have a narrow definition of cybersecurity,” said Bill DeLong, Security National Automotive Acceptance Co.’s senior vice president and chief information officer, adding that the approach to security needs to evolve on a regular basis.
Lenders just kicking off a cybersecurity prevention program should start at the top of the Center for Internet Security’s list of 20 controls. “They have exclusive and deep knowledge about the current threats — that’s your intel community,” said Hyundai Capital America’s chief information security officer, Eddie Younker. As one of the global organizations with the combined knowledge of actual attacks and effective defenses of experts across various industries, the CIS is an indispensable resource lenders should leverage, he said.
“Start with the first five to knock out over 50% of the vulnerabilities in your environment,” advised Younker, who is also the captive’s vice president of information. “You’ve got to know where your data goes and how it flows.” Below are the first five controls necessary in every cybersecurity program, outlined by the Center for Internet Security:
- Inventory and control of hardware and software assets: Actively take inventory, track, and correct all hardware (physical computers) and software (code on a computer’s hard drive) devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
- Continuous vulnerability management: Continuously acquire, assess, and take action on new information to identify vulnerabilities, remediate them, and minimize the window of opportunity for attackers.
- Controlled use of administrative privileges: Control, prevent and correct the use and configuration of administrative privileges on computers, networks and applications.
- Secured configuration for hardware and software on mobile devices, laptops, workstations and servers: Establish and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers and workstations using rigorous configuration management and change control processes in order to prevent attackers from exploiting vulnerable services and settings.
- Maintenance, monitoring and analysis of audit logs: Collect, manage and analyze audit logs of events that could help detect, understand or recover from an attack.
“[These are] highly impactful with laser effort, maybe even with limited resources,” Younker said.
More information and the full list of CIS Controls can be found at https://www.cisecurity.org/