A team of cyber bandits plans a sophisticated attack on a famous Las Vegas casino. They tap a boy genius who happens to have designed the world’s strongest security system, the one that protects the safe at this famous casino. They get the plans to the security system and figure out a way to break in. It’s dangerous but possible. With the help of another experienced hacker, they begin systematically working out the vulnerabilities in this security system. It turns out the security system has a chink in its armor: it needs to get a software update every night between 2 and 2:30am … Wait, this is from the movie Ocean’s Twelve. Oops … wrong story. Back to the real world.
This was the press release from the SEC last week, in case you missed it.
Completely ignoring the Hollywood story above, let’s review the facts of the SEC story.
A Chinese hacker breaks into a server of an investment advisory firm, and 100,000 customer accounts are compromised.
The financial firm gets fined $75K for violating the “safeguards rule”: it had not adopted any written cybersecurity policies, procedures or response workflows to protect its clients’ PII from unauthorized access or security breaches.
More specifically, the firm had:
No disk encryption on the server
No risk assessments or vulnerability tests conducted
Wait, what?! Yes. Not some sophisticated hacker gang that steals from the Bellagio in Las Vegas. This was a Chinese hacker gang that simply hacked into an unsuspecting financial services company. The financial firm suffered monetary damages and lost customer information, but it lost something far more valuable than that. Yes, TRUST.
And the press release that the SEC issued last week made it clear that the SEC intends to use this firm as an example to make a point.
This is NOT Hollywood. Cybersecurity threats are real, and if businesses think it’s not going to affect them, think again. The SEC has stepped up its efforts to proactively audit firms.
Clearly, this case was completely avoidable. With these kinds of stories hitting the headlines, I hear from a lot of firms that they are confused about what to do.
Here’s what the firm should have done:
Established a written cybersecurity policy
Worked out how to enforce that cybersecurity policy on its devices, networks and applications, especially the ones that had access to PII
Periodically revisited its policies and procedures and reconciled them against their actual implementation
Hired an independent IT firm to conduct vulnerability and risk assessments
Adopted a cybersecurity response plan that clearly states what the firm would do if it were breached
Trained its staff on all processes and procedures
If you have questions on this, feel free to reach out to me at firstname.lastname@example.org.