FS-ISAC Report Focuses on the Security Priorities for Company CISOs

The Financial Services Information Sharing and Analysis Center (FS-ISAC) surveyed various chief information security officers (CISO) in the financial industry on some of their primary priorities when it comes to improving security for their organizations. According to the survey report, titled 2018 CISO Cybersecurity Trends, employee training was one of the top concerns for CISOs, with 35 percent of all those surveyed mentioning it as a top priority. This was followed by infrastructure upgrades and network defense at 25 percent and breach prevention not far behind at 17 percent.

The FS-ISAC classified the CISOs surveyed into two types: those who performed technical functions, such as chief information officers (CIOs), and those who performed non-technical functions, such as chief operations officers (COOs). The CISOs with technical functions tended to prioritize matters such as infrastructure upgrades, network defense, and breach prevention, while the non-technical CISOs saw the human element, that is, employee training, as a more significant issue.

The report also talked about how cybersecurity has evolved from a topic primarily dealt with by IT personnel to one that is on the minds of executives in boardroom meetings. This was reflected in the number of quarterly reports submitted by CISOs to their boards of directors, which stood at 53 percent. Furthermore, 8 percent of the CISOs surveyed went beyond the quarterly reports — some even provided monthly feedback.

The organization gave a list of recommendations for CISOs looking to build up their security posture.

  • Organizations should train employees on security issues, especially when it comes to downloading and executing unknown applications on company assets. Employees should also be able to report suspicious emails and attachments according to company regulations and policies.
  • Although the report noted that more than half of all CISOs gave quarterly security reports, the FS-ISAC encouraged even more frequent reporting to board of directors for both readiness and transparency.
  • CISOs should be empowered to make decisions with regards to security, ensuring the free flow of critical information within their organizations, which can increase transparency and make the decision-making process more efficient.

Security as a Priority for Organizations

The FS-ISAC report highlights an important fact: Organizations need to prioritize security more than ever. The financial industry, in particular, is very vulnerable to attacks — from sophisticated campaigns by threat actors such as Lazarus, who were responsible for some of the more notable campaigns against financial organizations, to more simple but no less effective scams like Business Email Compromise (BEC) schemes. The past few months alone have seen a number of attacks against financial organizations, including the IcedID Trojan attacks or the more recent KillDisk attacks, which hit Latin American financial companies. Due to its size and very nature, the financial sector remains, in many ways, one of the primary targets of cybercriminals.

The security issues are not just limited to within the organization; however, as customers themselves can also be affected. For example, attacks to compromise ATM machines directly impact users — and therefore, by extension, can cause harm to a company’s reputation and even subject it to fines and penalties.

As mentioned in the FS-ISAC report, employees are especially critical when it comes to the implementation of an organization’s security plan. Educating users on key issues can bolster the security posture of an organization, as they are both the first line of defense and typically the main point of entry for malicious activity.

CISOs, or people in charge of an organization’s security, are also increasingly becoming necessary for many organizations. Attacks such as the recent WannaCry ransomware campaign could have been mitigated with better implementation of security measures. This could be done through proper planning as well as having a dedicated CISO overseeing the organization’s security.

The harsh truth is that cybercrime is going to be more prevalent going forward.It’s time for organizations to shore up their defenses to counter malicious attacks, from the top executives of the organization down to the rank-and-file.

Organizations can start by looking into the implementation of the following security best practices that can help minimize the impact of threats:

  • Employees are often targeted via phishing attacks. Thus, educating employees on how to identify and mitigate phishing and social engineering-based attacks can stop attack attempts from being successful.
  • Securing all possible points of entry to the system, such as the email gateway, reduces an organization’s exposure to threats by effectively filtering all incoming and outgoing traffic.
  • Any proper implementation of a security plan will also involve keeping devices, software, and systems up to date to prevent bugs or vulnerabilities from being exploited. For organizations that use older or legacy software, virtual patching can provide effective coverage without the need for immediate patching.
  •  Proactively monitoring systems and networks provides an additional layer of security. A CISO, along with a dedicated team, is tasked not just to deal with threats as they happen but to also scan the organization’s network for any possible malicious activity.

To help CISOs combat malicious threats, organizations can look into solutions such as Trend Micro™ XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Threat Landscape