(On Monday I moderated a panel on ransomware at the annual SIBOS conference of the Swift IT messaging financial network, which this year is being held in Toronto. Some 8,000 business and technology executives from financial institutions around the world are here. Panel members included Adam Evans, senior vice president and chief information security officer (CISO) at the Royal Bank of Canada; Judith Pinto, managing director, Promontory Financial Group and distinguished industry leader for banking and financial markets at IBM; Glenn Foster, SVP and CISO at TD Bank Group; and Robert Boyce, global cyber resilience lead at Accenture. Here are some of the highlights. I started by asking panelists if there is a ransomware crisis today, or is it at the same level it’s always been?)
“Do I think there is a crisis? Absolutely,” said Robert Boyce.
“There have been a lot of changes and tactics and geopolitical motivations that have shifted in the last 18 months that are causing a crisis, in financial services in particular, during that time frame. Our research is showing financial services companies are being targeted 300 per cent more than in the past. I think there are several different reasons for this. One, in the past, national critical infrastructure has been seen as off the table for most threat actors. But once we started seeing the Russia-Ukraine conflict, those ideologies changed significantly, and we’ve seen a lot more targeting at critical infrastructure, including financial services.
“Second, tactics have changed significantly by threat actors. In simple terms, the history of ransomware is the threat actor gets access to an organization, deploys malware, detonates the malware, things are encrypted and then you [the victim] decide whether you want to pay to get the decryption keys. Over the last six years, we’ve seen that change to encryption plus data theft, to what we’ve seen in the last 18 months to much more the theft of data. And that’s for a couple of reasons: The threat actor understands it’s slightly easier to take data and try to have someone [the victim] pay to get the data back before it’s publicized that it was stolen than to launch encryption. And I think it [just stealing data and threatening the company] doesn’t put you [the crook] quite squarely in the cross-hairs of law enforcement because you’re not causing business disruption.
“Lastly, the ecosystem [of crooks] has changed significantly. We used to see threat actors operating in isolation or as one gang … Now we are seeing threat actors focus on one thing — being really good at stealing credentials, or at creating zero-day exploits etc. You can now go to a [criminal] marketplace and choose what you want to buy. The speed at which this is happening is incredible. The latest super-successful group [the Clop ransomware gang], which worked the MOVEit exploit, was able to get 500 victims in six weeks. It’s insane.”
Should an organization prepare for ransomware differently than any other cyber attack?
“Planning is incredibly important,” said Glenn Foster. “Part of that is going to be thinking through the criticality of your business processes — what’s truly critical versus what’s just important. Where is that critical data? How responsive are the backup and recovery? … Are the backups immutable? Do you have the ability to recover quickly?”
Just as important is measuring the risks of companies that supply products and services to your firm, he added. Financial services firms are handling the risks “fairly well,” he said, “but our supply chains aren’t. They are far less mature than we are. We have to quickly shift into understanding what technologies our key suppliers are running so when we have a MOVEit type of situation [many organizations had personal data compromised by outside data processing firms] we can identify those areas of potential vulnerability and get our business engaged.”
Judith Pinto spoke of the importance of table-top and ‘what-if’ exercises. Invariably, she said, the cyber incident your organization will face is not something that’s been anticipated. As an example, she recalled being on a panel with a Sony executive after the company had to disconnect from the internet after North Korea launched a devastating attack to protest a Sony movie. “We had a plan” for disasters, he said, “but we never had a plan for having nothing.” A good incident response plan, Pinto said, gives staff enough flexibility to react to the unexpected. Practicing that, she added, gives “muscle memory” when the time comes to use it.
The technology part of cybersecurity is easiest, Adam Evans added. But a cyber attack becomes a business conversation very quickly: How long can you sustain business disruption? Do you have a method to route that business service in a different way to keep your services up and running?
“My advice to folks in the room is to go through your supply chain, through your critical business services, understand their resiliency, and ask how they will recover from an incident. And for the business services, ask how you work around a business disruption. On average it will take 16 to 20 days to come back” from an attack.
There has to be a shift in thinking from disaster recovery/business continuity more to building corporate resilience to an attack, said Boyce. “We know threat actors are going after backups immediately, so having a backup disaster recovery site doesn’t mean you are safe [from ransomware]. Second, the concept of thinking about what you need to have ‘a minimum viable bank’ in the event of a serious incident has to include understanding your supplier chain.”
What should senior management’s role be in cybersecurity?
“Regulators — no matter what country you’re from — believe the role of senior management and board is to oversee cybersecurity, cybersecurity response, to know what a risk is, to know what the bank’s response plan is, to know what the critical businesses are, to know who their critical vendors are,” said Pinto.
“There’s a lot of education that still needs to happen, especially at the board level and down to senior management at the banks. We have seen incidents that have resulted in changes at the senior management level because they didn’t have the oversight. You can question if they were getting the right information. I can’t say. But that’s where a lot of training needs to take place — what should you [leaders] be asking about? It’s not how many patches have [recently] been applied. Every time I hear [from a client] ‘We have done patching’ my head explodes. That doesn’t tell me what’s unpatched. And what level of risk are we running at? How much of our critical data is running on end-of-life [technology]? That way people can make decisions.
“Senior business leadership needs to be aware, ‘I have a critical function and it runs on end-of-life hardware or software,’ because in the end it’s usually the business that has to fund the remediation.”
“The board wants to understand how we’re going to recover,” said Evans. “They’re not interested in the technology. They are involved in business problems. You see more and more as [cybersecurity] leaders we are put in the boardroom to educate them and senior leaders of the digital marketplace and the threats that go with it.”
“For me, it’s important to communicate to the senior executive team what are the most probable cybersecurity threats to our bank, and how do we sit in our ability to mitigate them compared to our cyber threat matrix,” said Foster. “For all these threats are we in tolerance? Out of tolerance? At tolerance? And we keep exercising the conversation with them back to that.”
Experts say if an attacker has the time and resources, they will get in the front (or back) door. But these days, with the knowledge we have in cybersecurity, should a company have all of its data stolen/encrypted by an attacker?
“No, you shouldn’t,” said Evans. “But the reality is different. We are all operating in more complex environments than we were 10 years ago. Do you know all the third and fourth and fifth parties your data flows to? We have 100,000 people at RBC. We’ve done reasonable things to educate them, but also things to make sure we can protect data coming in and leaving the organization. But there are degrees where depths of security are introduced to an organization and it starts with the human factor. It is one phishing email, one link, one click and they [attackers] can get a foothold into the organization. And once they’re there, it’s your ability amongst a hundred thousand systems and people and services and third parties to find the needle in the haystack and make sure it doesn’t spread beyond where they originally came in.
“There is no silver bullet, there is no perfect [defence] scenario. What you have to get really good at is the ability to act in a storm and have a plan. What I can tell you is for all the experience that I have had in this role … not a single incident we have worked on is the same as another. It’s your ability to mobilize and put the right people around the table that can make decisions on behalf of the organization and the clients you serve [that will make a difference in a cyber incident]. If you miss an opportunity to plan and you get hit, you will be trying to figure this out on the fly, which is the wrong time to do it. This is muscle memory.”
Encrypting your data to protect against theft “is not a panacea,” added Foster, because a prime goal of an attacker is to escalate their access privileges to a level where they can decrypt scrambled data. “What’s important is to think of the attack kill chain — ‘What are all the things that would have to be true for an adversary to steal all of our data?’” Then make sure there are robust security controls in each of those areas so IT can mitigate if one of them fails. So, for example, if the company’s data encryption fails there are data loss prevention controls.
That’s why cybersecurity budgets are so high, he added: Layers of controls will give the organization an opportunity to mitigate if each defensive layer is compromised.
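The “what would have to be true” exercise Foster describes can be written down and checked rather than held in people’s heads. The following is an added example, not code from the panel or any panelist’s organization: it models the objective “steal all of our data” as a chain of stages, each guarded by independent controls, and answers two defender questions: which stages rest on a single control, and whether a given set of control failures (for instance, encryption failing while DLP survives) still leaves the objective blocked. Stage and control names are constructed assumptions.

```python
from typing import Dict, List, Set

# Kill chain for the objective "steal all of our data". Each stage lists the
# independent controls an adversary would have to defeat to get past it.
# Stage and control names are constructed for this example (assumptions),
# not an inventory from any real organization.
KILL_CHAIN: Dict[str, Set[str]] = {
    "initial foothold via phishing": {"email filtering", "awareness training", "MFA"},
    "privilege escalation to decrypt": {"least privilege", "privileged access mgmt", "EDR"},
    "bulk read of critical data": {"data encryption"},
    "exfiltration": {"DLP", "egress filtering"},
}


def single_points_of_failure(chain: Dict[str, Set[str]]) -> List[str]:
    """Stages guarded by one control only: a single failure opens that stage."""
    return [stage for stage, controls in chain.items() if len(controls) < 2]


def open_stages(chain: Dict[str, Set[str]], failed: Set[str]) -> List[str]:
    """Stages where every guarding control is in the failed set, i.e. the
    adversary passes that stage unopposed."""
    return [stage for stage, controls in chain.items() if not controls - failed]


def objective_blocked(chain: Dict[str, Set[str]], failed: Set[str]) -> bool:
    """The adversary must pass every stage in sequence, so one surviving
    control anywhere in the chain is enough to stop the objective. This is the
    'layers of controls' argument: encryption failing is mitigated by DLP."""
    return len(open_stages(chain, failed)) < len(chain)


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(KILL_CHAIN))
    scenarios = [
        {"data encryption"},
        {"data encryption", "DLP", "egress filtering"},
        set().union(*KILL_CHAIN.values()),  # every control fails
    ]
    for failed in scenarios:
        print(sorted(failed))
        print("  open stages:", open_stages(KILL_CHAIN, failed))
        print("  objective blocked:", objective_blocked(KILL_CHAIN, failed))
```

Running it flags "bulk read of critical data" as the stage that depends on a single control, which is exactly the item the panel's reasoning says should get a second, independent layer.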