Authentic8 Blog Category: Compliance

81% of CIOs and CISOs Defer Critical Updates or Patches

New research indicates that eight out of ten CIOs and CISOs refrain from adopting an important security update or patch, due to concerns about the impact it might have on business operations.

*

More than half (52%) said they have done so on more than one occasion. What about in your organization?

The Global Resilience Gap study, commissioned by security software firm Tanium, polled 500 CIOs and CISOs in the United States, United Kingdom, Germany, France and Japan, in companies with 1,000+ employees. Its goal was to explore the challenges and trade-offs that IT operations and security leaders face in protecting their business from a growing number of cyber threats and disruptions.

Infographic: CIOs/CISOs Holding Off on Patches and Updates (Source: Tanium Report)

Source: Tanium

The Problem: “Lack of Visibility and Control”

The report identifies “[l]ack of visibility and control across networks” as the main cause behind such missed or delayed updates.

80% of respondents reported they found out that a critical update or patch they thought had been deployed had not

Financial Services: How to Minimize Vendor Risk Online in One Step

Here’s a quick tip for CISOs and compliance officers in banks, credit unions, investment or wealth management firms who worry about cybersecurity threats that emanate from vendors and third-party apps:

Disconnect from the web.

Sounds radical? You may be surprised to learn that this process is well underway in some of America’s largest banks and investment firms. Let me explain.

IT security researchers agree that almost 80 percent of data breaches and malware incidents are web-borne and in some way browser-related. The regular browser has become the main gateway for attacks on the local IT infrastructure of firms (not only) in the financial sector.

Locally installed browsers – including those labeled “secure” by their makers – indiscriminately process all code from the web on the user’s computer or mobile device. The browser opens the door for data exfiltration and for malicious code to infiltrate the corporate network, for example through infected vendor websites or compromised third-party business apps.

The finance sector’

How Watering Hole Attacks Target the Financial Sector and Government Agencies

Websites of governments, regulatory bodies and financial authorities are preferred targets for "watering hole" attacks on finance, investment and compliance professionals. These online resources make it easy for attackers to target their victims. How do such attacks work?

*

Watering hole attack infographic

Source: GoldPhish

So-called watering hole (a.k.a. "water holing") attacks are probably the most economical of online exploits. Instead of identifying and tracking down individual targets one-by-one, the threat actors first research and identify a vulnerable website frequently sought out by key professionals in the targeted industry or organization.

In the second step, they install an exploit kit that may allow the attackers to target that site’s users even more selectively, for instance based on their IP number. Like lions hidden in the savannah grass, they then lay and lurk.

Once their prey shows up at the "water hole", the victim’s locally installed browser takes care of the rest. Because the browser is designed to indiscriminately fetch and execute code from

Financial Services: Blindspot Browser

For regulated investment firms, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has prioritized “cybersecurity with an emphasis on, among other things, governance and risk assessment, access rights and controls, data loss prevention [...] and incident response.”

While firms have significantly strengthened their compliance policies, their actual practices still reveal alarming gaps. Behind closed doors, compliance leaders in many firms I get to speak to admit that they lack the tools to sufficiently monitor, audit, and enforce employee web use policy.

Regulators expect firms to make a “reasonable” attempt to ensure oversight and remediate areas of weakness. So what’s getting in the way?

Securities and Exchange Commission (SEC)

The Web - Asset or Liability? It Depends On the Browser.

Whether research analysts or investment managers use business apps or social media, they rely on the locally installed web browser as their primary tool. It is the very same tool that increasingly leaves firms exposed to risks of data breaches and compliance violations online.

In a

Interview: SEC Compliance and the Internet

Key Issues for Investment Management Firms

What are the challenges regulated investment management firms are facing when using the internet?

We asked Jane Jarcho, the former Deputy Director of the SEC's Office of Compliance, Inspection, and Examinations (OCIE) and head of the National Investment Adviser and Investment Company Exam program, who recently joined the Promontory Financial Group as a consultant on regulatory and exam issues.

At the OCIE, Jane Jarcho oversaw its program areas, including Investment Adviser/Investment Company (IA/IC), Broker-Dealer and Exchange, FINRA and Securities Industry Oversight, and Clearance and Settlement. Ms. Jarcho also led the IA/IC examination program. Under her leadership, the number of IA/IC examinations increased by more than 100 percent.

The interview was conducted by Chirag Vasavada, Head of Business Operations at Authentic8.

*

Chirag Vasavada: Jane, given your tenure and experience across the SEC's program areas, you're in an ideal position to speak to the challenges faced by regulated entities today. The industry is under