CYBERSECUR I TY
SMALL FIRMS CYBERSECURITY GUIDANCEHOW SMALL FIRMS CAN BETTER PROTECT THEIR BUSINESSJULY 2014
SMALL F IRM CYBERSECURITY
DISCLAIMERThis document was prepared as an account of work within the private and public sector. Neither SIFMA or any of this members, or any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by SIFMA.
EXECUTIVE SUMMARYSmall businesses are becoming increasingly dependent on devices, services and applications that connect to the internet such as smartphones, email, social media, and cloud computing services in an effort to increase effi-ciency and revenues. Through this dependence they become larger targets for cybercriminals looking to exploit technological vulnerabilities. Cybersecurity firm Symantec reports that in 2012, 31% of all cyber attacks targeted businesses with fewer than 250 employees, up from 18% in 2011.1 Furthermore, in its 2013 Cost of Cyber Crime Study, research firm Ponemon Institute reported that smaller organizations incur a higher per capita cost than larger organizations ($1,564 and $371, respectively) due to cyber attacks.2 The SEC and FINRA have also begun examinations of cybersecurity preparedness among broker-dealers. As a result, it is crucial for small financial firms to take proper cybersecurity measures - measures to protect all computing devices, networks, and information - to ensure their business data remains secure. This guide builds upon the National Institute of Standards and Tech-nologys (NIST) Cybersecurity Framework which is derived from existing industry standards. Firms should apply the best practices in this guide in a risk-based, threat-informed approach based on the resources available and in support of their firms overall business model. The end goal is not compliance to a standard but to increase their cybersecurity and ensure the protection of their customers.
THREATSCHEW (CRIMINAL - HACTIVIST - ESPIONAGE - WAR)Cybersecurity threats can vary in scale and motive. Understanding the likelihood of different cyber threats and their potential impacts should be the first step in helping firms understand what types of protections they need. Counter-terrorism expert Richard Clarke, who has worked as a Special Adviser to the President for Cyber Security, developed a simple way to classify the different cyber threat actors into four distinct categories Crime, Hack-tivism, Espionage and War (CHEW).3
Small firms are at greatest risk of a criminal cyber attack, that could take the form of data theft, fraud or extortion. Criminal organizations profit greatly from these attacks and are continually seeking new firms to exploit and devel-oping methods of acquiring vital information. Hacktivism refers to actors seeking to make a political statement
1 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf2 http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf3 http://www.dtcc.com/~/media/Files/Downloads/Congressional%20Testimony/DTCC_Cyber-Security-Testimony_FI-NAL_6-01-12.ashx
through attacks that are generally disruptive in nature. These attacks often involve shutting down websites or defacing insecure websites to convey their message and can pose reputational risks to a firms brand. Espionage and War attacks are largely perpetrated with the support of nation states and aim to inflict serious financial or physical harm to the intended target and may look at a small firm as a gateway to disrupting the larger financial system or markets that they operate within.
In the case of a systemic attack or sector wide disruption the Financial Services Sector Coordinating Council (FSSCC) has created the Cyber Response Coordination Guide, which enumerates sector-wide procedures for addressing the technical aspects of an attack. SIFMAs Capital Markets Response Committee will address the busi-ness impacts and make recommendations for market open and close decisions.
As a small firm, criminal actors will pose the greatest threat. In most cases, however, prior to making security investments, we recommend contacting your local US Secret Service or FBI field office from a law enforcement standpoint and the Office of Critical Infrastructure Protection at the US Department of the Treasury for the latest information on the specific threats your firm may be facing.
C.H.E.W. - Motivations and Capabilities
CRIMINAL HACTIVIST ESPIONAGE WAR
Definition Organized groups of criminals who hide in cyber sanctuary countries to launch broad based attacks against individuals and companies for financial gain.
Loosely organized collections of hackers launching targeted campaigns against specific entities or web sites and able to cause embarrassment and financial damage.
Cyber espionage opera-tions are largely carried out by nation-states are extremely well-orga-nized and well-funded. They use this stolen intellectual property to enhance their own economies.
This is when the moti-vations of a nation-state or a terrorist group turn from intellec-tual property theft towards damage and destruction.
Motivation Money Information to sell
(e.g. credit card numbers)
Protest Revenge Demonstration of
Acquiring secrets National security Economic benefit
Destroy, degrade, deny
Capability Large number of actors
Basic to Advanced skills
Present in nearly all countries
Large number of actors
Tend to have limited skills
Few with advanced skill sets and motivations
Small but growing number of countries with capability
Larger array of support
Limited number of actors
Potential non-state actors
Expensive to maintain
SMALL F IRM CYBERSECURITY
COMPONENTS OF AN EFFECTIVE PROGRAM
NIST has created an approach for firms of all sizes to improve their cyber protections. This framework was the result of a collaborative effort between NIST and leading industry professionals and companies, including SIFMA. The framework is specifically designed as a broad strategic overview of cybersecurity policies, written from a business context that allows both technical and non-technical individuals to discuss the topic. The Framework is comprised of five functional categories:
NIST Cybersecurity Framework
Function Summary Description
Identify- Identification of at-risk data (PII1, accounts, transactions, etc.)- Assess the threat to and vulnerability of existing infrastructure- Understand all devices connected to the network and network structure
- Limit network access to authorized users and devices- Educate all users on cybersecurity awareness and risk management- Employ programs and services that secure data and networks (e.g. firewalls, file
encryption, password protection, data backups)
- Exercise network monitoring to detect threats in a timely manner- Evaluate threat and understand potential impact- Look for anomalies in physical environment among users, including presence of
unauthorized users or devices
- Contain and mitigate the event to prevent further damage- Coordinate with stakeholders to execute a response plan and notify proper authorities.
Once detected, notification to proper authorities- Evaluate response effort to improve response plan
- Execute recovery systems to restore systems and data- Update response plan with lessons learned- Resume business activities with internal and external stakeholders and manage public
This framework provides a holistic view of how small businesses can approach cybersecurity planning. We encourage firms to use these guidelines and the suggested approach to begin the dialogue of how to assess and improve their current cybersecurity protocols.
In order to cooperatively tackle the issue of cybersecurity across the financial industry, SIFMA strongly recom-mends participating in the Financial Services - Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC provides financial services firms a platform to share up-to-date threat information and best practices to mitigate these threats. As the cybersecurity threat to small businesses increases, cooperatives such as the FS-ISAC will continue to play a large role in mitigating, informing, and preventing cyber attacks.
IMMEDIATE ACTION ITEMSAccording to Verizons 2013 Data Breach Investigations Report, 76% of network intrusions and the top five methods of hacking both utilized weak or stolen credentials.5 SIFMA has adapted from the NSA