We’re now well into the second quarter of 2018, a point where organizations should be well into executing their technology and cybersecurity plans for the year. However, many are still looking for guidance on what products they should be considering, how to align their needs with their limited budgets, or even more simply, how to meet the latest compliance requirements.
As we continue through 2018, there are three emerging trends that companies should be focused on.
Data Privacy Enters New Territory
Two of the most widely discussed compliance issues this year are the New York Department of Financial Services’ cybersecurity regulation, NYCRR 500, and the General Data Protection Regulation. Both regulations break new ground.
NYDFS requires that organizations licensed in New York develop, maintain, and monitor a holistic cybersecurity program that is overseen by the senior leadership and officers of the company. The standards set forth by the NYDFS outline the minimum processes, procedures and controls that are needed to protect against data loss. Companies had to file for certification by February, and by September, they must implement cybersecurity awareness training and encrypt non-public consumer information at rest and in transit in addition to other practices.
GDPR is much more robust and impacts any organization that markets to or retains information from residents of the European Union. This regulation requires organizations to create and implement an opt-in privacy framework and security controls, and if an individual’s information is compromised, they must disclose this fact to the individual within 72 hours.
While GDPR is a European law, U.S. companies that retain personal information on EU citizens are affected. The penalty for non-compliance is 2% of a company’s global annual revenue up to 10 million euros. If you were unaware of this regulation, you’re not alone. Many organizations are just becoming aware of it, even though it went into effect on May 25, 2018. Even if you’re not subject to NYDFS or GDPR, the key elements of these regulations, such as multifactor authentication, active monitoring and encryption, are becoming best practice to limit cybersecurity risk.
Many organizations are looking at a “pay now or pay later” decision as it relates to cybersecurity and compliance. One of the best ways to limit this exposure is to build out a functional roadmap to meet the demands of these and other requirements. Developing a holistic strategy not only helps control costs, but also limits risk exposure to cybersecurity incidents. Unfortunately, with a significant industry shortage in cybersecurity talent, many mortgage companies are finding it difficult to recruit qualified security professionals to aid in meeting these requirements.
Email, Fraud and Ransomware
Regardless of your organization’s size, chances are you know of someone who has been impacted by phishing, wire transfer fraud or ransomware. So far this year, we have seen a growing number of companies looking to improve their email security and cybersecurity monitoring to stop these attacks, with a focus on mobility and endpoint protection.
Lenders should be adopting a comprehensive e-mail hygiene solution that not only includes spam filtering, but also detects threats such as malware. Organizations should also make sure that their e-mail and DNS platforms have configured Domain-based Message Authentication, Reporting and Conformance (DMARC). This protocol is used to defend your brand and customers against email spoofing attacks. The solution is so effective that the U.S. Federal Government has made the implementation of DMARC a requirement for all agencies and organizations that it operates.
The recent Verizon Business 2018 Data Breach Investigations Report found that ransomware was the fifth highest overall cybersecurity threat last year, beating out traditional malware, spyware and the use of stolen credentials. In fact, ransomware increased nearly 50% in 2017. This year, however, the current trend is cryptojacking. In a cryptojacking attack, an attacker gains access to a computer platform and installs software to generate Bitcoin or some other cryptocurrency; instead of encrypting data and demanding a ransom, the software works silently in the background, generating cryptocurrency at the expense of the victim.
Monitoring and Insight
Given the variety of attacks that organizations are being subjected to, along with compliance requirements for good monitoring and audit trails, demand is high for comprehensive monitoring and analytics that help lenders understand how their data is being used and provide automated threat intelligence and improved protection.
Earlier technologies, such as Security Information and Event Management (SIEM), provided a platform for collecting and correlating logs and information from multiple sources within an environment. Intrusion Prevention Systems (IPS) were also utilized to automate the prevention of active exploitation by an attacker within a company’s environment. The challenge with both technologies, however, is that they need constant care and feeding. Organizations must “tune” their SIEM and IPS solutions, which drives up labor costs.
The next wave will be “managed” solutions that enable companies to outsource the human effort. Such technologies include Amazon GuardDuty, which monitors threats and indicators of compromise and, through the use of machine learning, automates alerting and response to threats.
Overall, cybersecurity in 2018 is focused on reducing liability through adherence to compliance, reduction of fraud and increased efficiencies through better intelligence and threat management. These concepts require a multilayered cybersecurity strategy in order to reduce the risk exposure of an organization, and more importantly, its customers. Either way, lenders cannot afford a “wait and see” approach to dealing with new compliance challenges. Data privacy laws are accelerating, and lenders that lag behind them could be left in the dust for good.