What 'Law & Order' can teach CUs about cybersecurity
“When facing upheaval, it is comforting to have things going on that make us feel a little more secure,” said Larry Clinton, president and CEO of the Internet Security Alliance. “Something we can count on: There is an episode of ‘Law & Order’ on air every minute of every day,” he said with a laugh.
Every episode of the television show “Law & Order” follows the same pattern: The Problem, Urgency, Barriers to Resolutions, the Champion, and finally, the Resolution. And, said Clinton, “Law & Order” can teach us a lot about cybersecurity.
“The ‘Problem’ is sophisticated cybercriminals who are using advanced technological methods to steal money and an antiquated police structure that cannot keep up,” he said. “How big is the problem? In the last minute, $4,400 was lost due to cybercrime and 832 new versions of malware were created.”
One of the biggest “Barriers” is that we don’t understand the problem, Clinton continued. “Too many of us are still worried about hackers, or just about credit cards and PII [personally identifying information]. People think criminals don’t care about their business because it is too small. If you think that, you are wrong: 70% of cybercrime happens at small businesses. Cybersecurity is not just defensive, keeping the bad guys out; you need to be proactive.”
In the financial services industry, too much time and money is being spent on compliance at the expense of resources that could and should be devoted to cybersecurity, Clinton asserted, pointing out there are more than 60 separate security standards just for FIs.
“Financial institutions are still using security models based on a perimeter-oriented outlook and safeguarding information in the back office. But attack models have evolved and changed,” he said. “The system is getting weaker thanks to the Internet of Things. Meanwhile, the attackers are getting much better. They are making hundreds of millions of dollars and reinvesting in their business. Attacks are so sophisticated, once they get in they clean up malware so when the financial institution does a penetration test it comes up clean. And then the attackers move.”
The bad news: you cannot “solve” the cybersecurity problem. The good news: you can manage your cyber-risk. “No one lives germ free – we are under attack all the time. But with good hygiene and good medical care, you can manage your health.”
Solutions need to be enterprise-wide, credit union boards of directors need to be involved, and there needs to be an understanding that cybersecurity is not all about IT, Clinton said. “Cybersecurity is a continuum – you are never completely secure. There is not going to be a magical widget invented to solve the problem, or an overarching cyber-regulation that will make everything secure. We all need to work together.”