Five Questions with…Bob Shaw, Director of Technical Architecture
From time to time, we like to introduce new voices to our blog and pick their brains about technology trends and industry observations. Most recently, I sat down with Eze Castle’s Director of Technical Architecture, Bob Shaw, to discuss cybersecurity and how clients are responding to increasing threats.
1. Earlier this year, the WannaCry outbreak made a lot of waves and forced firms to reevaluate their protections against ransomware. What would you say is the biggest takeaway from the WannaCry incident?
BS: The first thing I would say to firms – and it sounds simple but it’s not always a given – is don’t pay the ransom! You’ll never get your files back. That’s where the second part comes in: always have backups. Backups are the only fool-proof method for recovering your data, and it’s critical that firms use robust and secure backup and recovery tools to safely store their files and protect them against these types of incidents.
2. What’s the technology you’re most excited about right now that’s helping firms guard against cyber threats?
BS: Next-generation firewalls are really interesting and effective. We work with Palo Alto to deliver these to our clients, and when we lay out the facts, it becomes pretty evident how beneficial they are. Older, port-based firewalls can’t necessarily detect what traffic is doing, but next-gen firewalls have the ability to analyze unknown traffic and simultaneously develop protections to safeguard networks. Firms also have greater visibility and control in managing applications and content to uniquely implement security protections for their infrastructure.
3. If you had to narrow it down, what’s the one area of cybersecurity preparedness that firms most often overlook?
BS: Incident response. A lot of firms are really open to implementing new technologies and building robust policies to protect their data and confidential information, but they fail to think through how they’ll react when and if a cyber-attack strikes. And an incident will occur – it’s only a matter of time. The scale of that incident is obviously going to vary based on protections in place, but it’s vital to give thought to the procedures your firm will need to go through as a result of a cyber incident and how exactly you’ll maintain or resume operations, depending on the severity of the threat.
4. The human factor of cybersecurity is something we talk about a lot, particularly as we see phishing scams become more sophisticated and targeted. What other types of social engineering risks should firms be aware of?
BS: Email phishing is still probably the most common threat, and perhaps the one most likely to successfully trick users. But we’re also seeing hackers use other communications, particularly voice calls and text messaging. One example involved prompting users to say “yes” when they answered the phone; their voice was then recorded and could be used to authorize wire transfers in the future. Text phishes are also popular and try to con users into clicking a mobile link or downloading a text image, which can then infect their device.
5. Vendor risk management is a critical focus area for the Securities and Exchange Commission (SEC) and other regulatory bodies, as well as investors, looking for firms to shore up security across their organizations. What mistakes do you see commonly made during the vendor due diligence process or overall as part of a vendor risk management strategy?
BS: I think, unfortunately, a lot of firms don’t have a vendor risk management strategy, and therein lies the problem. They might do their due diligence when they’re first looking for an IT provider or fund administrator or application vendor, but they don’t always follow up. Vendor risk management has to include more than a “before you buy” scenario. On a regular basis, firms need to be in touch with their service providers and have a comprehensive understanding of their cybersecurity safeguards and policies. Regulators and investors are very comfortable with outsourcing, but the burden still lies on the firm itself to manage vendors and ensure their data and assets aren’t being put at risk as a result of those vendor relationships.