Last month we began the story of a very ambitious bank filled with well-intentioned individuals who love their jobs and want to see their customers’ information protected. We were introduced to the bank’s Information Security Officer, Walter White, and we watched as he took important steps to protect his company by implementing internal controls and cybersecurity practices (like hiring an IT company to perform a penetration test). He thought his company was secure, until the unexpected happened. Today, we find out what event changed everything…
Fade in… We see Walter sitting in his office, filled with anxiety as a cybersecurity team arrives at the bank. Walter’s IT Director has just informed him that the bank has been hacked and confidential information has potentially been compromised. Walter has already called his IT firm; they don’t know what happened, but are scrambling to find out. They were all confident the bank was secure. Little did they know a vulnerability had been left open and exploited by an attacker.
The Chief Information Officer has called a cybersecurity company and asked them to come help the bank recover. The fancy cybersecurity team walks in and asks this fairy-tale bank about the penetration test they have been getting from the seemingly competent IT firm. They ask questions like “Does this firm tell you what they’ve done and how they manually tried to penetrate your network? Have they shown you, in narrative form and in language that makes sense to you, what their process is for ensuring your IT environment is secure? Are you sure they aren’t just running automated vulnerability scans on your network and calling it a penetration test?” (to name a few). Then suddenly Walter realizes he can’t answer these questions, at least not as well as he should.
Walter, still anxious and becoming angry that he cannot explain what he has asked the IT firm to perform, calls the firm’s project lead. The camera zooms out and you observe from the back of the room, watching the frustration on Walter’s face as you listen to the intense instrumental score that makes you feel this isn’t a conversation you would want to hear anyway. He finally hangs up the phone and rests his head in his hands as he sits at his desk, trying to compose himself before going back to the cybersecurity team to tell them the news.
Commercial break– You may be thinking that this company is very different from yours. That you know what you are getting from your IT teams and this could never happen to you. But let me ask this question: if you were in that situation, could you answer the questions this fictional cybersecurity company is asking? Do you really know exactly what you’re getting when it comes to a penetration test, or are you trusting the firm to cover everything? In the internal controls consulting world we have a saying: “trust is not a control.” This goes for employees, customers, and even outsourced services such as an IT firm performing penetration tests. Just some food for thought as you enjoy your show…
The break ends and you are thrown into the intense conversations happening at the bank. The rest of this episode involves hard discussions between the ISO, CIO, and cybersecurity team as they work to find out what the IT firm was actually doing and what damage has been caused by the breach at the bank. The cybersecurity team performs incident response procedures and explains the details behind the breach and how it could have been prevented had they done a few things differently. But just as you think you’re about to find out the secret to real cybersecurity, the credits begin to roll and you begin to decompress from the stress of what you’ve just witnessed.
End Episode Two.
What do we know so far? First, we’ve seen that simply being compliant will not prevent a cyber attack. Don’t get me wrong, striving to be compliant is not a bad thing and will start some very good conversations, but we have to go beyond compliance. Walter should have been asking the bigger questions about the risks in his bank and evaluating whether or not their efforts were really mitigating them. Most importantly, Walter needed to know exactly what he was getting from his IT firm: whether they were manually attempting to penetrate the network and reporting what they did, or merely running automated scans. How could he have known that? That’s a good question, and the answer is just that: asking the right questions. What are those questions? Stick around for episode 3 and you will learn exactly what cybersecurity services your bank really needs to mitigate the risk of an attack like this one.