Cybersecurity: strengthen your enterprise, don’t vaporise.

On September 22nd, we discussed how the cybersecurity landscape has evolved since the start of the COVID-19 pandemic.

Based on the new threats that businesses now face, we made recommendations for how our customers can identify and protect their assets.

Rob Knoblauch, VP, Global Security Services & Deputy CISO at Scotiabank and Steve Thompson, Director Cybersecurity Awareness, Training and Communications explored the steps our customers should take to mitigate harm to their business operation and discussed what should be done now to build their defenses.

 

About the speakers.

Damian has 11 years of experience in corporate and commercial banking. He is a top performer who has a wealth of experience in areas such as credit adjudication, portfolio management, business development, prospecting, deal structuring and negotiation. Damian is responsible for the overall success of the commercial business line for Caribbean South (Trinidad and Guyana) and will bring a strong focus on deepening client relationships by working across business lines, including Retail and Capital Markets. Damian holds a BSc. in Management Studies with a minor in finance from the University of the West Indies and a Masters of Business Administration (M.B.A.) from Andrews University.


Desha joins us as facilitator for the upcoming episodes of our original web series, Scotia insights. She currently anchors the country’s number one newscast, the CCNTV6 News at 7pm, and has been in the news and current affairs business since 2004. She began her career in newspaper, moved on to radio, then into TV. Desha recently founded her own company, Suite Salyut Ltd, a Professional Media Services business that specializes in the provision of on-air presenter and recorded voice-over talent for a range of platforms including news broadcasts, live events, documentaries and audio books.


Rob is a cyber security professional with over 20 years of experience protecting financial institutions from a myriad of information security risks. He serves on a variety of customer advisory boards for leading cyber security companies and speaks at various conferences on Cyber Security, AI and Machine Learning. Rob has a passion for building strong teams and bringing new, innovative technologies to combat the growing complexities of cyber threats. Prior to Scotiabank, Rob worked at the Toronto Stock Exchange, Bank of Montreal and Bird on a Wire.


Steve is Scotiabank’s Director of Cybersecurity Awareness, Training and Communications and has been with the Bank for the last 3 years. Prior to joining Scotiabank, Steve spent the last 10 years supporting public relations for some of Canada’s most recognized brands, including Bell, Shoppers Drug Mart and Interac. In his current role, he is tasked with building a cyber risk culture across Scotiabank’s global footprint.

Identify and protect your assets.

The CIA Triad is a well-known model for the development of security policies used in identifying problem areas, along with necessary solutions in the arena of information security. 

Confidentiality: Prevent sensitive information from reaching the wrong people while ensuring only authorized people can access it.

Integrity: Maintain the consistency, accuracy, and trustworthiness of data. Steps must be taken to ensure that data cannot be altered by unauthorized people.

Availability: Ensure that your data and systems are always available when you need them to be.

Protect your business. 

Frameworks
Adopt a cybersecurity framework. We recommend the National Institute of Standards and Technology (NIST) cybersecurity framework.

Create policies
Create cybersecurity policies and breach procedures. Focus on the recovery of your assets and make sure the policies are enforceable.

Know your regulators
Make sure you know your regulators for all the jurisdictions in which you operate. Often there are time requirements to report any cybersecurity breaches.

Develop playbooks
Running simulations ensures that, if a cyber breach occurs, all senior staff know the role they have to play, which will help ensure a quicker recovery.

Build Awareness
Your staff is the weakest link. Keep them informed of threats and how to spot them through a vigorous awareness program.

Questions & Insights

The top 3 security threats are typically things like Cyber Attacks, Ransomware and Social Engineering Attacks. 

To protect your business, you should have strong technical controls and use antivirus software. You should keep your operating systems up to date with the latest security patches. You must know where your critical information is and ensure it's secured. You should also look at developing employee education programmes to ensure your employees aren't susceptible to common scams. 

Each business is going to be different, based on what they do. You really need to take a look at what your major assets are. If your major assets are people, you need to start looking at controls that protect your people. And a lot of the processes and protections against people are generated through awareness campaigns. The big investment, dollar-wise, is going to be in technology but that all depends on the business and what you're trying to protect. You don't want to bring in a million-dollar security component to protect an asset that's only worth ten thousand dollars. You need to do a risk assessment on the value of your assets and focus on what needs protecting.

In just 2 weeks, we were able to move 60% of our employees home and because of that, we had to look at system capacity and increase bandwidth to ensure maximum uptime. Today, we've gone to about 80% which is nearly 1,300 users all working from home. Ensuring uptime and productivity is a key part of it.

Customer confidentiality and data privacy continue to be a top priority. There is nothing that we take more seriously than our customer information. For our teams on the ground, we ensure that there are logical access controls. Employees who are supposed to have access to particular customer information do, and the ones who are not supposed to, don't. Another area that we looked at was processes for getting you, our customers, online and having people use our cash management system. By all accounts so far, our customers have really taken to the system and are adjusting to the new normal. They are getting online, using online and making sure that risks are mitigated.

We're continuously securing the CMS platform. It's more of a journey and not a destination. We're always looking at things like multi-factor authentication and even technologies that go beyond the computer. An example of something that we have in proof-of-concept mode right now is "customer personification", which tries to verify a user based on how they use the computer, e.g. how they use the mouse and how fast or slow they type.

Any cybersecurity professional will tell you the same thing. Your weakest link is your people and that's where you need to put a lot of focus. You should have internal policies but it really needs to be driven from the top down. CEOs and senior management need to take that tone and bake security into everything. At the end of the day, your IT team is responsible but senior leadership is accountable. They need to build policies, test people, run phishing campaigns against them, conduct annual training. These are very important steps to prevent different types of attacks.