Get access to the exclusive HR Resources you need to succeed in 2018.
Sign up for free email newsletters and get more SHRM content delivered to your inbox.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Build competencies, establish credibility and advance your career—while earning PDCs—at SHRM Seminars in 14 cities across the U.S. this fall.
Gain the skills you need to rise to the next level in your career. Jon us at SHRM's Leadership Development Forum, October 2-3 in Boston.
Members may download one copy of our sample forms and templates for your personal use within your organization. Please note that all such forms and policies should be reviewed by your legal counsel for compliance with applicable law, and should be modified to suit your organization’s culture, industry, and practices. Neither members nor non-members may reproduce such samples in any other way (e.g., to republish in a book or use for a commercial purpose) without SHRM’s permission. To request permission for specific items, click on the “reuse permissions” button on the page where you find the item.
NEW YORK—The “inevitable march to the cloud” poses cybersecurity threats for banks and financial institutions that might not be able to adapt quickly enough during the transition, Jerry Archer, chief security officer at Sallie Mae Inc., said at a recent conference here.
“[Translating] our current security models and our current threat models into a cloud-based environment is extremely difficult,” Archer noted. But not being able to do so will “open doors to the guys who want to attack us,” he told attendees of the Sept. 25, 2013, Cyber Security Summit.
Archer said cloud providers are “obviously looking to leverage existing infrastructure” to make the transition; but, in many cases, adapting financial services companies’ demands concerning security and regulation is difficult. Even so, the migration to cloud services is moving quickly.
“My concern consists of staying in front of that wave … so we have security models that could transition over to the cloud and have the same level of security,” explained Archer, a founder and board member of the Cloud Security Alliance, a nonprofit that recently completed a free, open standard that includes protocols to help organizations make sure cloud computing data are reliable and uncompromised.
The industry is confronting myriad cybersecurity challenges. Organizations and transactions are complex, he said. “Finding every vulnerability, and being able to close that hole in every single instance, is a very difficult problem.”
HR, too, faces challenges when it comes to cybersecurity, since there is a talent shortage in the field. An analysis in the first week of October 2012 revealed that more than 1,828 companies in Maryland had nearly 20,000 open cybersecurity jobs, according to the
Cyber Security Jobs report, a January 2013 joint report from The Abell Foundation and CyberPoint International.
And HR professionals’ role in managing, or at least being aware of, their company’s cybersecurity helps protect their crucial business and customer information.
Common threats to business data include intruders hacking into a computer system or network, remotely installed malware, lost or stolen laptops or data-storage devices, insider threats, accidents and natural disasters.
Regulation ‘Basic Need’ but Not Best Practice
Panelists at the conference debated the effects of regulation on financial services’ security. Archer said that while he’s somewhat of a cynic about regulation, from a practical standpoint, it’s a necessity and “sort of builds the muscle for security.”
“Compliance and regulatory concerns are a basic need, but they don’t represent best practice,” he said. Companies should begin by addressing compliance and build a program from there.
His organization is audited about 60 times a year on some portion of its security program. Archer said more mature programs use tools to automate compliance, thereby significantly reducing compliance costs.
Panelist John Prisco, president and CEO of malware-detection company Triumfant, said information security should be “knit” into an organization’s fabric, but that doesn’t always happen. Chief security officers often report to chief information officers or someone else on a technical level and don’t always get the ear of key decision-makers, he noted. Some companies that have suffered breaches seem to forget about them six months later.
“At some point they have to take it seriously, they have to fund it properly, and there has to be enough governance on the part of the chief security officer’s organization to properly protect the company,” Prisco stressed.
Other Security Concerns
In addition to cloud computing, panelists addressed other challenges, such as:
*Accumulation of cyberweapons. Bounties are being paid for “zero-day attacks,” or novel attacks that exploit software or systems in a way that’s hard to detect and mitigate. Countries, nation-states and cybercriminals are accumulating cyber-weaponry and are prepared to use it in “a pointed way,” Archer said.
*Movement toward pervasive and peer-to-peer computing. This includes activities like one person’s iPhone “talking” to another person’s iPhone to carry out a transaction with a third party. “It will be difficult to figure out how to defend in these kinds of environments where you’re seeing this totally new paradigm in computing,” Archer said.
*Third-party vendors. Hudson Valley Bank relies heavily on vendors for data storage, processing and reporting, according to its chief information officer, Howard Bruck. Regulators say it’s the bank’s responsibility to ensure that data and transactions are secure.
“If [the vendors] can’t convince us to a very high degree that we’re obtaining the data protection as if we were doing it ourselves, that brings them down to an almost certain unacceptable level,” Bruck noted. Third-party auditing standards, such as the SAS 70orSSAE 16, are helpful when choosing providers, he added.
Assume Data Will Be Breached
Prisco said it all boils down to “cyber-Darwinism”—meaning, the bad guys will go after companies that are vulnerable. Businesses, therefore, should assume that their data will be breached and that having all the perfect software won’t protect them.
“Assume that there is going to be a spear-phishing attempt and it is going to get through,” Prisco advised. “The idea is to detect it very quickly and to get rid of it very quickly. And I think that would be your most sound approach to defending yourselves.”
Pamela Babcock is a freelance writer based in the New York City area.
KPMG: Five Most Common Cybersecurity Mistakes,
SHRM Online Safety & Security, May 2013
Dueling Cybersecurity Proposals Center Around Standards, Threat Sharing,
SHRM Online Safety & Security, February 2013
Protect Your Business from Cyberthreats,
SHRM Online Safety & Security, December 2012
Cybercrime 2012: Malware Threatens Social Media, Cloud Services,
SHRM Online Safety & Security, December 2012
Employer Beware: Spyware Comes to Mobile,
SHRM Online Technology, December 2012
Company Data Endangered by Lack of BYOD Security,
SHRM Online Safety & Security, August 2012
SHRM Online Safety & Security page
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Please sign in as a SHRM member before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Choose from dozens of free webcasts on the most timely HR topics.
SHRM’s HR Vendor Directory contains over 10,000 companies