Last week, the CME Group confirmed that ClearPort, the system it uses to clear privately negotiated block trades in the over-the-counter energy and metals markets, had been hacked in July. While few details have been released on this incident, coming off recent incidents at NYSE and several large banks, this release should still be a reminder to all IT leaders.
As the largest futures marketplace, the CME Group has a large, sophisticated, and well-funded IT organization and there is no question that its IT systems are critical to its business operations and revenue. No doubt, its security programs are well-staffed and well-funded. Any security breaches of IT systems at the CME are unlikely to be the result of amateur mistakes.
The question every IT leader should be asking themselves is: if well-run and well-funded IT organizations like the CME can have security incidents, how can the rest of us believe for a moment that we are not vulnerable to security attacks?
Long gone are the days of “security by obscurity” – believing that by flying under the radar your systems will not be a target of cyber-crimes. Bored college kids wanting to vandalize a site for bragging rights are no longer the greatest threat to security. While there are still public incidents of hacktivism – using security to make a political point or claim rather than for financial gain – now most breaches occur either by accident (e.g., lost laptop) or are driven by disgruntled current and former employees, or those motivated by financial gain. These financial motives range from using a distributed denial of service attack to seek ransom from companies with on-line revenue streams to collection of credentials for the purposes of cyber theft. In these cases, you do not need to be as large as the CME Group to be a target – and in many cases smaller organizations are more of a target because fewer resources are generally required to be successful in the attack. There have been some reports of smaller companies that are likely acquisition targets being targeted for security intrusion as a way to get into the larger, acquiring company’s network.
Business leaders should demand robust Cyber Security plans from their IT leaders. Many frameworks exist to develop such plans, but the initial process should follow a few clear phases:
- Risk Assessment
- Risk Mitigation
- Ongoing Security Program of assessment and improvement
Risk Assessment will identify the critical infrastructure and applications that support a business – including any that contain sensitive information. Risk Mitigation will entail implementing the specific technologies and processes required to protect the identified at-risk assets. Most importantly, a process to regularly review the assets and risks must be implemented because the risk factors and attack vectors are constantly changing. Security is a never-ending effort – and ignoring the risk because your company is too small is no longer an option. Either your customers or regulators will be expecting to see your Cyber Security plans and all eyes will be on you if, or more likely when, you have a security incident.