Oh, the irony. I don’t know whether to laugh or cry.
October is National Cybersecurity Awareness Month. This is the month that the U.S. federal government wants us all to take responsibility for cyber security. Public companies, private companies, individual consumers, government agencies, institutions of every ilk, hardware and software vendors, law enforcement—all need to work in harmony to try to prevent and perhaps even eliminate cyber crime and other failures in cyber security.
The U.S. Department of Homeland Security is the agency behind National Cybersecurity Awareness Month. This is the tenth year we are observing this occasion. I went to the DHS website to get information about this special month and was greeted with this untimely message:
- Due to the lapse in federal funding, this website will not be actively managed
Oops. It seems that National Cybersecurity Awareness Month is a casualty of the partial shutdown of the federal government. What poor timing. Just when the government wants to play up the need for public/private partnerships, the government can’t show up to participate.
But that’s not the only irony that hit me today pertaining to this special awareness campaign.
There’s a good article on mitigating third party risk in The Fraud Blog written by Tracy Kitten and published by BankInfoSecurity. In her article, Ms. Kitten points out that the Federal Deposit Insurance Corporation (FDIC), an independent agency of the U.S. federal government – independent meaning it is funded by the insurance premiums banks pay rather than by congressional appropriations – is urging small community banks to be more proactive in their risk assessments of the third party vendors they do business with.
In the banking industry, financial institutions with less than $1 billion in assets – typically your small regional banks and credit unions – tend to outsource some key processes to critical partners. Those processes may include check and credit card processing, and even core banking functions. These kinds of processes are the lifeblood of a bank, and a security breach at the vendor can be devastating for every institution that depends on it. Thorough risk assessments of these vendors and partners are therefore essential.
It happens that just such a breach occurred in 2011 when banking core processor Fidelity National Information Services (FIS) was hacked. Given that FIS serves 14,000 financial institutions in more than 100 countries, this breach was and still is a huge concern for the banking industry. Along with several forensics firms, the FDIC was called in to assess and report on the breach.
So here is the irony during this National Cybersecurity Awareness Month.
According to security journalist Brian Krebs, the FDIC notified financial institutions in May 2013 that the FIS breach was actually much more extensive than originally reported. But the FDIC knew this well before May 2013; it simply didn’t share that information promptly with the financial institutions the agency oversees. In fact, the FDIC compiled a report in October 2012 – some seven months before the notification – that detailed its assessment of the FIS breach. One would think that this report would be critical reading for the financial institutions that use FIS’ services, so why was there such a delay in the FDIC sending that information out? How unfortunate.
So much for the public/private cooperation that is the very theme of National Cybersecurity Awareness Month.