What we’re reading this week from the world of technology and operational risk management...
SANS 2017 Insider Threat Survey SANS Institute
77% of respondents to a SANS Institute survey said they did not know or could not figure the financial potential of an insider event. At the same time, 40% rated the malicious insider as the most damaging threat actor they face.
August 28 is the first of a set of rolling deadlines for the new and far-reaching regulations on financial companies by the New York Department of Financial Services—including the requirement to hire a “qualified” CISO.
Regulators’ Penalties Against Wall Street Are Down Sharply in 2017 Wall Street Journal [subscription required]
The Journal studied fines by the SEC, CFTC and FINRA during the first of 2017, and found them down by nearly two-thirds year over year. The drop could be due to less aggressive regulation by the Trump Administration but the winding down of big cases from the financial crisis years may also have contributed.
Modelling cyber risk: FAIR’s fair? Risk.net [registration required]
Risk.net calls FAIR “the most commonly used approach to quantifying cyber risk among banks” though notes some skeptics still think that any model is “at best a guess”.
A checklist for risk management of senior executives: securing their personal devices, educating them on phishing, etc.
The author of the NIST standards for passwords 14 years ago acknowledges that the string of random characters he recommended turned out to be easier to crack than a string of natural language words. He’s reallyverysorry.