Why CIS should be the favoured cyber control for FSIs


The CIS Critical Security Controls (CIS Controls), a consensus-built set of defensive best practices, should be the favoured framework for FSIs and other organisations seeking to reduce cyber-related risk most effectively, according to Laybuy chief information security officer (CISO) Martin Bleakley.

Speaking at the Future of Financial Services, New Zealand 2023 event, Bleakley noted that, as a consensus-built model “developed by experts around the world” – including input from New Zealand’s own Tony Krzyzewski, the country’s Global Cyber Alliance ambassador – the controls are unique in being able to “address current known issues”.

“The [CIS Controls] provide a proven, practical means of reducing cyber-related risk,” he said, adding that, due to their adaptability, they are also “applicable to every organisation – from small to enterprise”.

The CIS Controls are also mapped to other widely used security frameworks and standards, notably, for FSIs, the Payment Card Industry Data Security Standard (PCI DSS).

“With implementation groups assisting in determining the safeguards applicable to your organisation’s size, and if you need to comply with other international frameworks, there are also mappings so that you can link these controls against NIST, ISO and PCI, just to name a few.”

Bleakley in particular praised the cyber resilience SaaS platform Onwardly as “a great tool for tracking PCI compliance” at Laybuy, an NZ-based buy now, pay later service, “for its posture and also its progress”.

The CIS Controls, now in their eighth version (v8, released in 2021), comprise 18 controls broken down into 153 safeguards, prioritised into three implementation groups (IG1 to IG3) so that an organisation can start with the safeguards that fit its size and risk profile. They are designed to mitigate the most prevalent cyber-attacks against systems and networks.

NZ a bigger cyber target than Australia

Citing the latest figures from security vendor Check Point, Bleakley revealed that organisations in Australia and New Zealand are attacked on average 928 times each week.

Curiously, of the two countries, New Zealand is the more targeted.

“This is quite sobering when you look at the relative size difference between Australia and NZ,” Bleakley said.

Of the currently most prominent malware families in the region – QBot, infostealers, TrickBot, XMRig and Amadey – QBot ranks number one based on impact, with a 4.7 per cent overall hit rate within the A/NZ region.

First appearing in 2008 as a banking trojan, QBot has, Bleakley said, effectively evolved into “a Swiss Army knife” for cybercriminals, being “frequently loaded with specific functionality tailored to accomplish particular goals”.

Notably, 81 per cent of attacks were found to be delivered via the web, with email representing the remaining 19 per cent of breach attempts.

“What this means is that the majority of threats are coming from the internet, with bad actors often taking advantage of weaknesses in our software systems to gain unauthorised access.”

For cyber defenders, the threatscape remains a “never-ending game of whack-a-mole”, Bleakley said.

“We’re just responding to something that’s just happened.

“The reality is we cannot cover all the attack points – it’s just not feasible. We are businesses, we need to communicate with customers, with suppliers, and have a presence on the internet and connect to other systems or have physical sites. All of these make it clear that trying to cover everything and being completely risk averse is unrealistic.”

He added that businesses should resist the temptation to simply “buy the most expensive shiny security tool or control solution off-the-shelf” in the hope that it will fix everything.

“While it might be nice to have, it’s not going to solve all your problems. It’s not your silver bullet.”