PODCAST
A Cybersecurity Update with FINRA's Complex Investigations and Intelligence Team
These days, it's not a matter of if, but when, when it comes to cybersecurity incidents, which is why it's essential for all firms to ensure they're prepared for the inevitable.
On this episode, we're catching up with Bryan Smith, the new senior vice president of FINRA’s Complex Investigations and Intelligence (CII) team and Brita Bayatmakou, vice president of the Cyber and Analytics Unit within CII, for an update on CII, the cyber threat landscape and what firms should be thinking about and doing in response to the latest trends.
Resources mentioned in this episode:
FINRA's FBI Cyber Threat Briefings (Next Briefing: April 22)
Episode 112: Introducing FINRA’s Complex Investigations and Intelligence Team
FBI Internet Crime Complaint Center: Industry Alerts
Reg Notice 21-29: Obligations Related to Outsourcing to Third-Party Vendors
Listen and subscribe to our podcast on Apple Podcasts, Google Podcasts, Spotify or wherever you listen to your podcasts. Below is a transcript of the episode. Transcripts are generated using a combination of speech recognition software and human editors and may contain errors. Please check the corresponding audio before quoting in print.
FULL TRANSCRIPT
00:00 - 00:22
Kaitlyn Kiernan: These days, it's not a matter of if, but when, when it comes to cybersecurity incidents, which is why it's essential for all firms to ensure they're prepared for the inevitable. On this episode, we're catching up with two members of FINRA's Complex Investigations and Intelligence Team for an update on the cyber threat landscape and what firms should be thinking about and doing in response to the latest trends.
00:22 – 00:31
Intro Music
00:31 - 01:04
Kaitlyn Kiernan: Welcome to FINRA Unscripted. I'm your host, Kaitlyn Kiernan. I'm excited to welcome one new guest and one returning guest to the show today to provide an update on FINRA's Complex Investigations and Intelligence Team, or CII, and some emerging cybersecurity risks. Joining us today for the first time is Bryan Smith, FINRA's new Senior Vice President of CII. And we are also welcoming back to the show Brita Bayatmakou, Vice President of the Cyber and Analytics Unit within CII. Bryan and Brita, thanks for joining me today.
01:04 - 01:05
Brita Bayatmakou: Thank you Kaitlyn.
01:05 - 01:06
Bryan Smith: So happy to be here.
01:07 - 01:13
Kaitlyn Kiernan: Can you both start by introducing yourselves? Bryan, since you are new with FINRA, let's start with you.
01:14 - 02:16
Bryan Smith: Well, certainly happy to be here. I actually am a long-time listener and first-time participant. Last 21 years I've spent at the Federal Bureau of Investigation, where my career spanned securities fraud. Spent some time at the SEC as the detailee there right after the financial crisis, really trying to leverage the skill sets and expertise of the two agencies. Ran our money laundering unit at the FBI, which is where I got involved in cryptocurrency and started the FBI's first cryptocurrency team there, which certainly has expanded over the last ten years, and then continued my work in that space that overlaps financial crimes, money laundering, cryptocurrency and cyber. And for the last two and a half years, I have overseen the FBI cybercriminal operations, serving as the section chief, which it was my responsibility for all of the FBI investigations that were non nation state actors. So, DDoS attacks, data breaches and ransomware.
02:17 - 02:27
Kaitlyn Kiernan: Thanks, Bryan. Definitely sounds like a great background for your new position, but how do you think your previous experience helped prepare you for this role?
02:27 - 03:30
Bryan Smith: My career in the last eight years was that combination of those functional areas, and a lot of people look at me and they say, well, how are those related? But I see them as part and parcel. Cyber is just a mechanism by which the adversary is doing the things that people have been doing since antiquity. And so, it's now being enabled not only just to steal money, but steal identities, engage in market manipulation, engage in microcap fraud, engage in insider trading. There's a lot of overlap in the activity, and it takes a lot of specialized skill sets in order to address something that's complicated like that. And so, I think that it's prepared me for the role that I'm here now with CII, where I have responsibility over a lot of those functional areas here at FINRA and recognizing that we need to bring specialized skill sets to attack those problems, but also do it in a way that's collaborative, because we need those multiple skill sets in leveraging against the adversary.
03:30 - 03:39
Kaitlyn Kiernan: Brita, we have had you on the show before, but can you remind us a bit about yourself? Has anything changed since we last spoke on FINRA Unscripted?
03:40 - 07:28
Brita Bayatmakou: It's great to be back here. I am now a vice president within Member Supervision and I lead our Cyber and Analytics Unit known as the CAU. And that sits within our National Cause and Financial Crimes Detection program under CII that we just were talking about. Our mission is to deepen and broaden FINRA's expertise in the cybersecurity, cyber enabled fraud and crypto asset disciplines and really provide expert knowledge and guidance to both internal and external stakeholders, and really aim to be at the forefront of identifying and mitigating the various cyber and crypto threats and risks that are out there. We are working increasingly to analyze what those emerging securities industry threats are using innovative data analytics and modeling techniques. And you ask, what's changed since our previous conversation? And a lot I would say we've had the opportunity to build out this unit and really enhance our ability to address and investigate complex threats in our area of expertise and truly advance the mission and objectives that we set out.
In addition to sharpening our focus in terms of the work we do in exams and investigations; we've really focused on building out our network of partnerships to support our engagement and intelligence sharing strategy. And there's been a couple initial successes. First of all, I think in order to do all of these things, we really needed to build out the right group of people. We've had a diverse and highly knowledgeable team of experts all come together with experience from the industry, from law enforcement and regulatory fields, and this has allowed us to refine our approach to the risks and threats that we tackle. So, having that diverse background within the team has really helped us to level up the entire organization in terms of cyber and crypto knowledge.
We can't tackle everything. We have been really focused on expanding our communication and engagement strategy through the publication of alerts and advisories in a variety of ways. I think we've published upwards of almost two dozen alerts since I joined this unit and have had a lot of different opportunities for both in-person and virtual engagement. We've held things like roundtables and working groups. We've had workshops and other educational webinars where we're able to facilitate the building of partnerships between industry folks, law enforcement, and really trying to provide that value in terms of intel sharing.
One thing that we did mention on the previous podcast was our quarterly regional cyber threat briefings that we hold in conjunction with the FBI. And this is a really great way to inform firms through these briefings about what the cyber threat landscape is looking like today. And it puts a face to the sometimes intimidating concept of an FBI agent. And it encourages firms to see the field office staff who they can reach out to and establish a relationship early on. One notable event that I'll finish on here is we hosted a first of its kind interagency tabletop exercise in partnership with CISA, the Cybersecurity Infrastructure Security Agency, the goal of which was to really evaluate our own plans and processes when it comes to responding to a cyber incident that would impact the financial services market. It was really insightful in terms of how it helped us to look at how we might improve the sharing of cyber incident intelligence among FINRA, U.S. Government agencies and member firms in that interagency response framework. So, really impactful activity. We talk a lot with our firms about performing tabletop exercises. And this is a simulation type event where you've got a cyber-attack scenario that you walk through. And it was really valuable and demonstrated that we don't just instruct others to do it, we'd like to do it ourselves as well.
07:26 - 07:35
Kaitlyn Kiernan: Taking a step back, Bryan, from your perspective as a newcomer to FINRA and this team, Brita mentioned a lot of the work that's happening within the group. But what do you view as the overall mission of CII?
07:36 - 09:21
Bryan Smith: I think you'd actually start with just the name of the group. It's Complex Investigations and Intelligence. We're bringing a specialized skill set to address what are complicated threats and frauds. You have Brita's team handling the cyber and the crypto piece of it. We also have specialized groups that are anti-money laundering experts and anti-fraud experts, and other individuals who are focused on high-risk register reps and elder fraud. You'd be hard pressed to find somebody who knows all of those areas, and we are bringing, with the establishment of this group, that specialized skill set to the investigations, to the examinations and the sharing of intelligence and working in a consultative manner with other portions of FINRA, so that we can do two things. And it's akin to back to my days at the FBI, where our job was to make cases and prevent cases.
And the way you do that is you've got the right skill set to be able to address the case, but also that you're doing things to share information and intelligence out to others so you can prevent future cases. If we can provide that value that Brita was just talking about to member firms, what we're seeing across the industry so they can better identify matters early on, do something about it, and we can prevent future victimization, that's a win for all of us. It's a win for FINRA. It's a win for the firms. It's a win for the investing public and leads to more faith in the markets. And it's a simple concept. Simplicity doesn't mean it's easy to deliver on it. But that's what I see as our mission—is to deliver on those two things.
09:22 - 09:34
Kaitlyn Kiernan: A focus for FINRA in recent years has been the use of data and analytics to improve operations. How has CII's use of data analytics evolved over the past couple of years?
09:34 - 11:21
Brita Bayatmakou: Data and analytics is a key part of how FINRA delivers on our mission. I've really seen a cultural shift at FINRA in terms of who is taking on ownership in this space and as an enterprise, being more intentional and embracing of disruptive technology, things like machine learning, artificial intelligence, predictive analytics, and really leveraging data and information to drive our decision making. And I've seen firsthand within CII an increase in our own collective knowledge and understanding of how to apply our analytics capabilities and functions, and really through the use of hands on tools like graph and link analysis, being able to uncover previously hidden relationships that we couldn't identify before within my unit, within the Cyber and Analytics Unit, we established the Analytics Threat Targeting team to, as the title suggests, target top threat areas and prevent misconduct or minimize harm to investors by leveraging these analytics platforms, we've really been thinking about how do we maximize the value of that data?
How do we focus in on threat detection using innovation but not hoovering up increasingly large amounts of data, but being intentional and creative about what data we need to leverage and use, and this will help us to make more informed, quicker regulatory decisions. I'll give one example. Within CII, we've been able to work on the hunt for registered representatives with crypto asset related outside business activities that pose a heightened level of risk. There was a tool developed and research done so that we could identify misconduct within the marketplace as well. So, it's been exciting to see the evolution here at FINRA as well as within CII.
11:22 - 11:36
Kaitlyn Kiernan: I wanted to pivot a little bit over to the cybersecurity risk space. It feels like cyber risks are everywhere. How do you both view the risk landscape as a whole?
11:37 - 14:44
Bryan Smith: It's important to look at the nature of the threat and to understand what you're going against. And as I mentioned before, I used to do consulting work before the Bureau. And there's two things that they made us read. One was Sun Tzu and The Art of War, and the second was Stephen Covey and The Seven Habits. I'm not going to give a book report, but the key components of those two and how it relates to cyber is one, you've got to understand the adversary. If you don't understand the adversary, you don't understand the environment that you're working in. How do you hope that you can be successful against it? And the other part is working with the end in mind. We know what it looks like. Where is it that we're trying to go and what do we need to get there? People don't know where to start with cyber. And so, I think you start at the beginning of what does it look like? And what it is, is that you've got a global problem, you've got threat actors who are across the globe, both the individuals as well as the infrastructure, the servers that they're utilizing. You have victims that are across the globe, you have an interconnected web of infrastructure that we're all using across the globe as well.
In addition, when you look at it, is that you have specialization by the threat actors. They have copied the Western civilization model for commerce and recognize that I can outsource a lot of different things. So, if I'm going to compete on a world stage, I've got to have world class capabilities in all the things that I do, and if I can outsource my distribution, I can outsource my accounting function to somebody else, I will focus on my core competencies. Well, the adversary has done the same thing, and I liken it to a little bit it's like Ocean's Eleven, where everybody had their role within that scheme, and they were the best at it. That's what the adversary has done. And so, they are leveraging money laundering facilitators to move the money for them instead of them having to do it. They are buying the code that they're going to install on your system, and they're buying the access to the systems. And so, it's a specialization.
And I think it's really important for everyone to understand that because that's what we're dealing with. And so, we have to in some ways respond in kind. And then the other biggest trend I think is that they are evolving and adapting, that what works today doesn't necessarily work tomorrow. And so, we have to be cognizant of they will adapt to things that we do from a regulation standpoint, from what law enforcement does from a defensive standpoint. And so, we need to continue to evaluate to be on top of our game if we're going to have success and be able to better protect ourselves. They are adept at what they do in their craft, which means that we have got to respond in kind with that same sort of specialization. Which is why with CII, we have those teams who have that deep knowledge, and then it can apply it and leverage that with other functional knowledge, be it in maybe the micro-cap space, and you leverage those two skill sets so that we understand exactly what's going on.
14:45 - 15:49
Brita Bayatmakou: I look at the landscape today through the lens of our hyperconnected world. We're living in this fast paced, social media driven digital environment, like Bryan said, where the adversary's adapting to what we're doing. This means that there has been an expanded attack surface, with financial services continuing to be one of the top targets, if not the top target. And with things like the increasing move by organizations to the cloud and our constant online life, basically, it's a bit of an existential threat that we all face, and it just means cybersecurity or cyber resiliency really needs to be built into what we do, not only because it happens to be part of our job or my job, but because we all need to protect ourselves and our systems and our information from what seems like an insurmountable challenge. But I do think it's all the more reason that we need to come at it in a collective way. I think that's definitely a key to combating what has transformed in terms of the landscape.
15:50 - 16:10
Kaitlyn Kiernan: It is interesting how social media can play into this as well. It's amazing how you see trends on Instagram, where it's like asking people to share where they went to high school and share their first car, and then people just volunteer this information and it's like, this is clearly very common password security questions.
16:10 - 16:30
Brita Bayatmakou: Absolutely. And I think one of your recent podcasts talked about demographics and younger generations entering the capital markets and engaging more. So, I think that's something also that we need to think about as we are trying to protect investors. It's important to know who we are protecting as we look at the landscape from both sides.
16:31 - 16:42
Bryan Smith: Earlier this week, I was meeting with one of the teams and they tried to social engineer me by asking me my first concert that I went to. And so, they're adept at knowing the right questions to ask if they want to get in my accounts.
16:43 - 16:54
Kaitlyn Kiernan: That's another good one. I won't ask you that on the podcast today. But what do you view as the top priorities for cybersecurity in the financial industry right now?
16:54 - 18:02
Brita Bayatmakou: The financial services are a target for the actors, and the reason why goes back to something that an old gangster said of why do you rob banks? That's where the money is. So, they will continue to be attacked, and they're going to be hit with what I call the symptoms of the cyber threat, which is ransomware, it's going to be account takeovers, identity theft, DDoS attacks, data breaches, and those types of things. But I think we have to look at this from an ecosystem perspective and understand that interconnectedness that we have. We're seeing more and more instances where the adversary is targeting what you would consider those third party or supply chain risks within industries. And that's not unique to financial services, but they're targeting entities that are in the middle, which then is having an outsized impact. And so, if you're a firm, your cybersecurity may be top notch and you may be doing all the things right. But if your vendor who has access isn't, that is a risk.
18:04 - 18:31
Kaitlyn Kiernan: We just talked on a recent episode about vendors and how that's relevant when it comes to generative AI and the risks in that space, but it's also just a general risk. FINRA released Regulatory Notice 21-29 a couple of years ago, pointing specifically to the supervisory obligations with vendors. So, we can post that to the show notes too, for anyone who wants to refresh on that topic.
18:32 - 19:05
Brita Bayatmakou: When we see criminals exploiting things like trusted software that's used across an industry, it just becomes a force multiplier. In terms of the impact, I think everybody considers how they build a strong fortress. But thinking about what your strategy is, how you maintain business continuity when you don't understand what your third parties or vendors might be doing and how they're protecting assets and information becomes an increasing challenge. Being able to anticipate and understand those relationships is incredibly important.
19:07 - 19:17
Kaitlyn Kiernan: Thanks, Brita. So, Bryan, when you were first introducing yourself, you mentioned your work in the ransomware space. How has that landscape changed in recent years?
19:17 - 20:02
Bryan Smith: It is a model of what I talked about as far as the adversary—global nature specialization. Many of the listeners may have heard of the term malware as a service or ransomware as a service, and they have perfected that model. There has been a democratization of cyber actors into ransomware, where historically you needed to be pretty technical to engage in this conduct, and unfortunately, they have enabled, now, people who really all they need to be able to do is utilize a computer. It has a gooey interface and will look like any software application that you and I could probably get on there and figure out how to launch a ransomware attack within a few minutes.
20:02 - 20:03
Kaitlyn Kiernan: Not that you should.
20:04 - 20:06
Bryan Smith: Not that you should.
20:06 - 20:08
Kaitlyn Kiernan: Just a caveat. We don't recommend that.
20:09 - 20:28
Bryan Smith: We might want to cut that out. So, that increases the number of individuals that engage in this conduct. They have perfected that model of specialization that I talked about before with the Ocean's Eleven, where they are bringing the top skill sets in to engage in this conduct.
20:29 - 21:11
Brita Bayatmakou: Ransomware as a service, of course, has been the new model. And we also are seeing not just data being held ransom. We're seeing the encryption of systems, the exfiltration of data and extortion and kind of this triple threat, also a threat of maybe a DDoS attack if firms or individuals don't pay. So, I think it's becoming more than just a simple, hey, I'm encrypting your data, give me the money. Now it's, we're going to release this data and please pay. And we may or may not actually do what we say. So, I think it's becoming with the larger group of threat actors out there, there's less credibility, if you will, among those thieves. So, I think that's another shift in the landscape in recent years.
21:12 - 22:09
Bryan Smith: Before, if you backed up your data, you could just restore from backup. And then they implemented the double extortion, which was, I'm going to steal your data and encrypt you. They have multiple pressure points on you in order to get you to pay. And then you see they are calling your vendors. They're calling your employees in the company and harassing them to put pressure on you to pay. Every time there's a tactic that we do on the defensive side to make it harder for them, every time there's a recommended action by CISA or the FBI or FINRA, they will respond in kind. And so, it's just important for us to recognize that we've got to continue to be mindful of what they're doing to change and recognize that we don't want to be making decisions in the moment where that pressure is on us. So, anything that we can do to slow that down and think about ahead of time is going to help us in those instances.
22:10 - 22:21
Kaitlyn Kiernan: And that ties back to those tabletop exercises Brita has mentioned, where you practice thinking through your steps when you are more levelheaded and not in the moment of stress.
22:22 - 23:26
Brita Bayatmakou: For better or for worse because ransomware has become so common, we're seeing firms have a more thoughtful response in terms of negotiations and engaging partners to figure out what the best path is. In the past, criminals, like I mentioned, might have taken pride in their credibility and customer service in terms of decrypting and releasing that data. Whereas now there's, I think, less trust among the bad actors, and that results in a reluctance for firms to pay, which I think is helping in terms of the motivation. When you think about the scope of attacks, which are very complex, and the economic impact, which is so significant beyond just a ransom payment, you have to think about the costs of restoration, the productivity losses, the reputational damage, which we know is so hard to quantify. There are just so many factors that are contributing to this ecosystem. And like you said, Kaitlyn, performing a table talk, having a simulation, understanding who your communication partners are going to be in the face of an attack is unbelievably important.
23:26 - 23:49
Kaitlyn Kiernan: And joining the FBI briefings that FINRA has been doing as well, so, you already have your contacts lined up, they're all ties together. Thinking too much about the sheer number of cyber risks and vulnerabilities out there today can be pretty depressing. It can turn most people into a cynic, I think. But is there any good news we can wrap up with?
23:50 - 27:44
Bryan Smith: Yeah, I think there is. Having just come from the FBI, in my 21 years in service, I've never seen the level of cooperation that we have been seeing over the last two years against the cyber threat, and it's this recognition that we're all in this together. And it goes a little bit back to what we talked about and the theory behind CII and the specialization. It's that a number of agencies bring a lot of different and complementary skill sets and expertise to this fight. And in and of themselves, they might be able to have a little bit of an impact. But when you put it all together, you can really have an impact on the ecosystem. And so, there's been a number of operations over this last year that has really targeted not just the symptoms of the cyber threat, which the symptoms are things like ransomware, but the ecosystem that supports it. And using that Ocean's Eleven analogy, we really turned the problem on its head and realized, what is it the adversary needs to do to conduct this activity and broke it down to those areas and ensure that in every single one of those investigations that we were doing, or our partners that the other agencies were doing went after those.
And those four areas that we call them, the key services are, malware in the delivery system by which you're going to get it on the network, the infrastructure by which you're going to launch the attacks, as well as then you have to remember they're running a business here. It's a criminal business. And like any business, there's an accounting function. You need to be able to track what has been done, who's been victimized, who is the affiliate, who did the victimization? Where do we stand in the negotiations? How much money have they paid? Have they paid because there is no honor among thieves? They will steal from each other just as much as they will steal from all of us. So, they have to track that. That is also infrastructure. And that's been really important to understand that because that provides some opportunities as well as then on the other side, we will give some advice as far as what you can do, of things that actually matter that will help us get to these individuals. In addition, they need some sort of communications platform by which they're going to task, direct, attract new members and engage with the victims. And then finally, they're doing this to make money. So, there's got to be some sort of entity that's involved with moving that money out of our pockets into those of the adversary where someone else can't get it.
And pretty much exclusively, at least over the last six years, they are leveraging cryptocurrency to do that. And so, that has been the approach that the U.S. Government and its partners has taken. And they're starting to be some actions in there. Last year, about a year ago, the FBI had an operation with its partners against the Hive ransomware group, where for seven months the FBI was on their network pulling down decryption keys and handing out to victims every time they got victimized. And you went from a group that was engaged in $110 million in losses over a year, to about $9 million in those seven months. What was interesting about that case was that we had a complete list of all the victims in there, and we found out only about 20% of them were reporting to law enforcement, which is not a good situation. In that case, it was okay because we had access to their system, and we could go out and give a decryptor to them. But I will tell you, there are other instances where the FBI has or had descriptors. Alfie, BlackHat, Sodinokibi, REvil. If people don't call us, if we don't have that access, we can't deliver it to you.
27:45 - 28:15
Brita Bayatmakou: Bryan, that's a really good point. This is why we always encourage member firms to reach out to us, to reach out to their risk monitoring analyst, or whomever, because we're increasingly deepening our own partnerships with law enforcement and can get people to the right place. And it'll help us to identify whether that may impact the industry in a broader sense. So, I cannot emphasize enough the importance of reporting. We're not here to revictimize anyone. It's absolutely important as we all tackle this as a whole.
28:16 - 28:24
Kaitlyn Kiernan: Yeah, and I have heard that some firms feel afraid to report cyber incidents. So, what would you say to someone with those feelings?
28:24 - 29:04
Bryan Smith: Well, one, I think there's a value add for them. It's that you actually may get information from law enforcement or from us about the threat that you wouldn't otherwise know, and it may help you through those situations. In addition, I know from my experience at the FBI is that we are there to help you through those initial stages of if we've got information that's going to help you restore your network, identify other areas where the group is, tactics that they're using, the FBI is going to share that with you to help you through that situation. Their ask is that they just get the basic information that they need to help go after the actors.
29:05 - 30:00
Brita Bayatmakou: In terms of a positive spin on things is with increasing amounts of technology and tools, we've been able to leverage things like crypto tracing tools. Bryan mentioned the use of crypto in ransom payments and other types of payments across the cyber ecosystem, and that's really opened up our ability to conduct forensic investigations and potentially gain attribution around criminal groups. So, this is a skill set that we've developed internally within FINRA, and it's a big component of how we've been trying to address, within my unit, challenges when we're looking at a cyber investigation where that team may have stopped with the information around a ransomware attack, now we've got a crypto team that's able to bring in their expertise, and we're structured in such a way that we can look further and start to follow that thread and dive deeper using those kinds of tools and technology. So, it's a really exciting time.
30:01 - 30:17
Kaitlyn Kiernan: Great. Well, thank you for providing some of the positive news out there. And then just to wrap things up, if you could give folks a tip for one thing that you could do today to make themselves feel better about their cyber security posture, what would you tell them to do?
30:18 - 31:41
Brita Bayatmakou: First of all, it's all about adaptation. I mentioned resiliency a few times, and we need to be thinking about how do we become resilient for the inevitable cyber incident that we're all going to experience. How do we get comfortable with emerging technology in this shifting landscape? We cannot afford to put our heads in the sand. This is not someone else's job. So, I think if you're listening to this episode, there's a good chance you work within a member firm or maybe you're a compliance or risk management professional. So, get to know your IT partners. Get to know your firm policies and procedures and identify who you can ask questions to. There is a lot of advice around how to get the fundamentals right, whether it's understanding your systems and testing your employees in a variety of ways. But if you're not able to do that, if you're not able to understand the ins and outs, find out who is and understand the vernacular. Understand what questions to be asking your third-party vendors, because that will help you to raise your own awareness and contribute to this. There are a lot of resources out there and publications, whether it's CISA's cybersecurity alerts, the FBI alerts, a lot of third-party vendors themselves have really useful publications that firms can leverage. So, I'd say think holistically about who has information that can help you improve your own cybersecurity posture.
31:41 - 33:28
Bryan Smith: And I don't know if I could say that there's one. I would probably put it into three different buckets. One, there's technical advice, and Brita just went through a number of things that you can do there. And I can't overemphasize enough of doing the fundamentals right, the basics, looking at your logs, making sure you have logs, have your system updated, that sort of thing. Those are things that any firm should be able to do. You don't need the huge budget to do those types of things, and certainly stay on top of the threat information that's coming in. The second one is think functionally. We are in this situation because somewhere along the line we forgot that these systems we put in place are there to serve business needs. They were developed to enable global supply chain, for us to speed up commerce, to work and communicate globally at a speed and a price that you didn't see before.
Those are business problems that technology was solving. And somewhere along the way we said, that's an IT problem. That's for them to deal with. The way we get out of this is that we get a partnership between the IT people who know technology and people who know business and are looking at it from a functional side of what could an adversary do if they got into our network? And let me make sure I'm working with IT to protect that. And you can't protect everything. And so, you want to make sure you're protecting the crown jewels and what's really important to your group and your department, which is going to vary within an organization. But those conversations need to be had because we got to marry that up. And then the last one is be prepared. You've got to expect that you're going to get attacked, and you need to have a plan in place for what you're going to do when that happens.
33:29 - 34:14
Kaitlyn Kiernan: Thank you, Bryan and Brita, for joining me for this episode. We talked about a lot of interesting resources, so our listeners should be sure to check out the show notes of the episode for links to those and more, including information on our 2024 Cyber Threat Briefings, which I highly recommend you check out. And listeners, if you don't already, you can subscribe to FINRA Unscripted to stay up to date on all of our latest episodes, and you can send any thoughts on today's episode or ideas for future episodes to us at [email protected]. Today's episode was produced by me, Kaitlyn Kiernan, coordinated by Hannah Krobock and edited and engineered by John Williams. Until next time.
34:14 – 34:19
Outro Music
34:19 - 34:47
Disclaimer: Please note FINRA podcasts are the sole property of FINRA, and the information provided is for informational and educational purposes only. The content of the podcast does not constitute any FINRA Rule or amendment or interpretation to such rules. Compliance with any recommended conduct presented does not mean that a firm or person has complied with the full extent of their obligations under FINRA Rules, the rules of any other SRO or securities laws. This podcast is provided as is. FINRA and its affiliates are not responsible for any human or mechanical errors or omissions. Parties may not reproduce these podcasts in any form without the express written consent of FINRA.