A Security Checklist for Financial Institutions
In the eyes of the cyberattacker, just about anything and everything out there is a target. But whether the immediate aim is the theft of personal and confidential information (such as passwords and PINs) or gathering enough data about somebody to launch a covert identity theft attack down the road, the ultimate goal is one thing: to get money, and lots of it.
In this regard, one of the most vulnerable industries here in the United States is the financial industry. Despite various pieces of federal legislation mandating that financial institutions improve their systems of controls and audits, many of them are still victims of cyberattacks.
In this article, we look at some of the major security topics that should be included in any checklist a CIO or CISO uses to make sure their financial institution is complying with federal legislation and mandates.
Note that for the purposes of this article, the term “financial institution” can mean any organization that handles money and related transactions for a customer. This includes banks, lending centers, brokerage institutions, stock and commodities trading firms and so forth.
1. Use Approved File-Sharing Programs
It’s obvious that many financial institutions, at least here in the United States, create and possess many documents. These can range from simple bank statements to confidential financial modeling data that the banks have to send over to the federal government for review and approval.
In order to electronically transmit these sensitive documents from one place to another, employees have to use file-sharing programs. Most financial institutions already provide such a tool, which is supposed to have built-in security features. But employees, being creatures of habit, often prefer the software tools they are accustomed to. Many of these tools send information in clear text across the network, which makes it very easy for a cyberattacker to intercept and hijack mission-critical information and data.
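The practical check behind this item is whether anyone is actually moving files with unapproved or unencrypted tools. The following is an added example, not code from the article: it scans a few constructed egress firewall/proxy log lines (key=value fields) and flags cleartext file-transfer protocols leaving the internal network, plus large uploads over HTTPS to any host other than a hypothetical approved service (`files.corp.example`). The log format, the approved host and the size threshold are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of egress firewall/proxy log lines (key=value fields);
# not data from any real institution.
SAMPLE_LOG = """\
2024-03-04T10:15:22Z src=10.1.4.22 dst=203.0.113.9 proto=ftp dport=21 bytes_out=8388608 user=jdoe
2024-03-04T10:16:01Z src=10.1.4.22 dst=10.1.7.5 proto=smb dport=445 bytes_out=120000 user=jdoe
2024-03-04T10:17:45Z src=10.1.4.31 dst=198.51.100.77 proto=http dport=80 bytes_out=5242880 user=asmith
2024-03-04T10:18:10Z src=10.1.4.31 dst=192.0.2.10 proto=https dport=443 bytes_out=9000000 user=asmith host=files.corp.example
2024-03-04T10:19:03Z src=10.1.4.40 dst=192.0.2.44 proto=https dport=443 bytes_out=7340032 user=bkim host=share.example.net
"""

# Protocols that carry file contents (and often credentials) unencrypted.
CLEARTEXT_PROTOCOLS = {"ftp", "tftp", "http", "smb", "telnet"}
# Hypothetical approved file-sharing service (assumption, not from the article).
APPROVED_HOSTS = {"files.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LARGE_UPLOAD_BYTES = 1_000_000  # review threshold for uploads to unapproved destinations (assumed)


@dataclass
class Finding:
    timestamp: str
    user: str
    dst: str
    reason: str


def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the private ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_risky_transfers(log_text: str) -> list:
    """Return one Finding per flow that violates the file-sharing policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        external = not is_internal(rec["dst"])
        proto = rec.get("proto", "").lower()
        size = int(rec.get("bytes_out", "0"))
        if proto in CLEARTEXT_PROTOCOLS and external:
            findings.append(Finding(rec["ts"], rec["user"], rec["dst"],
                                    f"cleartext {proto} transfer to external host"))
        elif external and size >= LARGE_UPLOAD_BYTES and rec.get("host") not in APPROVED_HOSTS:
            findings.append(Finding(rec["ts"], rec["user"], rec["dst"],
                                    f"{size} bytes sent to unapproved destination"))
    return findings


if __name__ == "__main__":
    for f in find_risky_transfers(SAMPLE_LOG):
        print(f"{f.timestamp} user={f.user} dst={f.dst}: {f.reason}")
```

Internal SMB traffic is deliberately left alone here so the output stays focused on data leaving the institution; the same parser can feed a stricter rule set if the policy also forbids cleartext transfers internally.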
2. Train Employees to Recognize Phishing Emails and Social Engineering Attacks
Although many financial institutions have relatively good spam filter technology in place, there are still quite a number of attacks that get through, especially the phishing emails. The cyberattacker of today knows how to make these phishing emails look very convincing, enough so that a financial institution’s employee will fall for it, submit their private/confidential information and leave a door of opportunity open for the cyberattacker.
Social engineering attacks can also happen to any organization, but they are very prevalent at financial institutions, especially targeting the lower-ranking employees such as administrative assistants. The cyberattacker can sweet-talk one of these employees into divulging contact information that will later be used in a business email compromise (BEC) attack, which normally involves transferring a large amount of money to a fictitious bank account overseas.
3. Screen Your Third-Party Vendors
In an effort to save money, financial institutions often hire contractors from third-party vendors in order to carry out day-to-day tasks, especially when a deadline is looming. One of the best examples of this is the Comprehensive Capital Analysis and Review (CCAR), which takes place on a yearly basis at the top 30 banks in the United States.
These banks must provide documentation to the federal government that they would remain solvent should another Great Recession (like the 2008 one) occur. This huge project involves the work of many people, and these banks are often understaffed for it, so they often wait until the last minute to hire third-party vendors to help out. The result is that these third-party vendors are not properly screened and vetted, increasing the chances that there could be a rogue contractor among them.
4. Implement Safeguards to Avoid Data Loss
As mentioned before, information is vital for any financial organization, whether it’s customer data or just internal data. But in either case, it must be protected so that it does not fall into the hands of a cyberattacker. Examples of bad practices include the following:
- Using a USB flash drive to store confidential information so that an employee can work from home
- Sending company documents or memos to a personal email address so that they can be more easily accessed by the employee
- Leaving a laptop exposed to theft while using it in a public venue
- Tossing confidential financial documents into the trash
If it’s in your budget, it is highly recommended that you seek the help of an accounting firm or a cybersecurity firm to help you establish your set of data loss prevention controls and to get regular audits.
Other common safeguards include securely deleting all data from discarded hard drives and shredding documents before disposing of them.
5. Make Sure That Only Company-Issued Devices Are Used by All Employees
It should be part of your organization’s security policy that employees must use company-issued devices (such as laptops and smartphones) for their work-related activities. They should be constantly reminded of this and the consequences if they do not follow through with this.
Under no circumstances should the employees be allowed to use their own smartphones to conduct work-related matters. This will greatly reduce the risks of what is known as “BYOD,” or Bring-Your-Own-Device. The primary reason for this is that company-issued devices will already have all security measures implemented into them to make sure that no confidential information and data is accessible to a cyberattacker.
It’s also important to conduct routine audits of these company-issued devices to make sure that the employees have not disabled or deleted any security-related applications that were installed onto them. This also includes all forms of communications. As mentioned previously, under no circumstances should personal email or social media accounts be used to communicate messages that are sensitive in nature. Only authorized means of communication should be used, such as company email or an approved instant messaging application.
6. Make Sure That All Lines of Network Communication Are Secure for Remote Employees
Given that many employees like to work remotely, it is very important that your financial organization maintains the highest levels of security standards for remote login and network access. In this regard, you should implement the use of Virtual Private Networks (VPNs) between the employee’s laptop and the corporate servers. Also implement the use of two-factor authentication (2FA).
Apart from using the normal password, you could also consider using the RSA Security Token and biometric technology in order to fully authenticate a remote employee.
7. Make Sure That Your Entire IT Infrastructure Is Up to Date
This simply means that your entire IT staff has been trained and is keeping up with installing the latest firmware/software patches and any other relevant updates on all of the servers, workstations and mobile devices. It is important to keep a regular schedule of this and to be sure that the duties are distributed among various employees, not just one.
8. Be Sure to Implement a Strong Password Policy
Passwords are still the prime source of interest for the cyberattacker, especially at a financial organization. Therefore, it’s critical that you have a very strong password policy in place. This will of course mean that employees will have to create long and complex passwords, so in this regard, you should consider making use of a password manager application.
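As an added example of what enforcing such a policy looks like in code (this is not from the article; the thresholds, the short blocklist and the organization terms are assumptions), the following checker rejects candidate passwords that are too short, use too few character classes, appear on a known-bad list once decorating digits and symbols are stripped, contain the user's name or the institution's name, or rely on repeated or sequential characters:

```python
import re

# Constructed, deliberately short blocklist; a production deployment would check
# against a large breached-password corpus instead.
BLOCKLIST = {"password", "password1", "qwerty123", "welcome1", "letmein", "changeme"}
MIN_LENGTH = 14       # policy values are assumptions, not figures from the article
MIN_CLASSES = 3
MAX_RUN = 3           # longest allowed run of one repeated character
SEQ_LEN = 4           # shortest ascending/descending run treated as a pattern


def character_classes(pw: str) -> int:
    """Count which of lower, upper, digit and symbol classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def has_simple_pattern(pw: str) -> bool:
    """True for runs like 'aaaa' or keyboard-style sequences like '1234' / 'dcba'."""
    if re.search(r"(.)\1{%d,}" % MAX_RUN, pw):
        return True
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - SEQ_LEN + 1):
        window = codes[i:i + SEQ_LEN]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, user_name: str = "", org_terms=()) -> list:
    """Return the policy rules the candidate violates; an empty list means accepted."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("length")
    if character_classes(pw) < MIN_CLASSES:
        violations.append("classes")
    normalized = pw.lower()
    # Strip digits/symbols so "Password2024!" is still caught by the blocklist.
    if normalized in BLOCKLIST or re.sub(r"[^a-z]", "", normalized) in BLOCKLIST:
        violations.append("blocklist")
    identity = [t.lower() for t in (user_name, *org_terms) if t]
    if any(t in normalized for t in identity):
        violations.append("identity")
    if has_simple_pattern(pw):
        violations.append("pattern")
    return violations


if __name__ == "__main__":
    for candidate in ("Winter2024!", "Password12345678", "Tr0ub4dor&3Horse-Stable"):
        print(candidate, "->", check_password(candidate, user_name="jdoe") or "accepted")
```

Returning the list of violated rules rather than a bare yes/no lets the enrollment page tell the employee exactly why a password was refused, which is what keeps a strict policy workable alongside a password manager.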
9. Lock Down All Devices
It should be a part of your security policy that whenever an employee leaves their workstation, they should immediately lock their computer so that nobody else in their absence can access it. But this is often a forgotten task, so it should be part of your security checklist that after a couple of minutes, the workstation should activate an auto-lock.
10. Conduct Penetration Testing Exercises
One of the best ways to make sure that your lines of defense are up to par is to conduct various penetration testing scenarios. This should occur on a regular basis, with a minimum being at least twice a year.
11. Make Sure That You Have a Backup and Recovery Plan
No business or corporation, especially a financial organization, is immune from a cyberattack. Therefore, it is always best to prepare for the worst. This means that you have a solid backup and recovery plan in place and that you prove its viability by testing it from time to time under real-world conditions.
12. Always Maintain a Support Line
It’s important to keep in mind that security technology can’t always track down every anomaly in the cyberthreat landscape. Employees are also a great resource for observing anything out of the ordinary, and thus there should be a dedicated security support line in place so that they can report any suspicious behavior or anything unusual to the right personnel.
This article has examined some of the top security topics that a financial organization should include in their checklist. There are many others as well, but the items listed in this article should give you a good start in compiling your checklist. But in order to make sure that your organization is as secure as possible, it is recommended that you consult with a cybersecurity specialist who has a strong level of expertise in this area.