6 Security Best Practices for Financial Services

A business that provides financial services or handles sensitive financial data needs to implement security measures to abide by the multiple financial compliance regulations. Not only that, but cyber attackers predominantly target financial institutions. 

According to the IBM X-Force Threat Intelligence Index for 2020, businesses in the insurance and finance sector experienced more cyberattacks in 2020 generally. Hackers are undoubtedly looking to access financial hubs directly, and financial institutions need to protect their client’s financial data. 

Unfortunately, cyber attacks can weaken public confidence around that institution, be a significant liability, and cost millions of dollars (even for midmarket companies). Therefore, it’s important to establish security best practices.

The methods of security you use will depend on the type of data you collect, how it is being collected, and the number of data you collect. If you are new to this industry and need to start upping your security, then be sure to establish these six best practices as soon as possible.

1. Implement a Formal Security Framework

Every business needs a formal security network. Companies in the financial sector need to mitigate cyber risk through two major guidelines: NIST and FFIEC. 

NIST, or the National Institute of Standards and Technology Cybersecurity Framework is a prominent framework for information security (the PDF can be accessed here). This framework follows three levels of security progress (the core, tiers, and profile), and it provides guidelines for how businesses can identify, protect, detect, respond, and recover in terms of risk management and data security.

NIST’s framework is multifaceted and much more complex than it may appear at first. Within each level, there are different elements. Each cybersecurity plan must develop its framework functions (identify, protect, detect, respond, and recover) and organize them by categories, subcategories, and informative references. Therefore it is essential to go through each element at each level of your cybersecurity process to ensure that your security framework is thorough. 

Work through every framework function at the framework core:

  • Identify: Locate and identify business contexts, critical resources, and cybersecurity risks essential to an organization. You should locate people, assets, data, systems, and capabilities within a business; consider this as your primary organizational assessment regarding security. Expected outcomes of this are asset management, governance, risk assessment, and risk management strategy.
  • Protect: Look at the organization’s safeguards to ensure the delivery of the aforementioned critical services. Will include identity management and access control, maintenance, protective technologies (like a firewall), and data security (like DLP tools).
  • Detect: Develop activities that identify and alert an organization to the occurrence of a cybersecurity event. These functions might include anomalies and events, continuous monitoring, and the organization’s detection process (like SIEM systems and employee monitoring).
  • Respond: Develop and implement the strategies and appropriate activities for taking action when a cybersecurity incident is detected. This function might include response planning, threat/attack analysis, threat/attack mitigation, and security improvements. 
  • Recover: Implement a robust recovery plan so your business can return to normal operations and reduce the impact of a cybersecurity event. Functions included in this category include improvements, recovery planning, continuity plans, and communications. 

Once you do this, you can move on to the tiers and then create a cybersecurity profile.

FFIEC is another handbook that should be referenced by companies that provide a financial service. FFIEC stands for the Federal Financial Institutions Examination Council, and they provide an Information Technology Examination Handbook, a comprehensive list of security guidelines.

While these guidelines may be extensive, they are crucial for a financial organization to abide by. Setting up security policies for your financial data will better assist your team in complying with other regulatory standards, like PCI-SSD, SOX, and GLBA.

2. Arm Your Employees with Knowledge

Your employees are additional lines of defense against malicious attackers. And preparing your employees with knowledge, tools, and key red flags will help you mitigate risk better. 

On top of this, your employee negligence could lead to insider threat attacks, so preparing your employees is very important. 

Fileless, zero-footprint malware are pervasive ways that hackers can access critical financial network infrastructure. This malware can be lethal, holding your data and sensitive information hostage. Educate your employees on what that type of malware behavior is and what it looks like will help to prevent this effective malware from bypassing the firewall.

Hold regular security awareness training sessions to update your employees on changing cybersecurity policies and best practices. If employees need to log in with multi-factor authentication and change their password regularly, they will be more receptive to these hindrances when armed with knowledge. 

3. Perform Continuous Threat Monitoring

Businesses in the financial sector must perform 24/7 threat monitoring. This is critical because hackers don’t sleep, and Security Operations Reports reveal that 35% of malicious threats were detected in off-hours (between 8 pm and 8 am). 

Hackers will do anything to access a financial institution network, so continuous threat monitoring needs to occur. Have employee monitoring software run as soon as a user logs on that identifies when a malicious hacker breaks into your network; they might log on with employee credentials through remote access. 

Since your network servers will stay connected to the internet even when workstations are off and the company is closed, hackers can still access this network through latent phishing scams, IP masking, and stealing credential log-ins. While the hacker may have gained access to this sensitive data at another point in time, they will most likely try to hack into your system while everyone is asleep. 

At this point, the hacker already has the sensitive data, and your firewall, antivirus software, antimalware may not stop the intruder. Implement a security incident alert that monitors sensitive data (DLP software) and watches when sensitive financial data is moved, modified, copied, or deleted. 

4. Assess and Manage Vulnerabilities

As part of your cybersecurity framework, your business needs to assess network vulnerabilities. This is one of the first recommendations from the Federal Trade Commission’s five principles for data protection: take stock. 

Taking stock of all the potential vulnerabilities in your company network may prove shocking. You may have old employee accounts, third-party integrations, and shared access points that you didn’t know about. Ask that your systems administrator assess these vulnerabilities and mitigate these vulnerable endpoints. 

Once you take stock, try to scale down and limit the number of endpoints that a hacker could access your sensitive data. Since businesses in the financial industry are susceptible to identity theft and major financial loss for their clients because of a security breach, you do not want sensitive data to be protected by only one set of safeguards. 

For example, implement a zero-trust policy for security. Use encryption to protect sensitive information and house this data in a secure data center or a password-protected network location with limited access. This will be guarded by multiple stages of password protection as well. The idea is to limit the number of unexpected ways that attackers could access unprotected or minimally protected data ports. This is called locking it down. From here, you can remove unnecessary or duplicate data and plan for data protection.

Common vulnerabilities include personal devices, personal networks (especially for remote workers), cloud computing, third parties, former employee log-ins, and integrated apps. 

5. Manage Third-Party Risks

With the average organization using 129 apps, this means that there are plenty of avenues that malicious actors can take advantage of your company. Each of these apps, and other security endpoints that IT or your security team might not know about, risk increases. Patching these endpoints will be critical to keeping networks secure. 

Additionally, Gartner assumes that a large portion (they estimated about a third in 2020) will result from shadow IT resources and the Internet of Things, otherwise known as vulnerabilities and risks that IT was unaware of.

It can be challenging to track down all of an organization’s vulnerabilities, especially if much of your organization log-on through a mobile device or integrated app. However, you can track movement in your system/software environment and prioritize critical vulnerabilities.

Third-party risks are, of course, part of this equation. Especially in the burgeoning decentralized fintech industry, more private businesses adopt the software-as-a-service model (SaaS) for online banking, outsourcing much of the businesses’ critical functions to third parties. Therefore, each relationship that a company has, whether they are vendors, suppliers, or partners, brings added exposure to personal information.

Minimizing third-party risk will include securing financial data, as previously mentioned, through a secure framework and security protocols and limiting the data that third parties have access to. Establish security postures with your vendors and require that all your business partners follow your security requirements if they collect customer data (this may even be necessary for regulatory compliance reasons). Your third-party business partners may be liable to security and regulatory audits, so be sure to enter into a clear and agreeable relationship.

Another best practice is segmenting your network. This allows you to limit the areas that third parties can access, organizing potentially dangerous endpoints in secluded clusters. 

6. Create a Strong Cybersecurity Culture

Cybersecurity demands that your entire business structure is focused on securing your data and protecting your clients’ financial information. Therefore, cybersecurity is more than just an IT problem; you need to have everyone on board. 

This will be necessary when it comes to training your employees around red flags and informing employees about incident response plans. Employees will need to be prepared, and they must understand why these regulations are necessary. It can be as simple as noting, non threateningly, that this is vital to the company’s survival (i.e., if the company fails at this, the company, and the livelihood of the workers, are at risk).

Cybersecurity is extremely difficult, but a company in the financial sector needs to maintain adequate security protocols and best practices to protect against a data breach and widespread financial fraud. 

Keep your staff informed about cybersecurity on a need-to-know basis, and regularly update your security protocols with the most up-to-date requirements. 
Your system should have all of the essentials established and regularly perform security audits so that you know your system is still secure. With intuitive monitoring software with UEBA technology, you can stay on top of threats and vulnerabilities.

By SoftActivity Team

May 31st, 2021