Most cyber criminals are money-motivated — this puts the financial services industry at heightened risk of a data breach.
According to the Financial Stability Board (FSB), an international body overseeing the global financial system, the industry saw a jaw-dropping 3900% increase in cyber attacks in a single year. The move to remote work increased the scope for threats, says the organization’s report, and financial services firms should continue investing in and maintaining their security efforts.
Whether you’re an international investment firm, mid-sized insurance company, or independent financial planner — cyber security should be at the top of your priority list.
Following these ten best practices can quickly improve your firm’s defence and reduce the odds of a cyber attack.
1. Gain cyber situational awareness
A financial services’ firm’s first step toward stronger cyber security starts with building cyber situational awareness (CSA). CSA is all about developing the big-picture perspective that will help you proactively secure your firm and sensitive client data, and consists of three parts.
The first is knowing your IT infrastructure. This could include (but is not limited to) computers, phones, software, data, smart devices, third-party vendors, and any cloud-based services your teams use.
The second is knowing the cyber risks to your financial services firm, such as phishing emails, malware, credential theft, and outdated “legacy” hardware that no longer receives critical security-related updates.
The third and final part is knowing how to respond to identified threats. Regardless of your firm’s size or specialty, this likely includes using complex passwords, implementing multi-factor authentication (MFA), and developing an incident response plan to name a few — but more on these later!
2. Train employees and stakeholders
The end user is the weakest cyber security link for financial services firms. Many cyber attacks rely on social engineering techniques to fool users into opening malicious links or sharing their credentials. If successful, attackers may then:
- Redirect financial payments to a banking account they control
- Sell your client’s private data on the dark web
- Steal intellectual property (IP) and demand ransom to get it back
What does effective cyber security training look like?
Educate employees on the red flags of a social engineering attack. Phishing emails often have typos or strange formatting, a strategic move to evade spam filters or isolate the more gullible victims. The message may also include aggressive or intimidating language, random file attachments, requests for sensitive information, and more.
But don’t stop there. You may also want to include information about:
- Data privacy regulations and how they affect operations — for example, what are the rules for data breach notification?
- Physically securing IT assets — make sure employees know to use hard-to-guess passcodes for their company phone.
- How to respond to a cyber security incident — where should employees forward suspicious email messages? And when?
3. Be password wise
Passwords are the first (and sometimes only) line of defence that prevents attackers from accessing accounts and compromising sensitive client information. Far too many users rely on weak credentials. Yes, simple passwords are easy to remember, but also easy for attackers to guess.
Here are a few commonly used “weak” passwords:
What’s in a strong password?
Passwords should be long and complex, using a mix of upper and lowercase letters, numbers, and symbols. Every added character makes it more challenging and time-consuming for an attacker to crack. We also recommend using passphrases — strings of words that make sense to the user and no one else.
A strong password may look like:
How to track account credentials
Another essential cyber security tip is never to reuse passwords. A single set of breached credentials could put any other account using that same login information at risk.
But don’t worry about having to memorize them all — password managers make it easy to generate, manage, and store hundreds or even thousands of unique credentials.
We recommend looking for a password manager that works for your platform (such as iOS or Linux), has a strong reputation in the cyber security community, offers reasonable pricing for your firm, and demonstrates a clear commitment to data protection.
4. Use multi-factor authentication (MFA)
Multi-factor authentication (MFA) adds another defensive layer by requiring two or more authentication factors to confirm user identity. There are three main forms of authentication we see today:
- Passwords, passphrases, or personal identification numbers
- Hard tokens (USB key) or soft tokens (text message or notification from an authenticator app)
- A unique biometric characteristic (fingerprint or face ID)
How MFA improves your defence
With MFA enabled, even if an attacker obtains an employee’s password, they won’t have the keys to the kingdom. They’ll still need other credentials to access the account, limiting the success of certain cyber attacks such as business email compromise (a tactic that often involves gaining access to an executive’s email account and posing as the victim to initiate financial transfers). Page Break
Virtu Financial is a recent victim of BEC. With offices in nations like the US, UK, and Canada, this global financial services provider lost nearly $7,000,000. Cyber criminals illegally accessed an executive’s email account and, posing as the victim, requested two wire transfers. Not only did the attackers get away with millions, but the victim company’s insurance provider refused to cover much of the loss.
5. Use a virtual private network (VPN)
Accessing firm data over a shared internet connection can introduce added risk. While convenient, public hotspots typically have minimal security measures, which makes them easy targets. If your employees must use public Wi-Fi, a virtual private network (VPN) can help secure their connection.
How a VPN works
A VPN works by masking the user’s internet protocol (IP) address, defending against cyber crime tactics that target weak infrastructure, such as:
- Man-in-the-middle attacks — the attacker, positioned between two users, intercepts or alters communications data.
- DNS poisoning — when the attacker exploits domain name system (DNS) vulnerabilities to reroute traffic from a legitimate server to a malicious one.
When to use a VPN
There are several instances when it would be beneficial to use a VPN:
- When using public Wi-Fi
- When travelling (especially in an airport or hotel)
- When accessing the firm’s network remotely
Choose a VPN based in a friendly country (one with solid data protection laws) with nearby servers to ensure a fast and reliable connection. Remember that, unlike certain firewalls, VPNs can’t stop users from clicking on malicious websites or links.
6. Patch and update regularly
Attackers are always looking for ways to circumvent your firm’s defences — and they might exploit an outdated or unpatched system to do that.
Updates are changes applied to software or operating systems, often to optimize performance or fix a bug. Patches, however, are specific updates that address cyber security vulnerabilities found by the developer.
In other words, all patches are software updates, but not all software updates are patches.
The Equifax breach that compromised hundreds of millions of customer records (and cost the agency $700 million) illustrates the importance of patching. According to an extensive report by the House Oversight Committee, the company failed to patch a disclosed vulnerability that the attackers went on to exploit during the attack.
What we mean by patching “regularly”
Applying patches as soon as they become available is a critical way to reduce security gaps, but it’s proving to be a challenge for many businesses. The UK’s Cyber Security Breaches Survey 2021 found that only 43% of organizations have patching procedures in place. Having a policy in place helps ensure that employees apply critical updates as soon as possible.
7. Back up critical data
Financial services firms should routinely back up critical data to ensure they can recover important files and resume operations quickly after a cyber attack. Backing up data can help protect against other incidents as well — such as when hardware malfunctions, files become corrupt, or a physical disaster limits access to essential files.
Keep copies of your firm’s data on an external hard drive, another secure location off-network, or a secure cloud-based backup service.
Choosing the right backup provider
Every backup solution has its advantages and disadvantages. Take the time to select an approach based on your firm’s unique needs. For example, saving business-critical data to an external hard drive might not make sense for remote-only firms or for those lacking an experienced employee to carry out the work.
No matter the backup solution you choose, ensure it’s compliant with industry and national-level regulations such as the Financial Industry Regulation Authority (FINRA), the Financial Conduct Authority (FCA), and even the General Data Protection Regulation (GDPR).
8. Take a proactive approach to cyber security
Insurance is often considered a proactive must-have. More and more businesses turn to cyber security insurance to keep them protected against any future incidents. But an insurance policy won’t stop cyber criminals from targeting your financial services firm, nor will it guarantee reimbursement after an incident.
In fact, the New York Department of Financial Services recently recommended that cyber insurers stop paying ransom since doing so could encourage similar attacks in the future. Two months later, one of Europe’s top cyber security insurance providers stopped reimbursing ransom payments.
While having cyber security insurance is an important step to take, unless used alongside other defensive measures, it offers little refuge from a cyber attack.
What does a proactive approach look like?
A proactive approach involves implementing preventive measures that improve your firm’s security and reduce the chances of an incident. This commonly starts by building out an incident response (IR) plan.
Taking the right steps before, during, and after an attack can help get your business back up and running fast. By proactively developing (and regularly testing) an IR plan, you will have a clear, easy-to-follow, and up-to-date playbook to use when an attack occurs.
9. Continually monitor your network
Threat monitoring could technically fall into the “proactive approach” outlined above, but this cyber security measure deserves its own section.
The best way to keep your firm secure is to monitor your network, cloud-based services (such as customer relationship management systems), and endpoints (such as laptops) for cyber threats. It may seem complicated however the right software makes it easy.
Financial services firms should turn to holistic threat monitoring, detection, and response platform for their security needs. Cyber attacks are an unfortunate reality, but end-to-end visibility and the proper response can minimize damage to your firm and valued clients.
10. Stay on top of emerging threats
The financial services industry experiences a lot of conventional cyber attacks, such as business email compromise, ransomware, and nation-state. But cyber security is always changing, and you may not have time to keep your finger on the pulse of the threat landscape.
Instead, sign up for our newsletter below. You’ll receive the latest news about new and emerging threats, cyber security best practices and tips, informative webinar invites, and more!