Data security is on the mind of every risk manager, but does it have the same level of importance for your C-suite, the board, or your customers? It should, and your job will be exponentially easier if you can get at least two-thirds of that list on board. Data breaches are extremely common, but there are few industries in which a breach can be as damaging as in the financial industry. The sheer quantity of customer PII that you hold makes you a prime target, a position shared only by healthcare, insurance, and very few other fields.
Preventing data breaches in finance can safeguard your reputation, and it will help to protect your bottom line from the civil penalties, payment for damages, and the restitution that could result from a successful cyber attack. As consumer data privacy takes a front seat for government legislators, more and more regulations are being passed that will hold enterprises responsible for failure to implement security measures and protect private citizens’ sensitive information.
Leverage Available Intelligence and Best Practices
The Financial Industry Regulatory Authority (FINRA) maintains a checklist on its website with some best practices when it comes to cybersecurity. Even if you don’t strictly deal with financial services, FINRA’s checklist is still a great starting point to look for ways to improve your security posture. Cyber threats are constantly evolving, and the financial industry has to stay on its toes to respond effectively to newly emerging threats.
Trust the Experts
Like everything else, cybersecurity is frequently outsourced, because it is exceedingly difficult for every enterprise to staff high-quality security personnel, especially if you’re a small business. While keeping in mind the key risk indicators for vendor management, a team of third-party IT security experts can be just what is needed to review your security measures and make some tweaks or policy recommendations.
Learn From Past Mistakes
Closely examining some of the largest successful data breaches in the financial sector is one of the best ways to prepare for the inevitable cyber attacks that will target your enterprise. We’ll highlight some of the major events and their respective attack vectors just below.
September 2017 Equifax Data Breach
In this incident, the PII of over 147 million customers was compromised. That is nearly 40% of the entire US population that had their data stolen as a result of this breach. Because of its failures in this instance, Equifax was fined $700 million.
The attackers gained access to Equifax’s systems through a known security vulnerability for which a patch had been available for over six months. Once inside, the unsegmented nature of Equifax’s network allowed essentially unfettered access to its data. As if that wasn’t damaging enough, the cyber criminals located customer login credentials that were completely unencrypted and stored in plain text. The final nail in the coffin was that the ongoing exfiltration continued for months because administrators had failed to renew an encryption certificate for a tool that would otherwise have detected the breach.
October 2014 JPMorgan Chase Breach
This data breach exposed the contact information of 83 million customers. What makes this specific incident so noteworthy is not what was taken, but what was available for the taking. The attackers in this instance were able to obtain the highest possible level of administrator privileges as well as root access to 90 of JPMorgan Chase’s servers. The attackers could have made off with a wealth of financial information, but they focused on customer contact details, likely in order to perpetrate future targeted social engineering attacks.
A detailed investigation into this attack revealed that access was obtained through a seemingly minor oversight. When a network server was updated, IT personnel failed to re-enable multi-factor authentication on it.
Conclusions
An analysis of these incidents provides us with several key takeaways:
- Update your software
- Implement network segmentation
- Utilize a third-party vendor risk management platform
- Use an attack surface monitoring solution
In both of these events, an attack surface monitoring solution would have provided early warning of the incident and prevented such a high volume of PII loss. In the Equifax incident specifically, earlier detection and breach notification would have prevented the allegations of insider trading that resulted after executives began selling off stock before the breach became public knowledge.
Embrace the Risk
Hands down, the most critical step that you can take to adjust your security posture is to stop looking at prevention as the only option. Preventing data breaches in finance enterprises entirely is highly unlikely. Cybercriminals have targeted this industry because of the high reward of a successful breach, and they will continue to find innovative ways to compromise your systems and infrastructure. Incident response and attack detection must be integral parts of your cybersecurity program.
Implement Standard Cybersecurity Practices
Requiring strong passwords for both customers and employees, enabling multi-factor authentication, establishing end-to-end encryption, and effectively securing every device with network access may seem like common sense, but failures in these areas have caused some of the most substantial data breaches in history. Cybercrime is here to stay, and recognizing the importance of these steps will take your organization a long way toward addressing a large segment of its threat landscape.
Combat Social Engineering Through Education
We could have included this tip in the previous section, but its importance justifies an entry of its own. Social engineering, including phishing and its related attacks, is by far the most common type of cyber attack. This holds true for major companies, private citizens, and small businesses alike. Properly educating both your employees and customers in common phishing and social engineering methodologies will enable them to recognize when they are being targeted. This can go a long way toward preventing data breaches in financial services by stopping these same individuals from simply handing over sensitive information or login credentials to cybercriminals.
Address Remote Employee Security Concerns
Whether your business allows remote work as a full-time option or it is a rare occurrence, remote access is a prime opportunity for bad actors to gain entry to your secured network. The temptation of public WiFi, poorly secured personal devices, and other weaknesses can allow criminals to slip in through the proverbial back door. We have always advocated against bring-your-own-device (BYOD) policies, and that is still a prime recommendation. Almost as important is the use of a VPN to connect remotely to internal systems. This provides a more secure connection for your employees and is a step toward preventing man-in-the-middle attacks.
While processing financial information may be your forte, at Venture Lynk we provide customized third-party vendor risk management solutions for a wide variety of customers. Allow our industry experts to evaluate your cybersecurity posture and leverage their own experience to benefit your company. Our vendor management team is even capable of working wholly within your pre-existing vendor management platform to free up your personnel for other tasks.