It shouldn’t be a surprise that financial services companies are prime targets for online security breaches. In the first half of 2019, these were the top eight industries reporting data breaches, according to CSHub.com:
1. Health care
2. Retail
3. Finance and insurance
4. Government agencies
5. Information (data collection and distribution)
Interestingly, the authors of the CSHub article suggest that one of the reasons health care continues to top the list of breached data is its strict compliance and reporting guidelines. Like businesses in the financial sector, health care operations are bound by rules that require them to notify consumers when data has been breached; other businesses with looser standards might not make data breaches known to the public.
In the retail space, we see overlap between data breaches among retail/commerce companies and the financial sector — again, anywhere money changes hands, you’ll find security threats. Swipe-and-go and point-of-sale systems are favorite targets of cybercriminals, especially at gas stations and ATMs, according to CSHub.
Despite being some of the earliest adopters of fraud detection and prevention, as well as having some of the highest standards in online security, banks, financial firms and insurance companies continue to be favorite targets of cybercrime for obvious reasons. Criminals go where the money is.
Verizon studied security “incidents” and “breaches,” where incidents are defined as any kind of security disruption, and breaches are specific data leaks (so, all breaches are incidents but not all incidents are breaches). They found that the financial industry had the most breaches in one year, across all industries, and small firms reported the highest number of breaches because “they aren’t as well equipped to neutralize such security intrusions as large companies,” according to a government report.
This is why more small to midsize firms are partnering with third-party platform-as-a-service providers like us, at Empaxis. Because our turnkey asset management platform integrates with a wide range of software programs and web-based solutions, we have to adhere to the highest standards in data security. Certifying we are ISO 27001-compliant and providing social engineering training for our team are just some of the measures taken to ensure security.
The biggest threat to any organization’s cybersecurity is human error. For financial firms, human vulnerability lies not only with your employees but also with your clients. There are steps you can take to secure your clients’ online data.
When was the last time you read and updated your data security policy? We recommend that you follow the cybersecurity framework laid out by the US National Institute of Standards and Technology (NIST) and the information security guidelines listed by the Federal Financial Institutions Examination Council (FFIEC).
Data security is not an IT department’s sole responsibility. Data security should be part of everything you do, from every piece of paper you print to every interaction your team members have through their keyboards.
The FFIEC suggests that organizations develop a “security culture,” meaning that data security becomes part of your everyday operations. Companies with strong security cultures ensure that security is integral to every product and service they produce and sell. Another feature of an effective security culture is holding employees accountable for complying with your data security policy.
1. Multi-factor authentication, especially when employees access your asset management platform from outside your physical walls. Some firms even go so far as to allow only very limited external access to backend applications. Some banks, such as USAA, are requiring their customers to use multi-factor authentication every time they log onto their accounts, even when they log in from recognized devices. This may be a slight inconvenience to the bank’s customers, but it sends a clear message that the bank is doing its best to protect their customers’ most sensitive data.
2. Strict BYOD (bring your own device) policies. BYOD refers to employees bringing their own mobile devices to the workplace, or using their personal devices to do work. Some companies do not allow employees to bring their own devices, while others allow it as long as the employee is willing to install company-managed firewalls, antivirus and anti-spyware technology.
3. Annual or twice-yearly cybersecurity training. Your IT team or outsourced partner should be able to provide you with educational materials about the most recent threats to data, as well as best practices for protecting your clients’ accounts. Share horror stories of how much it costs organizations when they are breached by ransomware.
4. Foster a security culture by regularly sharing news and information about best practices for protecting your clients’ data. Employees are your first line of defense against security incidents, and knowledge is their weapon.
5. 24/7 threat monitoring, like we do at Empaxis.
6. Turnkey asset management platforms, such as TAMP1. With secure connections in place, cloud-based applications can protect data in ways internal servers couldn't. For example, if there is a fire or some other physical damage to the server, then that data might never be recovered. With a secure cloud-based system, data remains protected and accessible regardless of damage to locally stored devices.
The FFIEC information security handbook describes a layered approach to cybersecurity, built from three kinds of controls:
1. Preventive controls, such as firewalls and access controls, that prevent unauthorized users from accessing data
2. Detective controls, such as antivirus and antimalware applications, that scan for and detect potential threats
3. Corrective controls, such as an emergency response plan, in case preventive and detective controls fail
As more financial firms respond to client demand for 24/7 access to their accounts, as well as cross-channel connectivity, the challenges for securing their data increase. After all, you can prevent, detect and control only what’s within your sphere of access; you can’t manage your clients’ devices, internet access and cybersecurity practices.