7 Cybersecurity tips for your financial services business

Reading time: 7 min

Despite modern security methods, data can remain vulnerable to attackers who are constantly improving their software. The frequency of attacks is growing rapidly every year. The first risk group is the tidbit for hackers – financial firms. Economists at the World Bank argue that in the United States alone, they are responsible for more than 50% of hacks. According to Cybertalk, in 2020 the number of cyber attacks against such organizations increased by 238%. What can they do to protect themselves?

Formal security framework

First, you need to familiarize yourself with basic recommendations from the official structures for cybersecurity at the state and world level.

The Federal Communications Commission (FCC) recalls the first line of defense – firewalls. Not only standard, but also internal ones on work and home computers of employees. You can join voluntary firewall programs that already contain the necessary tools to filter and document your cybersecurity policy.

Remember to regularly update your protection protocols, create and validate data backups and examine cloud files to identify vulnerabilities. Additional antiviruses will protect you from phishing attacks. Multifactor identification using personal mobile numbers of staff will secure passwords and become an additional barrier.

Collaborate with national cyber alert systems and follow their news to quickly learn about new types of threats and get support if necessary. Consultations with private experts and companies will help you choose the right cybersecurity policy. They will suggest additional programs to reduce vulnerabilities, analyze traffic and check files.

Explore the global cybersecurity agenda set up by the International Telecommunication Union, one of the UN agencies. It is built on the following principles: legal, technical and organizational measures, capacity building and interaction in the event of cyber attacks. Take a look at the ISO Generally Accepted and National Information Security Certification that contains comprehensive guidelines, for example, NIST and FFIEC standards.

Read more: How to best identify your organization’s training needs

Information armor of employees

The InfoWatch Analytical Center has recorded that since last year, employees have increasingly become the reason for the success of phishing attacks. 44.1% of leaks occurred due to their wrong actions or inaction and 55% of losses due to cyber attacks could have been avoided if people inside the company did not violate the basic principles of information security. Employees create simple and identical passwords, download malicious files, click on suspicious links, ignore program updates and danger warnings.

Even reputable companies sin with such a negligent attitude. So in 2021, there was a sensational attack on Colonial Pipeline, an American pipeline system, which completely stopped its operation for five days. The human factor is to blame. The employee reused the password that had already been hacked and leaked to the darknet and the system did not use multifactor authentication.

It is easier to fool a person than a machine. For cyber attacks through personnel, manipulative methods of the so-called social engineering are used. For example, they fake corporate letters and resources or write from fake pages of colleagues. When a document is opened, the malicious code launches an invisible download of the file so that hackers gain remote access to the computer. An interesting video or a reminder to update something may be sent to the mail and when you try to save an attachment, Trojans are launched. Calls allegedly from a provider or a neighboring department, flash drives presented at conferences, intruders entering the office disguised as employees – the imagination of burglars is truly limitless.

Keeping up with cybersecurity policies for both new and old employees will help counteract all this. It also requires additional control from management and computer systems, strict requirements for passwords, device blocking and attentiveness to suspicious content.

You can arrange training and testing, but with a reasonable approach. For example, Go Daddy, an IT company, tested the staff’s ability to resist phishing attacks, but lost their loyalty in the process. The firm sent everyone a letter promising to pay $650 for the New Year and asked for their details. 500 people believed and were very offended when they learned that instead of an award, they should take a course on cybersecurity. The organizers had to apologize.

Continuous threat monitoring

The reaction to cyberattacks generally comes too late. Deep Instinct has published a report which says it takes 20.9 hours on average to take protective measures. During this time, the hackers manage to do everything they have planned. Therefore, it is important to always be on alert, think over all possible scenarios in advance and continuously analyze the degree of vulnerability of systems.

Attackers often start their actions at night or on holidays, cover up the fact of hacking, disguise themselves in every possible way in order to delay the moment of detection and make it as unexpected as possible. In well-thought-out and consistent steps, they capture more and more data every hour. It is like a snake bite – if you notice it in time and immediately get rid of the poison, you will survive. Continuous monitoring with the help of a complex of software and the observance of precautions will help reflect an attack at its initial stage.

• Do not rely on antivirus alone.
• Make it a rule to periodically test your processes.
• Do not use outdated programs.
• Keep an eye on the network where computers are connected.
• Install reliable vulnerability scanners that will automatically run regular checks.

You can outsource monitoring and join general programs for tracking attacks in order to know about the current weaknesses of other companies and learn from other people’s experience.

Assessment and control of vulnerabilities

Some companies specifically employ hackers to attack them. Who, if not a thief, knows better all the available loopholes to your property? For example, the Dash cryptocurrency made a challenge: “Hack us if you can and get a cash prize.” Apple hired hackers to develop a more secure version of iOS and so did Twitter. There are special Bug Bounty programs on the basis of which people can receive rewards for discovering vulnerabilities. They were used by Facebook, Yahoo!, Google, Reddit and Microsoft. This is effective, but, unfortunately, very costly.

Most companies resort to self-assessment of security defects, contracts with specialized companies and individual professionals in this area. Comprehensive testing should be monitored constantly, otherwise cybercriminals will take advantage of pauses and unexpected errors.

Deficiencies are identified and eliminated in order from most critical to least significant. Automated tools are perfect for this, producing multipage, detailed reports with clearly sorted issues. These programs are easy to customize, they immediately send recommendations on how to solve the detected shortcomings and allow you to compare the results with previous testing.

Risk assessment includes not only an analysis of the degree of protection against third-party intrusion. It also deals with overall performance and finding bugs that can harm the system.

Third party risk management

Financial enterprises constantly interact with partners from various fields of activity. The threat can also come from them. Like in ordinary life: they give a child vitamins, dress them warmly, strengthen their immune system… But then the child goes to the kindergarten where they play with a sick boy and pick up the virus from them. You can become a random catch for hackers who want to make the most of their data. They can also purposefully attack partners in order to get to your company through them.

Let us remember how the NordVPN service was hacked. The operator of the Finnish data center, from which the company rented a server, made a gross mistake. Without any coordination, he connected an insecure remote access program which the hackers happily took advantage of. The service found and fixed the leak only after three months, but due to the high security parameters, they could not inflict significant damage on it.

Partners will vouch for safety and responsibility, but you shouldn’t just take their word for it. Back up yourself with the following measures:

• send your specialists to them to conduct an independent review of the security system;
• if you entered into a transaction as an affiliate, you have the right to make joint strategic decisions and optimize information protection;
• put forward requirements for cybersecurity practices at a formal contractual level, securing the consent legally;
• constantly monitor the status of your servers in order to calculate the threat in time.

These actions will not give you a 100% guarantee, but they will definitely minimize the risks. In case of damage due to the fault of the partner, you will be compensated for it.

Strong cybersecurity culture

Protection from external threats should not only concern the management of the company, but be part of the corporate culture and internal rules. Every employee should think about it: from the top to the lower positions. The board of directors starts such an initiative, regularly supports and monitors it. The team not only accepts it, but also understands that it is very important to achieve this.

Back in 2002, the UN Assembly approved 9 requirements for a global cybersecurity culture:

• awareness;
• a responsibility;
• response;
• ethics;
• democracy;
• risk assessment;
• design and implementation of security tools;
• security management;
• revaluation.

You can apply them to your culture. In this regard, Yahoo is setting a positive example. They offered employees something like a large-scale role-playing game: some pretended to be hackers, others caught them red-handed and others analyzed the actions and developed an optimization plan. Among the main tasks was to train everyone to use password managers and to improve the overall tone of cybersecurity. Here are the main ideas that came out in the end:

• Be clear about the goals of good behavior so that the person does not invent them on their own and always rely on the verdict of the security department.
• Monitor the response of the employee to staged threats without them knowing it and consider the next steps depending on the test results.
• Constantly work to improve the measures taken and try new techniques, reinforcing everything with strong motivation.
• Do not punish or force/ People themselves should want to protect their company from threats and understand what is required from them for this.

Employees were rewarded with interesting gifts for performing the necessary actions and even competition. On special panels, the progress bar of each department was recorded, which everyone watched. As a result, Yahoo was able to achieve its mission and double the number of correct responses to phishing attempts.

Comprehensive response plans

A planned response to a cyberattack will help neutralize the effect of surprise and immediately begin protective measures. Both the manager and the trainees should know their proper cybersecurity guidelines. What should you do first if you have lost access to your account? How do you identify a fake email and a hacking attempt? Answers to these questions must be prepared. Everyone should know the instructions for identifying a leak, reacting to a cyber attack and recovering from it.

Take simple steps to keep yourself safe:

• Document the common types of attacks that you can potentially face.
• Assess the magnitude of the probable problems and prioritize how to solve them.
• Connect cybersecurity experts to come up with a comprehensive response strategy.
• Arrange in-house testing and educate your employees on the cyber defense plan.

However, do not forget that the strategy may be outdated and needs to be updated regularly.

Conclusion

In today’s reality, it is dangerous to think that a cyberattack can happen to anyone but you. Hackers are interested in companies of all sizes and the financial sector faces the most serious risks. It is better to prepare in advance, spend some of the funds and prevent the threat than to lose huge percentages of profit after its implementation.