Top Five Safety Measures CUs Must Take

My recent conversation with a small wealth management firm proved to be insightful — for both myself and the executives. Since the firm isn’t a conventional bank, they believed they were not as vulnerable as many other financial institutions, and therefore had less to worry about as far as security breaches go. Why would someone bother with them? After all, they didn’t have nearly the volume of data that regional or national banks have at their fingertips, they reasoned.

As the conversation continued, I hypothesized that while they aren’t a traditional bank, they were very active in mergers, acquisitions, and divestitures of companies as a means of generating growth for their clients’ investments. Wouldn’t you want to keep that info away from the hackers, who could profit from it themselves by gaining market-timing advantages or selling the information to someone else? Of course, the executives admitted that that was an interesting perspective and they needed to ensure proper protections are in place to secure their enterprise.

Gone are the days when cyberattacks happen only to large banks. Financial institutions, credit unions included, are collecting unprecedented quantities of structured and unstructured data. This data could be analyzed to yield enormously valuable insights—but also could serve as a high-quality target for bad guys. Anyone who stores personal data or allows it to flow through their network is a potential target. A single distributed denial-of-service (DDoS) attack can wreak havoc on any bank for months by deflating IT team productivity, driving customer downtime, reducing margins and degrading brand reputation.

With these cautions top of mind, there are five safety measures financial institutions can take to more effectively protect themselves and their customers.

Compliance, Policies, Procedures

Cyber security is paramount at every layer of IT infrastructure, including cloud. Today’s financial services professionals need to look beyond known threats and implement a complete security program to continually monitor the ever-changing landscape. To adequately prepare and guard your critical infrastructure from an attack, you have to plan and implement a multi-layered security approach. Your strategy and focus should include putting several controls in place, as well as implementing and following policies—before a cyberattack happens. This includes adopting best practices such as automated patching and reporting, and increased tracking, compliance and monitoring, as well as having a chief security officer on board. Because hacking tactics are always changing, your team needs to not only be proactive, but predictive. Where are we most vulnerable? What should we safeguard the most? Planning with these questions in mind gets stakeholders aligned.

Training

The big question is whether an organization has the knowledge to fully understand all the security implications of potential breaches. Based on my past experience, I’ve seen a lot of companies fall short because they focus on technology and don’t put a similar focus on training. Employees need constant education in order to stay vigilant—keep in mind that about half of all breaches are enabled by workers (usually unwittingly).

While 99% of employees want to do the right thing, there are always risks associated with someone clicking on a phishing link, for example. Training has to be driven into your corporate culture. It has to come from the top, with leadership—not just the IT department—making it a priority. Employees are both the weakest links and our strongest advocates. If they’re trained properly, your organization becomes far stronger. But in order to succeed, you have to guard against an array of tactics, including social engineering, in which a scammer is able to mislead someone into providing sensitive information simply by talking with them.

Understand Your Adversaries

Don’t overlook the clues right in front of you. Many organizations are learning that they need to think like the attackers who want to steal, corrupt or destroy data. The more you understand about their behaviors and actions, the better equipped you’ll be. This approach can lead you to spot activity that’s atypical and respond more effectively. Breaches occur through a variety of adversaries, including cyber criminals, terrorists, hacktivists and insiders. Each group has its own motives, though some may overlap. You have to become threat-focused to confront any and all attacks, whether they’re phishing attacks, copying data to insecure devices, deleting or modifying critical data or capitalizing on the use of unapproved devices. It’s scary, but many financial services organizations have already been breached—they just don’t know about it. Malicious operators are like sharks constantly nibbling at the cage. They’re always there.

Advanced, Proven Technology

Companies need significant resources to constantly manage and monitor firewalls, logs, user applications and intrusion detection systems (IDS) in order to prevent and guard against cyberattacks. An effective managed security platform can ensure business resiliency, provide complete visibility into your security environment from a single view and reduce exposure through multiple intrusion points. Of utmost concern is being able to overcome the challenges of escalating threats while keeping pace with changing regulations. Doing this effectively results in gaining more visibility into what’s going on across your environment. This means you are able to understand what is happening at any given time.

Choose the Right Partner

Many organizations choose to outsource their IT security operations. But when it comes to outsourcing security, it’s truly buyer beware. The first consideration: You need to decide exactly what you need to protect—generally, devices, network, applications and data—and then determine what components of these areas you want to outsource. Then, you need to choose the right partner (or partners) for your specific needs. The more you can consolidate vendors, the more efficient your strategy will be. Part of this comes down to understanding the balance between performance and cost. You should understand that you will never be 100 percent secure. Choose a vendor who can help you make the right decisions around balancing performance, effectiveness and cost.

Tim Kelleher is vice president of security at CenturyLink, Monroe, La.
