A recent letter drafted by the Financial Services Roundtable (FSR) and sent to financial services companies promotes a risk-based cybersecurity approach. Noting the diversity of institutions, the FSR proposes moving away from imposing rigid requirements on all firms and instead holding individual firms accountable for customizing cybersecurity programs that align with their own risk profiles.
Challenged constantly by the difficulties of managing security risks from the Internet of Things (IoT), mobile devices, the cloud and legacy systems, financial services firms need the agility to adapt—or continue to be bombarded by cyber attacks.
Financial Firms Are a Cyber Crime Magnet
An April 2017 IBM X-Force Research report shows that financial firms are targeted by an astounding 65% more cyber attacks than the average business, and that the number of financial services records breached soared 937% in 2016 to over 200 million. Given these dismal conditions, it’s no wonder that 95% of the top 20 U.S. commercial banks have a network security grade of “C” or below, according to the 2016 Financial Industry Cybersecurity Report cited by Fortinet Senior Director Brian Forster in a March article.
Steeped in money and valuable data, financial services companies will remain in cyber criminals’ cross-hairs as they deal with:
- Rapid digitization. Finance firms are embracing the cloud and connecting on-premises devices and legacy systems to it, which complicates the security environment. Matters are further muddled by multi-vendor security platforms, which can create gaps in protection.
- Human fallibility. Remote workers and mobile devices have increased not only the size of network attack surfaces, but also the number of attack vectors. Cyber criminals use this to their advantage and attack financial services firms through employees with phishing and other social engineering scams. It doesn’t help that many employees access networks with devices that don’t have the proper security safeguards.
- Constant rule changes. Frequent regulatory changes, and the requirement to comply with them immediately, have firms scrambling. Cyber attacks often happen amidst compliance chaos.
Steps to Risk-Based Cybersecurity
While the challenges above are common to many finance firms, there’s no one-size-fits-all solution to cybersecurity. Firms need to view cybersecurity and business strategy holistically, and identify and prioritize risk based on the value of specific business functions and assets. This requires a risk-based cybersecurity approach focused on:
- Assets. Locate and identify your most valuable assets. Where and what are they? How are they protected? What would happen if they were exposed? Picture worst-case scenarios, focus on actual risks, and change your approach as the picture changes.
- People. People are the weakest link in cybersecurity. Educate employees on threats and behaviors to avoid, as well as how to report mistakes and suspicious activities.
- Documentation. Develop processes and protocols for managing and responding to threats. What is your plan for responding to zero-day threats? How do you enforce policies and penalize policy infractions?
- Technology. An advanced network infrastructure doesn’t remain so for long. Updating systems and applying patches on schedule is a must; so is regular testing.
Having full visibility into these factors is a first step to targeting security to your firm’s risk profile. It assumes that critical assets require more security than non-critical assets, and that your cybersecurity posture needs constant adjustments to stay ahead of changing threats.
Would you like an assessment of your risks, assets and cybersecurity posture? CCSI can help you evaluate your network and develop a risk-based security strategy to address them. Contact us.