Keep out of the headlines and ahead of the competition:
By Adam Louca, Chief Technologist - Security, Softcat
Globally operating financial services firms, by their very nature, are subject to a host of different cybersecurity regulations which can make navigating data rules and keeping compliant a challenging task.
Some players in the global financial market see intervention by regulators in such matters as an additional burden to generating revenue. However, it’s essential to be transparent and make appropriate adjustments early enough to protect your business, its customers and to proactively secure its future.
#1 Cast the net wide
Ensuring everyone in your organisation is aligned with your cybersecurity strategy—and is responsible for implementing their piece of the puzzle—is critical.
A big part of this includes regularly training employees on good IT and security practices and ensuring they follow through with what they’ve learned.
Every individual should understand how to manage their electronic equipment and what to do in particular web-based scenarios. You should also be able to test this knowledge by running security drills.
For example, companies today often send fake spear phishing emails out to employees for training purposes, to see who clicks on the links or attachments and who flags it to the right team.
Clicking on attachments from bad actors is one of the main ways malware ends up on a company’s network. It’s also one of the most common forms of ‘attack’ an employee will face, so it’s critical they follow protocol on these issues.
While regular training from in-house or external experts is an absolute must, make sure you break it down into chunks and avoid using technical acronyms, to prevent employees feeling overwhelmed.
Try to make the training relevant to their lives outside the organisation and show them how to use this information to protect their personal online lives as well, which will resonate far more effectively.
#2 Reliable processes
With GDPR soon coming into force, information security and privacy should be at the heart of every internal process. It’s absolutely critical for financial companies to implement an acceptable digital use policy, which addresses questions around business travel, critical customer data, how it should be categorised and timely responses to security incidents.
You may wish to put certain technologies in place to monitor and limit access to certain files or information. However, it can be hard to cut through the marketing noise when it comes to choosing which solutions are best for your business.
So, before deciding, draw up a technology roadmap which aligns with your company’s overall growth strategy and encourage collaboration on this with senior management who manage budgets across other departments. You can then cross-compare where there are technology gaps in the company and identify if budget needs to be prioritised or re-allocated to protect vulnerabilities.
Some organisations will find they don’t need to implement new technology, they just need to better use what they already have in place and tailor it to their environment. For instance, maybe you already have a firewall in place, but you haven’t necessarily configured it to block all traffic originating in an area notorious for hacking.
#3 Don’t forget external partners
There’s no end to major cyber breaches which originate from third-party suppliers. This year, Equifax blamed its giant data breach on a flaw in an externally provided piece of software it was using. The problem gets worse when you consider the risks don’t always end when a supplier relationship is terminated.
However, research has shown that when companies evaluate the security and privacy policies of all suppliers, the likelihood of a breach falls from 66 percent to 46 percent. Proper oversight pays dividends beyond just compliance benefits.
Once a company has a clear picture of who all their vendors are and which of them have access to sensitive data, a variety of methods are available to help maintain security. For example, you could discuss the option of regular vendor self-assessments, request customer visits and audits, or ask them to purchase specific cyber insurance.
If your company or an external supplier experiences a data breach, it’s important to create an intelligent response plan that outlines the scenarios you could face and their potential business impact.
You must identify the critical systems you need to keep online and you’ll also need a strong communication plan in place to inform your partners, customers and the public in a timely and sensitive manner before it hits the headlines. Have a single spokesperson and prepare a script providing answers to likely technical questions.
You also need to make sure the organisation stores, secures and retains all system logs in original forms so they are admissible as evidence.
#4 Involve customers
If an attack occurs, is it possible to earn back your customers’ trust?
The answer is ‘yes’, but it will take time and you will need to be honest and completely transparent. Creating a better cyber security culture extends to your customer base.
Graham Cluley points out how common it is for companies to hide their data breach announcements in the darkest corners of the web where they’re less likely to be spotted.
Call us old-fashioned, but when has burying your head in the sand ever been the right approach to a crisis?!
Providing detailed information about the breach in real-time updates, including how the issue is being resolved and expected timing, is vital. This can be accomplished by sending out emails and social media updates whenever possible.
You could place a prominent, temporary banner on your website’s homepage letting customers know an incident has occurred. Not everybody checks their emails and not everybody reads the news, so this is another way to let a customer know about any cyber security incidents.
Help your customers understand they have control over their personal information and how it can be managed post-breach. This can be done by having them re-confirm their preferences once the breach is resolved. Compensating victims in accordance with the severity of the breach is also a good solution. They will appreciate the additional support and the efforts you’re making to re-build trust.
There are two kinds of financial services firms: those that have faced a cyber-attack and those that will. The moral of the story is that business leaders have the responsibility to build defences that are both comprehensive and resilient to limit damage, speed recovery and, most importantly, create a stronger, more informed employee culture.