For most of us, few things cause greater fear than hearing that our financial information has been breached. Or, even worse, that criminals have gained access to our funds. Many financial services organizations must now demonstrate their IT security and compliance in order to do business with new customers – not to mention satisfy nervous vendors and insurance providers.
When stepping up IT risk management for your financial services firm, make sure you don’t overlook these seven common areas of weakness that can prove deadly to security and compliance.
Risk assessments.
Many financial organizations don’t perform risk assessments unless they’re required to, and they rarely have a formal annual review plan. Establish an IT risk management calendar so that some key areas are audited at least annually: network infrastructure, threat detection, endpoint protection, patching, vulnerability scans, user accounts, passwords, file system permissions, unauthorized applications, and physical access to sensitive office areas, to name a few.
Cyber insurance.
Many firms don’t carry cyber insurance, and for those that do, the coverage is often inadequate. Not all cyber insurance is created equal. If you simply added it to your business liability policy on your broker’s suggestion, investigate what is actually covered, including exclusions, sub-limits and the conditions (such as required security controls) under which a claim can be denied. You may be surprised, and not in a good way.
Vendor due diligence.
Establish a rigorous due diligence process for any vendor you use – especially your IT provider. Request audit reports from independent third parties, ask for copies of their insurance coverage, and talk to existing customers to ensure the vendor is worthy of your trust.
Authentication.
Give serious attention to your authentication standards. Set up two-factor authentication, at a minimum for all email and remote access. If someone can log in and see your data with just a username and password, your risk profile is significantly higher. Not all second factors are equal: codes sent by SMS can be intercepted or phished, so prefer an authenticator app or a hardware security key where you can.
Data encryption.
Without data encryption, a stolen laptop or a backup intercepted in transit poses a huge risk. To mitigate this, ensure your backups are encrypted both at rest and in transit, and put full-disk encryption in place on your laptops, and ideally on all your computer systems, to prevent a data breach. Disk encryption only protects a device that is powered off or locked, and a recovery key that is not escrowed somewhere safe turns a lost password into a lost machine, so manage the keys as carefully as the data.
Backup/disaster recovery testing.
When we evaluate a business, nine out of 10 times its backup is not working as promised and is rarely tested. The problem is usually not the product, but inattentive management. Schedule regular review of backup job results, verify that what was backed up can actually be restored and is intact (a job that reports success is not proof), and plan to perform a full offsite restore test at least annually.
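The two points above, backups encrypted at rest and a restore test that proves the data comes back intact, can be automated together. The following Go program is an added example written for this page, not code from the author or any product the page mentions. It seals a backup image with AES-256-GCM, records the SHA-256 of the plaintext at backup time, and then runs the check a scheduled restore exercise should run: decrypt, recompute the checksum, and fail loudly on a wrong key, a corrupted or tampered copy, or a checksum mismatch. The backup contents and the key are constructed sample data; in practice the key would come from a key manager, never from source code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// EncryptedBackup is the at-rest form of a backup image: AES-256-GCM ciphertext
// plus the SHA-256 of the plaintext, recorded at backup time so that a restore
// test can prove the data came back byte-for-byte identical.
type EncryptedBackup struct {
	Nonce      []byte
	Ciphertext []byte
	PlainSHA   string // hex SHA-256 of the plaintext
}

// newGCM builds an AES-256-GCM AEAD; the key length check is deliberate so a
// truncated or mis-sized key fails at backup time, not at restore time.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts a backup image under key with a fresh random nonce and
// records the plaintext checksum alongside it.
func SealBackup(key, plaintext []byte) (EncryptedBackup, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return EncryptedBackup{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedBackup{}, err
	}
	sum := sha256.Sum256(plaintext)
	return EncryptedBackup{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		PlainSHA:   hex.EncodeToString(sum[:]),
	}, nil
}

// RestoreTest decrypts the stored backup and compares the result against the
// checksum taken at backup time. GCM's authentication tag catches a wrong key
// and any corruption or tampering of the stored copy; the checksum catches a
// manifest that no longer matches the data.
func RestoreTest(key []byte, b EncryptedBackup) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("restore failed: cannot decrypt backup: %w", err)
	}
	sum := sha256.Sum256(plaintext)
	if got := hex.EncodeToString(sum[:]); got != b.PlainSHA {
		return nil, fmt.Errorf("restore failed: checksum %s != manifest %s", got, b.PlainSHA)
	}
	return plaintext, nil
}

func main() {
	// Constructed sample data standing in for a backup archive and its key.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	image := []byte("client-ledger-2024.tar: constructed sample backup contents")

	backup, err := SealBackup(key, image)
	if err != nil {
		panic(err)
	}
	// At rest, the plaintext must not be recoverable from the stored file.
	fmt.Println("plaintext visible in stored backup:", bytes.Contains(backup.Ciphertext, image))

	restored, err := RestoreTest(key, backup)
	fmt.Println("restore test passed:", err == nil && bytes.Equal(restored, image))

	// Simulate bit rot or tampering on the stored copy and rerun the test.
	damaged := backup
	damaged.Ciphertext = append([]byte(nil), backup.Ciphertext...)
	damaged.Ciphertext[0] ^= 0x01
	_, err = RestoreTest(key, damaged)
	fmt.Println("damaged backup detected:", err != nil)
}
```

Run this as the automated half of a restore exercise: a real test still restores onto separate hardware at the offsite location and has someone open the restored systems, but a nightly decrypt-and-verify of the latest image catches silent corruption and key mismanagement months before the annual test would.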
End user awareness training.
No matter how solid your firewall, antivirus or spam filter, your end users represent your greatest risk. Most successful attacks rely on information obtained from an unwitting end user. To protect your data and reputation, require all staff to participate in a monthly computer-based training program that includes simulated attacks, such as phishing tests, so you can measure whether the training is working.
If your financial services organization has these areas in hand, congratulations. If you think improvement is needed, start here. At a minimum, perform a risk assessment, figure out where you need remediation, and create an action plan. Following this simple framework will help your compliance and reduce your business’s IT risk.
By Karl Bickmore, CEO