Financial institutions face specific, grueling cybersecurity challenges. These are reflected in industry regulations, such as the New York State Department of Financial Services (NYDFS) Proposed Regulation, slated to take effect on January 1, 2017.
"Under the Proposed Regulation, Covered Entities must have a written cybersecurity policy that outlines every aspect of its cybersecurity program and explicitly addresses how the Covered Entity complies with each of the Proposed Regulation’s requirements."
The requirements are extensive and include areas of focus such as incident response and data governance. Regulations like these can have a profound effect on the industry. As Joseph Vitale wrote for the Harvard Law School Forum on Corporate Governance and Financial Regulation, "Given New York’s importance in the financial services industry, not only would the effect of the Proposed Regulation be felt immediately across the country, other regulators may follow New York’s example."
Mitigating Financial Risk with Cybersecurity Regulations
In the banking and financial industry, the security challenges are largely consumer-facing, explains Devi Momot, Twinstate's CEO.
"You’re trying to achieve the balance of excellent security and privacy of critical information, while at the same time trying to make it really easy for the authentic customer to have access to their money and financial services," Momot says.
"Everybody wants everything to be easy access. They want it when they want it, and they want it to be easy. How do you keep all of that information and all of those pieces of information that can be turned into money as secure and as private as possible?"
Balancing ease of access with security is inherently challenging. Add mobile devices to the mix and the challenge grows exponentially. The number of devices per individual is now greater than one, and people often use those devices for banking. Says Momot, "If you have other rogue applications on your device, they could be harvesting information from the banking app. Your device itself might be secure, but the device could be a common point that strips away security. How can the banking industry protect against that?"
And how can it protect against any number of other attack vectors (a mobile device, a wireless home network, wireless sensors, and so on) that arise from the same trade-off between ease of use and security?
End-to-end encryption is becoming much more popular. Data can be encrypted from the point of origin to the point of extraction for viewing. That's becoming more and more challenging, too, but Momot predicts we'll see massive strides forward in the adoption of this technology. Banking organizations, especially, will be close to 100 percent adoption, she predicts.
"There are varying degrees of implementation today. But it's not too far from being used for every aspect, from the file level to the deepest potential level of encryption," Momot says.
Multi-factor authentication, wherein every user has at least two means of authenticating identity, is also an opportunity to enhance security. Authentication factor types include: something you are (a biometric, like a palm scan), something you know (like a password), something you have (like a token or swipe card), and somewhere you are (via GPS coordinates). After the infamous iCloud breach, Apple started providing two-factor authentication. More and more, organizations holding any type of sensitive information are going to start requiring this as a condition of participation on their platforms or apps.
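The factor categories above are the basis of the following added example (not code from the original post or from Twinstate): a login check that only counts as multi-factor when at least two distinct categories are verified, so two "something you know" factors never satisfy it. The password hash, TOTP secret and branch geofence are constructed demo values, and the geofence is a simple lat/lon box standing in for a real location service.

```python
import hashlib
import hmac
import struct

# Categories from the text: "know", "have", "where" (and "are" for biometrics, which
# needs a sensor and is omitted here). Multi-factor means >= 2 DISTINCT categories verified.

# Constructed demo credentials; not real secrets.
PASSWORD_SALT = b"demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
TOTP_SECRET = b"0123456789abcdef0123"          # 20-byte shared secret for the token
BRANCH_GEOFENCE = (40.7128, -74.0060, 0.05)     # hypothetical lat, lon, half-width in degrees


def verify_password(candidate: str) -> bool:
    """Something you know: PBKDF2 hash compared in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(digest, PASSWORD_HASH)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP code (HMAC-SHA1, dynamic truncation) for one 30-second step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(code: str, now: float, window: int = 1) -> bool:
    """Something you have: accept the current step plus/minus `window` steps of clock drift."""
    step = int(now // 30)
    return any(hmac.compare_digest(totp(TOTP_SECRET, step + d), code)
               for d in range(-window, window + 1))


def verify_location(lat: float, lon: float) -> bool:
    """Somewhere you are: simplified geofence check (a box, not a real geodesic radius)."""
    clat, clon, half = BRANCH_GEOFENCE
    return abs(lat - clat) <= half and abs(lon - clon) <= half


def authenticate(factors: dict, now: float) -> tuple[bool, set]:
    """Return (allowed, categories_verified); allowed only with two distinct categories."""
    verified = set()
    if "password" in factors and verify_password(factors["password"]):
        verified.add("know")
    if "totp" in factors and verify_totp(factors["totp"], now):
        verified.add("have")
    if "location" in factors and verify_location(*factors["location"]):
        verified.add("where")
    return len(verified) >= 2, verified
```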
Data Governance and Classification
When a business has been operational for many decades, as Twinstate has, there tends to be a lot of data associated with that business. Many organizations are similar in that certain servers have been used as repositories for all sorts of data. Newer apps tend to be segmented off, following current best practices. But older servers and apps can allow wide-open access, a problem Momot says can be solved with data classification and rules of least privilege.
It's important to realize that passwords are not enough to protect your business from the many risks presented by employees with privileges. Momot highlights this idea: Every admin needs to be someone who is ultimately trustworthy, has a clean background (do a background check on everyone!), and has your back in every scenario. And even if you think you can trust someone, implement rules of least privilege.
That's a standard approach where everyone only has access to what they absolutely need access to on a daily basis. Technically, the CEO has the right to know everything. But do they have the need to actually get into the payroll file daily? If not, remove the privilege. Maybe you could elevate privileges, if necessary, during the accounting manager's vacation, for example.
"In an ideal world, accounts payable people will only have access to those files they need daily, and nothing else," says Momot. "Same with IT people. Certain people should be responsible for certain apps or infrastructure — and then that's it. Nothing else. That's the only set of keys they have," she says. That will lower the risk to the organization in the event that someone steals credentials or an employee goes rogue.
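The least-privilege model described in this section, with a permanent grant for daily duties and a separate time-boxed elevation to cover an absence, as an added example (not code from the original post or from Twinstate). The principals, file names and durations are constructed; the audit log is a plain list standing in for a real logging pipeline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    action: str
    expires: Optional[datetime] = None   # None = permanent grant for a daily duty
    reason: str = ""


@dataclass
class Policy:
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def grant(self, principal, resource, action, reason="", expires=None):
        self.grants.append(Grant(principal, resource, action, expires, reason))

    def elevate(self, principal, resource, action, days, reason, now):
        """Time-boxed elevation (e.g. covering a vacation); it expires on its own."""
        self.grant(principal, resource, action, reason, now + timedelta(days=days))

    def allowed(self, principal, resource, action, now) -> bool:
        """Deny by default; allow only on an unexpired grant, and record the decision."""
        for g in self.grants:
            if (g.principal, g.resource, g.action) != (principal, resource, action):
                continue
            if g.expires is None or now < g.expires:
                why = g.reason or "daily duty"
                self.audit.append(f"{now.isoformat()} ALLOW {principal} {action} {resource} ({why})")
                return True
        self.audit.append(f"{now.isoformat()} DENY {principal} {action} {resource}")
        return False


def build_demo_policy() -> Policy:
    """Constructed policy: each role holds only the grants its daily work needs."""
    p = Policy()
    p.grant("acct_mgr", "payroll.xlsx", "read")
    p.grant("acct_mgr", "payroll.xlsx", "write")
    p.grant("ap_clerk", "invoices/", "read")
    p.grant("ap_clerk", "invoices/", "write")
    # The CEO has the right to everything but no daily need for payroll, so: no grant.
    return p
```

Elevating `ap_clerk` onto `payroll.xlsx` for 14 days gives them access during the manager's absence and removes it automatically afterwards, with every decision left in the audit list.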
Continuity of Operations Plan
Another way to enhance security in the financial industry is to commit to a continuity of operations plan. This plan could have a whole host of different tactics; one important one is the rotation of duties. This is recommended in accounting firms and in IT quite often to flush out corruption, explains Momot, and it also plays a role in cross training that may be vital in the event of an emergency when roles need to be filled quickly. If you see that something isn't quite right, you could discover that by removing people from their common role for two or three weeks. Depending on the size and capability of your business, you might consider implementing mandatory paid vacations. The idea is about more than just corruption. It's about resilience.
Any one person should be able to leave your organization for a period of time without affecting operations. In small organizations, that's a huge challenge; you may not have the bandwidth. In medium and large businesses, plucking someone out of their seat and continuing as normal is a capability you must have. This gives you a chance to test your ability to weather disruption.
Every element of security we've discussed above should and can be brought together in a continuity of operations plan. Document what might occur and lay out steps for what happens when it does. As incident response is part of the new NYDFS requirements, this will become a more and more necessary and popular way to mitigate risk in the banking and financial industry.