Experts on Top InfoSec Considerations for Financial Services Companies



A panel of infosec and financial services professionals weigh in on the top threats and security priorities for the financial industry.

Financial services companies have long been the target of cybercriminals, but never more so than today. Thanks to the proliferation of mobile apps, IoT devices, shadow IT, and today's always-connected atmosphere, attackers have more points of entry than ever before to compromise systems and steal sensitive financial data. The financial services industry is one based heavily on trust, and a single breach can be disastrous for a financial organization's reputation.

To find out what information security concerns are top-of-mind (or should be) for financial services companies in today's threat landscape, we asked a panel of infosec leaders and finance pros to weigh in with their expertise on the following question:

"What are the top information security considerations for financial services companies today?"

Meet Our Panel of Security Professionals:

Find out what our panel of InfoSec leaders and security pros has to say about the top information security considerations facing financial services organizations today by reading our experts' responses below.


Scott Curry

Scott Curry is General Counsel for CyberFortis, a cybersecurity solution for the financial sector (part of cybersecurity consulting firm TSC Advantage). Scott holds a CISO Executive certificate from Carnegie Mellon.

"The most important information security concern for financial services organizations is..."

Reliance on Third Parties: Perhaps the greatest concern financial institutions face is controlling the cybersecurity risk posed by the myriad of third-party vendors they are engaged with. Banks and financial services companies continue to increase the number and complexity of relationships, outsourcing whole areas of business or products, and relying on third parties to a significant extent. The Office of the Comptroller of the Currency (OCC) has issued guidance that it expects comprehensive and objective oversight of third-party relationships that involve significant functions such as payments, clearing, settlements, custody, tax, legal, audit, IT, etc. Further, the OCC says the use of third parties does not diminish responsibility of a bank or financial services firm’s board and management to ensure the outsourced functions are performed in a safe manner.

Liability Pressures: Financial services companies face a wide range of security threats which they must vigilantly defend against daily. They must protect the confidentiality of client and partner data, their own intellectual property, and as seen recently, their clients’ actual assets. With budgets to match their size, large banking institutions have been at the forefront of cyber risk management. Small and mid-size banks as well as financial services firms, however, now also need affordable cybersecurity solutions, driven by increasing regulatory requirements to have cybersecurity programs in place, and recent settlements that place liability for data breaches on financial services companies. Assessing, managing, and transferring cybersecurity risk through cyber insurance can seem complex but it demonstrates a standard of care in the event of a breach.

Growing and Evolving Risks: According to the 2016 financial industry cyber security report by SecurityScorecard, financial institutions suffered 22 major publicly disclosed data breaches in the year ending August 2016. Cyber risks continue to evolve, as attackers search for new and convenient entry points, from phishing emails to very sophisticated schemes instructing company resources to move customer cash to another banking institution. To prevent reputational damage and regulatory action, financial services firms must take a multi-layered and enterprise approach to cybersecurity, involving decision-makers from multiple departments, an array of technical defenses, robust policies and procedures, and regular cybersecurity training.


Ashwin Krishnan

@AceKrish

Ashwin Krishnan is a technology industry expert with over two decades of experience in cybersecurity and cloud technologies. The author of Mobile Security for Dummies, Ashwin is currently a Senior Vice President of Products and Strategy at HyTrust, a late stage security startup. He regularly contributes to publications like CIOreview.com, SDxcentral.com, Virtual-Strategy.com and others. His speaking engagements include Mobile World Congress, RSA Security Conference, VMWorld, Telecom Industry Association, and Product Camp Silicon Valley.

"The top 3 things that any Fin Serv firm should be actively considering when it comes to IT security include..."

1. Identification and protection of critical data – PII information in the case of consumer facing companies, trading data in the case of exchange organizations and governmental and regulatory data in the case of inter-governmental or backend processing companies. The challenge of constantly keeping track of where this data is and how to encrypt it and keep the keys separate and utilize best practices for key management is key (no pun intended). In fact, security guru Bruce Schneier has noted that while the explosion of cheap and ubiquitous storage makes data collection a breeze, the need to identify the critical from uncritical data, classify and secure after the fact is the approaching nightmare.

2. Navigating in a constantly changing regulatory environment – Being nimble and proactive to navigate the ever-changing regulatory framework. Top of mind is GDPR (General Data Protection Regulation) – an EU mandate going into effect in May 2018. The implications for financial services firms that have to operate under this regulatory framework are enormous, and the cost of non-compliance even more so – 4% of gross revenue!! An example of this is to honor an end-customer’s request to hand over all personal information tied to him or her and destroy any remnants of the same. This requires enormous visibility into tracking every user’s data unambiguously, protecting the same, and being able to shred that data upon request. A recent blog post of mine ‘demystifies’ this mandate in layman’s terms.

3. Understanding the insider ‘threat’ – If the recent AWS snafu was any indication, the best run organizations have a weak link – the human. The insider threat need not just be malice driven, negligence is equally potent to disrupt the business. Therefore, putting in safeguards to limit the scope and privileges that key administrators have to prevent this as well as being able to audit log everything for forensics post-facto is critical.


David Kruse

@DavidRKruse

David Kruse is a cybersecurity insurance consultant with experience working as a banker at one of the country’s largest financials. He has worked with bankers, lenders, financial advisors, compliance officers, and insurance consultants his entire career. He's been published in Digital Guardian as well as in Business Magazine.

"The top information security consideration amongst financials today must be..."

An untrained & unaware workforce. Their workforces tend to be very large and, by nature of the information they possess, the companies are high-value targets. If you were to write a horror-story about a cyber disaster, it would surely start like this.

In the old days, protecting the company fortune consisted of having a big vault with even bigger security guards standing out front. There was only one way into the vault, and as long as your guards were bigger and smarter than the bad guy trying to break in, you’d generally be OK.

Not so anymore. Today, there are as many ways into the vault as you have employees & endpoints. No amount of IT security spending can protect a company whose employees don’t see themselves as part of a broader information security team. A large IT spend will not stop an employee from clicking on an infected link or attachment, from sending the W-2s to someone they think is the CFO (but is actually a scammer), or from even maintaining basic digital hygiene such as complex passwords and securing physical data (printed documents, reports, etc).

Employee training should be a feedback loop: Identify—Remediate—Train—Identify…and so on. For example: run unannounced phishing simulations as often as you can (monthly, even weekly if feasible) in order to identify potential weak points in your security chain. Once a weakness is identified, the employee’s manager & someone from IT can remediate an immediate need by meeting with that employee(s) to explain the results of the simulation and explain what to watch out for. (Keep it positive, though! We’re all learning together, and bringing the hammer down on someone will be far more likely to disengage them from the process.) Finally, conduct IT security training sessions regularly (quarterly or better), document attendance, and report the (anonymized) findings of the simulations & the outcome of the training sessions to the board.


Trey Hawkins

Trey Hawkins is the CTO of Leapfrog IT, aka the Sage of All Frogs. Trey oversees the architecture, implementation, training and evolution of Leapfrog’s core technologies. Trey is currently a member of InfraGard, a cooperative undertaking between the US Government, academic institutions, business and law enforcement agencies. He was nominated for the Atlanta CIO of the year award and has served on a special committee to help select the CIO of the City of Atlanta.

"The top information security concerns for financial services organizations include..."

1) Training, training and more training for your staff.

  • Social engineering is rampant right now. Make sure your team knows what to look out for so that they do not mistakenly process transactions or disclose sensitive information to scammers.
  • Documented and practiced secure processes that define how transaction requests and orders are placed.

2) Data Classification – organizations must know where all the sensitive information is stored so that proper controls can be implemented to protect it from falling into the wrong hands.

3) Encryption – stolen laptops and mobile devices account for many sensitive information breaches. Devices with proper encryption reduce the risk of data falling into the wrong hands.

4) Active Monitoring and Management – Having the proper policies and controls designed is good progress, but monitoring for breaches and infractions of policy is required to mitigate potential intrusions or breaches. Timely response to any breach or intrusion attempt is paramount.


Anatoliy Okhotnikov

@Softjourn

Anatoliy Okhotnikov is Head of Engineering for Softjourn with more than 15 years of software development experience, including 10+ years in fintech.

"Nowadays breaches are getting more complicated and harder to beat..."

Recent disclosures such as the Yahoo hacks, CIA dump and Apple extortion threat are showing that attackers are becoming bolder, more commercial and less traceable. Fraud is the main security consideration for financial services companies at all times, and the main fraud drivers are data & identity theft. Today we should consider a very close inspection on data breaches as data theft is turning into data manipulation when attackers are not aiming to sell the data, but manipulate it for fraudulent transactions.

With the rise of IoT and its maturing ecosystem, information security offices should watch out for RoT (Ransomware of Things) whereby cybercriminals hijack a connected device and demand payment for access to be restored to the user. In the world of IoT, our most sensitive data is now everywhere, and we have another channel to leak our personal information. Attackers will target consumer devices from your connected fridge to game console. And do not forget that everything is mobile today, so mobile security is one of the main areas to consider as well. If your financial service has a mobile app (and in 2017 you must have one), you should keep in mind the malware targeting these devices in all sorts of sophisticated ways. For example, at Finovate Europe 2017 we saw financial mobile apps checking for the phone OS integrity before allowing any access to critical user data. Consider opening a new job in your company, the CCO, which is the chief cybercrime officer, if you do not have one yet.


Krystal Rogers-Nelson

@ASecureLife

Krystal is a Safety & Security Expert for ASecureLife. As a homeowner and mother of a rambunctious toddler, she specializes in topics ranging from home and financial security to parenting and child safety. With a B.A. in International Studies from Humboldt State University, she is an experienced world traveler and sustainable living guru. She is committed to empowering individuals and families with the knowledge and tools needed to live a secure and comfortable life at home and abroad.

"According to PWC's Global Economic Crime Survey..."

Cyber crime has jumped to the second most reported economic crime and financial institutions continue to be prime targets. Although the U.S. financial industry's cyber security ranks 4 out of 18, compared to other primary industries in the US Economy, the finance industry remains vulnerable and has suffered more security incidents with data loss than any other industry. Here are the top information security considerations for financial services companies we have found:

  • Evolving Cyber Attack Tactics. As cyber-criminals try new tactics to attack, breach, and exploit organizations, threats like phishing, spear-phishing, and social engineering evolve and become more sophisticated. Financial institutions need to make sure they are using the most up to date software and systems to quell these threats.
  • Ransomware is evolving quickly and a huge threat to financial institutions and their clients. They need to be proactive in protecting themselves by implementing cloud-based continuous monitoring systems that assess their vulnerabilities as well as third party vendors' and partners' vulnerabilities in real-time to catch these threats before they can infiltrate a system and hold data hostage.
  • Legacy IT systems. These systems are often inherited from acquired organizations and include vulnerabilities that can stay in the system for years. Legacy IT systems are expensive to maintain and are more prone to more un-patched vulnerabilities. In addition, challenges of software integration and architecture upgrading increase with mergers and acquisitions.
  • Malware was detected in all 20 commercial banks, with 788 malware incidents, based on SecurityScorecard Inc.'s 2016 study of 7,111 financial institutions in their platform. Generic malware was found in 15 out of 20 commercial banks, and 75% of the top 20 U.S. commercial banks (by revenue) were infected with malware in 2016, including the malware families Ponyloader, Vertexnet and Keybase. The Central Bank of Bangladesh was hacked in 2016 by a sophisticated team of hackers who infiltrated the bank’s network using Dridex malware, which allowed the hackers to steal over $80 million around the globe via the SWIFT network.
  • Below Average IP Reputation scores, Cubit Scores, DNS Health scores, and Network Security scores compared to the overall average for other industries. Research shows that companies with low IP Reputation scores are over three times more likely to experience a data breach compared to companies with a high IP reputation score.
  • Expired SSL Certificates. 15 out of 20 commercial banks have been found with an SSL certificate that is expired. The financial industry needs to improve basic security to support proper SSL.
  • Insecure TLS cipher suites and unpatched CVEs. 18 out of 20 commercial banks have been found with one or more weak or insecure TLS cipher suites. Financial Institutions need to improve overall network and application security and ensure they are performing consistent, scheduled patching in their security systems.

John Farley

@HUBInsurance

John Farley is the Vice President and Cyber Risk Practice Leader for HUB International, a leading global insurance brokerage. Based out of HUB’s New York, NY office, John holds 25 years of experience performing a variety of cyber risk consulting services for commercial clients across many industries. He is a regular speaker at educational seminars on multiple network security and privacy liability challenges facing organizations today. Areas of focus are HIPAA, HITECH, Payment Card Industry Data Security Standards, FERPA, and data breach notice requirements at the state, federal and international levels. Earlier this month, John demonstrated a live data breach at an educational seminar HUB hosted in NYC. In addition, John is a very well published editorial contributor on all cyber liability matters.

"The New York State Department of Financial Services' (NYDFS) new cybersecurity requirements went into effect on March 1, 2017..."

The new regulations apply to approximately 3,000 financial institutions, including banks, insurance companies, and other institutions operating under a license or authorization of New York state law, with certain exemptions. The new regulations will require the covered entities to:

  • Establish a cybersecurity program;
  • Adopt a written cybersecurity policy;
  • Designate a Chief Information Security Officer, or similar individual, responsible for implementing, overseeing and enforcing its new program and policy;
  • Create a vendor management program to ensure the security of their information systems;
  • Establish an incident response plan to respond to and recover from a cybersecurity event;
  • Implement a variety of additional controls, including annual penetration testing, multi-factor authentication procedures, encryption standards, data access limitations, formal log audit programs and data destruction.

New York has traditionally led the way in regulating the financial services sector. It could be expected that other states will soon follow with similar state-mandated cybersecurity requirements for the sector.


Dane Grouell, CSCP

@mezzocompliance

Dane Grouell is the President of Mezzo Compliance. Mezzo Compliance is a regulatory compliance firm serving registered investment advisers and broker-dealers across all regulators and jurisdictions.

"The top information security concern is really simple..."

Employees. All the best technology in the world doesn't mean anything if the people using the technology are too casual with their security.

In my experience, technology and security are relatively easy to obtain. A well-qualified consultant can implement security measures appropriate to a firm's budget and risks. Staying ahead of the bad guys (or at least keeping pace) is the domain of professionals. Let them worry about the technical aspects.

The weak link in the security chain is the people using the technology. In our personal lives we all tend to be loose with our information security. We use obvious user IDs and passwords, save passwords in our web browsers, open email attachments at will, don't use anti-virus or firewall software, and a myriad of other dubious practices. These non-professional practices simply will not do when the non-public information of customers is involved. I encounter these same dubious practices time and again in my work as a compliance consultant.

These issues are also easy to solve. A few simple practices would almost completely mitigate employee risks:

  1. First and foremost, firms must provide training on technology and security. Real training. Take the time to do live training with a professional (budget permitting). At the very least, financial firms should do web-based or webinar training. Provide frequent reminders at staff meetings.
  2. Have solid policies and procedures. Cyber security policies and procedures used to get a mention in the Big Book of Policies and Procedures, but now should be a stand-alone manual. As the pace of innovation accelerates, financial services firms will need a separate manual that can be updated and distributed independent of all other manuals.
  3. A few policies and procedures that are free or really low-cost are:
    • Business email for business use only. No personal business should be done by way of the business email.
    • Require strong passwords and unique user IDs. A password keeper program would help. Don't be cheap -- buy it for your staff. Forbid saving passwords in the web-browser.
    • Inventory who has access to the firm's network and what devices are used. Restrict access to need-to-know persons using only firm-approved devices.
    • Don't allow third-parties to access the firm's network unless they understand and agree to abide by firm security protocols.

Damian Igbe, PhD

@DamianIgbe

Damian holds a PhD in Computer Science and has decades of experience in Information Technology and Cloud services. Damian holds a couple of certifications including AWS Certified Solutions Architect-Associate, AWS Certified Developer-Associate and AWS Certified SysOp-Associate. He is the founder and CTO of Cloud Technology Experts.

"The top information security considerations for financial services companies are..."

The same as the ones reported by a Cloud Security Alliance paper. Of the top 12 issues reported, the top two are particularly relevant to financial institutions: data breaches and weak identity, credential and access management. It is also interesting to note that the top security problems are due to staff's negligence to follow strict security procedures which may be in place.

According to Cloud Security Alliance: A data breach is an incident in which sensitive, protected or confidential information is released, viewed, stolen or used by an individual who is not authorized to do so. A data breach may be the primary objective of a targeted attack or may simply be the result of human error, application vulnerabilities or poor security practices. A data breach may involve any kind of information that was not intended for public release including, but not limited to, personal health information, financial information, personally identifiable information (PII), trade secrets and intellectual property. Two important security measures that can help companies stay secure are multifactor authentication and encryption.

Closely linked to data breaches is weak identity, credential and access management. To prevent weak identity, credential and access management, credentials and cryptographic keys must not be embedded in source code or distributed in public facing repositories such as GitHub, because there is a significant chance of discovery and misuse. Keys need to be appropriately secured and a well-secured public key infrastructure (PKI) is needed to ensure key-management activities are carried out. Any centralized storage mechanism containing data secrets (e.g. passwords, private keys, confidential customer contact database) is an extremely high-value target for attackers. Choosing to centralize passwords and keys is a compromise that an organization must weigh – the trade-off of convenience of centralized key management against the threat presented by centralizing keys. As with any high-value asset, monitoring and protection of identity and key management systems should be a high priority.
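An added example of the "no credentials or keys in source code" point above (editor's code, not from the Cloud Security Alliance or the panelist): a small scanner a team could hang off a pre-commit hook, run over a constructed settings file. The AWS access-key and secret-key shapes are AWS's documented formats and the sample values are AWS's own published placeholder credentials; the generic patterns, the entropy score and the "# allow-secret" opt-out marker are assumptions.

```python
"""Pre-commit scan for credentials and private keys embedded in source.

Added example. The AWS access-key-id shape (AKIA/ASIA + 16 upper-case
alphanumerics) and the 40-character secret key are AWS's documented formats;
the sample values are AWS's published placeholders. Everything else
(generic patterns, entropy score, opt-out marker) is an assumption.
"""
import math
import re

RULES = [
    ("aws_access_key_id",
     re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws.{0,30}?['\"]([0-9a-z/+]{40})['\"]")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----")),
    ("hardcoded_password",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
OPT_OUT_MARKER = "# allow-secret"   # hypothetical reviewer-approved exception marker


def shannon_entropy(s):
    """Bits per character; generated keys score high, dictionary words score low."""
    if not s:
        return 0.0
    n = float(len(s))
    return -sum((s.count(ch) / n) * math.log2(s.count(ch) / n) for ch in set(s))


def redact(secret):
    """Keep a short prefix so the finding is recognisable without re-leaking the value."""
    return secret[:4] + "..." + "*" * max(0, len(secret) - 4)


def scan(text, path="<stdin>"):
    """Return one finding per (line, rule) hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if OPT_OUT_MARKER in line:
            continue
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m is None:
                continue
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append({
                "path": path, "line": lineno, "rule": rule,
                "preview": redact(secret),
                "entropy": round(shannon_entropy(secret), 2),
            })
    return findings


# Constructed sample file; the AWS values are AWS's documented placeholders.
SAMPLE_SOURCE = '''\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = os.environ["DB_PASSWORD"]       # read from the environment: not flagged
smtp_password = "Tr0ub4dor&3-prod-2017"       # literal credential: flagged
SIGNING_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...truncated...
-----END RSA PRIVATE KEY-----"""
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE, "settings.py"):
        print("%s:%d %-22s %-28s entropy=%.2f" % (f["path"], f["line"], f["rule"], f["preview"], f["entropy"]))
```

The scanner reports a redacted preview rather than the matched value, so its own output does not become a second copy of the secret in CI logs; the entropy column is there to help a reviewer separate generated keys from placeholders, not to suppress findings automatically.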


Timothy F. Shanahan

@TFShanahan

Tim is a Trusted Financial Advisor now in his 40th year of advising high net worth individuals, corporate executives, retirement plans, and companies. Tim has developed a sophisticated expertise in investment management techniques to manage individual and retirement plan assets and has built a well-respected firm brand as "Your Trusted Financial Advisor" with 12 other investment adviser representatives.

"Being a business regulated by the SEC and FINRA and subject to the rules and regs of other government agencies..."

Our top concern as a small boutique size firm is to have in place sufficient policies and procedures to be in compliance with the mandates of:

1. the Securities and Exchange Commission Regulation S-P, the Federal Trade Commission’s Safeguards Rule;

2. the Gramm – Leach – Bliley Act (GLBA); and

3. the Commonwealth of Massachusetts MGL Chapter 93H 201 CMR 17.00.

4. Compass must also comply with the California Financial Information Privacy Act (SB1) if the firm does business with California consumers. Compass maintains these policies and procedures as part of its compliance system and in integration with existing programs for: Identity Theft Prevention (ITPP) under the FTC FACT Act Red Flags Rule and Comprehensive Information Security Program (CISP).


Jeff Steadman

@Identropy

Jeff Steadman is a leader in Identropy’s Advisory practice, where he partners with clients to help them plan their Identity & Access Management (IAM) strategies. Jeff has been a long-time practitioner in the IAM field, and previously spent over a dozen years managing, building, and running IAM programs for SC Johnson and Walgreens.

"Protecting against identity threats, inside and out, has never been more important for financial firms..."

Both can wreak havoc on a company's bottom line and do significant damage to their social reputation and brand. While it is important for any company to have strong Identity & Access Management (IAM) service capabilities, financial services firms must go beyond fundamental capability and offer a robust suite of identity services that includes adaptive multi-factor authentication for access to any customer data, a comprehensive privileged access management program for internal employees and contractors with access to key customer or company data, and a strong IAM analytics program that includes user behavior analysis to help provide additional assurance that the person at the keyboard is who they say they are. Routine certification that access is appropriate for internal users should also take place with regularity to ensure access creep is mitigated.


David Cox

@DaveCox79

David Cox is the CEO & Founder of LiquidVPN.

"I spent four years working in Information Security for a large Chicago bank..."

And two of our biggest fears were inside jobs and shadow IT. There are departments that require very broad access to sensitive customer information. If an employee responsible for account auditing or security is compromised, there is no telling how much money it could cost the bank's insurance company. Shadow IT is a problem in most industries, but in the financial industry the threat is amplified because of how many transactions financial companies make every day.


Waqas Khan

@Waqas_tweets

Waqas Khan is an Information Security Expert at PureVPN.

"The cyber security infrastructure for financial services providers now run on the concept of..."

Anticipating, protecting, detecting, responding and recovering. With the advent of advanced wireless payment systems like near-field communications, more opportunities are there for the hackers to compromise sensitive data. Furthermore, gone are the days of Phishing, ATM skimming, and banking malware; now the attackers make use of loopholes in the online banking to access high-value data. So while the companies need to excel in protecting their data, the main focus should be on detecting security flaws, implementing advanced security features and recover data loss efficiently.


Michael Fimin

@TrueCalifornian

Michael Fimin is an accomplished expert in information security, CEO and co-founder of Netwrix, a provider of a visibility and governance platform that enables control over changes, configurations and access in hybrid cloud IT environments to protect data regardless of its location. Netwrix is based in Irvine, CA.

"The main information security consideration for financial organizations today is..."

Not really how to protect a system or data, or how to prevent a threat or deal with a potential risk. Now, it is more about how to do everything at once – protect sensitive data, meet the government requirements for cyber security, comply with the industry standards, enable system availability for employees, offer continuous services for customers, and keep within the IT budget.

Besides that, threats change all the time, and some cleverly disguise – it is just not possible to foresee everything. So how can you be efficient, stay a step ahead and be able to deal with known and new cyber-security risks?

Almost 95% of banks surveyed by Netwrix say they need pervasive visibility into all activity in their IT environments. Visibility bundled with user behavior analytics provides knowledge about vulnerabilities, suspicious activity, and helps connect the dots between seemingly unrelated events that may threaten security. Having a deep understanding of what's going on across core systems allows banks to maintain full control over the IT infrastructure, focus on real risks, stay compliant, quickly resolve any issues, while not wasting budgets on unnecessary spends and increasing system and services availability.


John Vilsack

@GWGLife

John Vilsack is the CTO of GWG Life, a company in the life insurance secondary market based in Minneapolis. He came to GWG Life in 2015 from IT at a consumer retail company geared toward a young demographic, an experience that he said prepared him for the rigor of GWG Life. Vilsack has overseen the implementation of highly secure systems and multiple redundancies the company has put in place to prevent a successful cyberattack.

"User education continues to deliver the most bang for the buck in your security budget..."

A well-trained workforce is the first line of defense against phishing, ransomware, and social engineering attacks; the most common threats we face today in the digital world.

A Prevent Defense: A rock solid foundation of security begins with dropping in the right tools for the job. Enterprise-appropriate firewalls, intrusion prevention systems, VPNs, Multi-Factor Authentication, etc. help to create an architecture that, when monitored properly, can not only stop a direct attack in its tracks, but also help to identify threats from within.

You Are Being Hacked...Right Now: The only assumption you should ever make about your security is that it is never good enough. Policy should extend from the perimeter into your architecture to ensure that, should a hacker gain access to your most trusted assets, the damage can be mitigated. Encryption, network segmentation, application isolation, access controls, and active monitoring are some of the most important key controls in a sound IS strategy.

Storage is Cheap, Data Loss is Not: The guardians of your infrastructure should be able to speak fluently about your enterprise's backup strategy. When the threat of data or productivity loss looms over an org, every dollar spent on your disaster recovery plan pays off by an order of magnitude in getting everyone back on their feet again.


Adnan Raja

@AtlanticNet

Adnan Raja is the Vice President of Marketing for Atlantic.Net, a trusted web hosting solution for businesses seeking enterprise level data centers. Atlantic.Net specializes in Cloud, Dedicated, Managed, and HIPAA-Compliant hosting with domestic and international data center locations.

"In terms of security issues..."

The multi-million dollar ransomware industry has grown and will continue to grow with amazing speed in the years to come, thanks in part to the spread of untraceable cryptocurrency such as Bitcoins and the proliferation of ransomware kits on the dark web, which allow anybody, even script kiddies with no programming skills, to put together and reap the financial rewards of ransomware attacks.

Ransomware is increasingly targeting organizations in the financial industries. These organizations often have thousands or even tens of thousands of gigabytes of financial data they cannot afford to lose – which makes them all the more willing to pay handsomely to get their data back at any cost.

There are many steps these organizations can take to protect themselves from ransomware attacks. On many occasions these attacks succeed because employees haven't been properly trained to recognize (and avoid) suspicious links or email attachments. Proper email security training, as well as establishing better rules for email attachments and which users are allowed to run executable files and install software can go a long way toward bolstering your defenses against a ransomware attack.

Social engineering and phishing attacks seem to make up the other half of ransomware woes. Attackers trying to find an opening into an organization's network–a chink in their armor–will often use phishing techniques to help figure out how to worm their way into user accounts, such as using personal information to better guess account and network passwords.

Other better and more thoughtful security practices can protect your organization against these ransomware attack vectors. Multi-factor authentication helps ensure that only your authorized employees can access your network. Two-factor authentication should be applied not only to your VPN, but to your organization's LinkedIn and Google accounts and other online accounts as well.

Better password management (including using password management tools such as KeePass) will also prove helpful in locking down your infrastructure. Autonomous offsite backup is a must, and network monitoring solutions to throw up an alarm if thousands of files suddenly start modifying themselves in the middle of the night can alert you soon enough to head off the worst of the damages if a ransomware attack hits you.

Constant vigilance and thoughtful, prudent, proactive security measures will keep your organization safe not just from ransomware attacks, but all cyberattacks. Organizations owe it to themselves, their employees, and their patients to keep their fingers on the pulse of cybersecurity and look for new exploits and threats to be aware of.
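The "thousands of files suddenly start modifying themselves in the middle of the night" alarm mentioned in the response above can be implemented as a simple sliding-window rate detector over file-activity logs. The following is an added example and is not part of the original article or of Atlantic.Net's tooling; the log line format, the hostnames, the 100-events-in-60-seconds threshold and the definition of "off hours" are all assumptions made for the illustration, and the log lines are constructed, not captured from a real system.

```python
"""Sliding-window burst detector for mass file modification (added example).

Assumed log line format (one event per line):
    <ISO-8601 timestamp> <host> <user> <ACTION> <path>
where ACTION is one of CREATE, MODIFY, RENAME, DELETE.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data: a normal working day on one workstation
    and an overnight burst on another. Not real telemetry."""
    lines = []
    # Normal activity: one spreadsheet save every five minutes on ws-07.
    day = datetime(2017, 6, 14, 9, 0, 0)
    for i in range(12):
        ts = day + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} ws-07 alice MODIFY /shares/finance/q2/report_{i}.xlsx")
    # Burst: 120 modifications in 60 seconds at 02:13, typical of encryption in progress.
    night = datetime(2017, 6, 15, 2, 13, 0)
    for i in range(120):
        ts = night + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} ws-12 svc_backup MODIFY /shares/finance/ledger/tx_{i:04d}.csv")
    return lines


def parse_event(line):
    """Split one log line into (timestamp, host, user, action, path)."""
    ts, host, user, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, user, action, path


def is_off_hours(ts, start_hour=20, end_hour=6):
    """Assumed business hours: anything from 20:00 to 06:00 counts as off hours."""
    return ts.hour >= start_hour or ts.hour < end_hour


def detect_bursts(lines, window=timedelta(seconds=60), threshold=100,
                  actions=("MODIFY", "RENAME", "DELETE")):
    """Return one alert per host per burst.

    A burst is `threshold` or more write-type events from the same host inside
    any `window`-long period. The per-host deque holds only the timestamps that
    still fall inside the window, so memory stays bounded by the event rate.
    The detector re-arms once the host's rate drops back below the threshold.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e[0])
    recent = defaultdict(deque)   # host -> timestamps within the window
    in_burst = defaultdict(bool)  # host -> currently above threshold?
    alerts = []
    for ts, host, user, action, path in events:
        if action not in actions:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and not in_burst[host]:
            in_burst[host] = True
            alerts.append({
                "host": host,
                "user": user,            # account performing the writes
                "window_start": q[0],
                "window_end": ts,
                "count": len(q),
                "off_hours": is_off_hours(ts),
                "last_path": path,
            })
        elif len(q) < threshold:
            in_burst[host] = False
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(f"ALERT host={alert['host']} user={alert['user']} "
              f"{alert['count']} writes between {alert['window_start']} and "
              f"{alert['window_end']} off_hours={alert['off_hours']}")
```

The threshold has to be tuned per environment: a nightly batch job or a backup agent will legitimately touch thousands of files, so in practice the host and account in the alert are compared against an allow-list of known bulk writers, and the "off hours" flag is used to raise severity rather than to decide on its own. Feeding the detector from an existing audit source (Windows object-access events, auditd, or a file server's change journal) is left to the reader; only the line format above is assumed here.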


Julian Weinberger

@NCP_engineering

Julian Weinberger, CISSP, is the Director of Systems Engineering at NCP engineering. Julian is an information security professional responsible for developing IT network security solutions and business strategies.

"There is no shortage of security threats and breaches to financial services organizations..."

IoT, mobile and cloud only exacerbate the situation, making financial information more vulnerable. Mobile banking apps are bringing seismic changes to the banking industry.

To reduce risks, it's advisable to use a virtual private network (VPN). This is a tried and tested way to secure the connection and encrypt all data transferred between a mobile app and the bank.

Comprehensive VPN software solutions fit easily into existing infrastructure and require no additional hardware. Moreover, data traffic is secured at the device itself so that no unencrypted traffic ever leaves the endpoint.

Financial institutions can also protect themselves by ensuring all of the devices accessing their network have up-to-date firmware and implement network security technologies, such as intrusion prevention systems (IPS), and firewalls, within an in-depth defense framework to minimize potential attack vectors.

By leveraging a VPN, endpoint devices can communicate through a secure encrypted tunnel, which makes it difficult for an attacker to access an IoT device and breach a financial network.


Charles Read

@GetPayroll

Charles Read, President/CEO of GetPayroll and Simon, is an accomplished senior executive and entrepreneur with more than 50 years of financial leadership experience in a broad range of industries, as well as a licensed Certified Public Accountant (CPA). He has owned GetPayroll, which operates nationwide, for 26 years. He is a US Tax Court Practitioner, IRS watchdog, and small business advocate.

"One of our biggest concerns is theft of funds from a hacker..."

All of our accounts are secured with an absolute debit block not allowing anyone to draft funds from our accounts. If there is a State that requires ACH Credit for tax payments, we send physical checks instead. I don't want some underpaid clerk (or their friends) in some State Treasury office having access to all of our clients' money on deposit in our trust accounts. The last thing I want is to come in some morning and find client funds in Moscow. Every credit transaction and inbound debit has a multi-point authorization. Also, no one person has the information to create and send money out or request funds from business clients.


Brady Ranum

@Dizzion

Brady Ranum is VP of Products and Strategy at Dizzion, a cloud-delivered desktop and end user computing solutions provider. Having spent more than two decades in the IT infrastructure technology industry, Brady excels in delivering high performance, highly available cloud deployments, custom networks, storage and compliant environments.

"One of the biggest information security risks for financial services companies is..."

Something not a lot of people think about: Almost all your data is walking out the door every night with each employee that takes a laptop or work device (like a cell phone used to access work email) home with them. Any data stored on an endpoint (laptop, tablet, cell phone, hard drive, USB drive, etc.) is vulnerable – especially if it's not properly encrypted. Where the big security risk comes in is with how we handle these devices. In today's work culture these devices are highly portable and it has become natural to carry your work devices (and all that data) around with you. We've seen a spike in data breaches in recent years from devices housing protected information being lost or stolen, especially laptops, tablets, hard drives and phones being snatched from parked cars. With the average worker using three or more devices for work purposes every day, financial services organizations should be very concerned with how and where their data is stored, how those devices are handled and how data is accessed.


Tim Prugar

@nextcaller

Tim Prugar is the Director of Customer Success at Next Caller, a telephone security firm that partners with financial institutions to detect and prevent attacks at the Call Center level. Tim is also a member of the Communications Fraud Control Association's Consumer Education Committee.

"One of the top information security concerns for financial institutions today is..."

Protecting the phone channel from account takeover and identity theft attacks:

  • Research has shown that the introduction of EMV chips in the United States has pushed fraudsters towards Card Not Present (CNP) fraud channels, including the phone, leading to a 40% increase in CNP fraud since 2015.
  • Fraudsters are leveraging spoofing, intentionally manipulating the Caller ID display, to get around authentication systems that verify their phone number.
  • Fraudsters are leveraging information obtained in the Call Center to launch attacks elsewhere in the institution, or even at other institutions. Security firms are reporting clients experiencing as much as 72% of their fraud is originating in the call center.
  • The human being is often the weakest link in the fraud chain – fraudsters know that, and find that the phone is the best place to target a living, breathing human being for manipulation.

Nick Santora

@Curricula

Nick Santora is the CEO at Curricula, a company that trains organizations how to not get hacked using short animated stories about cyber security breaches.

"Financial services companies have one of the biggest challenges dealing with information security because that’s 'where the money is'..."

With so many attacks targeted for financial gain, financial services companies not only have to deal with protecting their own infrastructure, they need to deal with protecting their customers as well. Just look at NY State, which was the first to introduce new cyber security regulations for financial services companies in the state that become effective later this year.

For some, the first approach might be to just use a check-the-box compliance approach to get these regulations out of their hair. But this is the wrong approach. There is a reason these regulations are being put in place, and we will probably see a lot more of them across the entire industry. Some of the requirements being mandated are designating an active CISO role, implementing security awareness training for all employees, and conducting pen testing and vulnerability assessments. These regulations will enhance the cyber posture of financial services companies and establish a minimum baseline of best practices to model off of.


Omri Sigelman

@NuroSecure

Omri Sigelman is Co-founder of Nuro Secure Messaging, a secure group messaging platform that allows organizations including enterprise, government and the armed forces to regain privacy and ownership of group collaboration between employees and authorized third parties for security and compliance purposes.

"The next big risk for financial services companies is..."

From cloud-based messaging and collaboration apps, also known as Bring Your Own Cloud (BYOC) or Shadow IT, which co-workers and teams increasingly use on their own personal devices to share and exchange sensitive company information. In March this year Deutsche Telekom announced it was banning the use of WhatsApp on corporate-issued phones, while the UK's financial watchdog fined a trader more than £37,000 for sharing insider information with a friend on WhatsApp.

According to Professor Alan Woodward, leading cybersecurity expert at Surrey University, U.K., in his recent co-authored white paper Hacker-nomics: Introducing the Dark Web, “it is tantamount to throwing away all of your perimeter security.”

CISOs are experiencing a perfect storm.

Shadow IT is introducing a series of personal, cloud-based apps that replicate and in some cases converge aspects of traditional messaging and collaboration applications.

Hundreds of millions of dollars are invested annually on mail, voice, data storage and business platforms as well as the management, protection and regulation of each. These all sit protected behind the corporate firewall.

None of this exists for collaboration and messaging.

According to a recent Gartner survey, by 2018 50% of all group communication will occur via mobile group collaboration apps.

Already over three billion people use consumer grade group-messaging and collaboration platforms. A Nielsen study in 2015 found 97% of these do so in the workplace and of these, 75% have admitted to sending important and confidential work-related documents and 87% indicated their employer has no group-messaging policy or solution for the workplace.

The key issue for CIOs and CISOs is that regardless of function these mobile-first, cloud-based apps lack enterprise-grade security, privacy or control. This view is supported by a recent study by Egress Software that showed 87% of CIOs believe they are exposed by legislation around protection of data shared with third parties, while 77% are frustrated that current simple encryption solutions are not sufficient and aren't being used effectively.

It is a concern that affects all industries, but especially those in heavily regulated sectors like banking, finance, government, legal, retail and healthcare.

Through our conversations with security professionals, the evolving threat landscape and stricter regulatory requirements are putting financial services CISOs under pressure to urgently find a way to assure the security, privacy and control of messaging and collaboration within the enterprise.


John Dancu

@IDology

John Dancu is the President and CEO of IDology, a provider of real-time identity verification and fraud prevention solutions. Dancu’s expertise is frequently sought after by Fortune 500 companies and he’s seen as an innovator who is driving continual advancements in identity verification and fraud detection.

"A top concern for financial services companies today is..."

Ensuring that the growing number of their customers' mobile interactions are secure while at the same time easy and frictionless. The growth of mobile commerce has attracted a lot of new fraud tactics where criminals exploit the mobile environment for account takeovers. This has resulted in an urgent need for financial services companies to re-examine their identity verification processes when it comes to mobile transactions – and doing all of it in a way that causes little friction, protects revenue and ensures growth.

Nate Lord

Nate Lord is the former editor of Data Insider and is currently an account manager covering the southeast, Great Lakes, and Latin America regions at Digital Guardian. He has over 7 years of experience in the information security industry, working at Veracode prior to joining Digital Guardian in 2014. Nate enjoys learning about the complex problems facing information security professionals and collaborating with Digital Guardian customers to help solve them.