Cyberattacks against the financial services sector and other industries have grown in number, size and sophistication as worldwide cybercrime costs have reached an estimated $600 billion per year. And financial firms are leading the charge — but not in a good way. Cyberattacks cost the financial industry more to address and contain than in any other industry, and the average number of breaches per financial services company has more than tripled over the past five years.
Rules and Regulations
Cybercrime is a growing industry around the globe that imposes significant costs on financial organizations that fall victim to extortion, theft and/or fraud, and financial industry regulators are beginning to take notice.
In order to ensure financial firms have the required safeguards and a plan for remediation in the event of an attack in place, regulatory authorities like the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority, which regulates broker-dealers, have issued their own cybersecurity guidance. Because the financial services industry is essential to our economy, these authorities believe no firm is too small to have cybersecurity protections in place.
To that end, more than 40 U.S. states have recently passed data privacy legislation. Taking it a step further, the state of New York state passed first-in-the-nation regulation that requires detailed programs to protect consumer data and employee training to identify threats to be created by banks, insurance companies and other financial services institutions regulated by the State Department of Financial Services. Additionally, other countries, including China, members of the European Union and Singapore are implementing regulations that will specifically impact banking institutions and intend to give citizens more control of their data.
And there’s never been a better time to put those protections in place because the Securities Industry and Financial Markets Association (SIFMA) is preparing for the latest iteration of its industry-wide cybersecurity simulation that mimics a real attack this fall.
The SIFMA Test
Referred to as Quantum Dawn, SIFMA’s biennial cybersecurity exercise provides a real-life “hands-on-keyboard” exercise for participating institutions to test their technical cyber response capabilities, ultimately identifying key findings for the financial sector and public partners to address crisis response protocols. Participants in the 2017 test included individuals across different areas of the financial services sector in a range of roles, including CEO, CFO, chief security officers, crisis management and others.
Not a pass/fail test but rather an opportunity for participants to interact across functions internally and with external partners as they exercise their crisis response and communications plans, Quantum Dawn employs a distributed approach that allows organizations to participate from their own locations to further enhance the authentic nature of the simulation and make use of real-world communication systems like email and phone.
While implementing specific security plans ahead of time and being able to answer crucial questions on the fly can help minimize the impact an unfortunate breach has on your business, the reality is this: compliance does not equate to security.
If you’re a financial institution, here are a few tips to put your organization in the position to pass the imminent Quantum Dawn test with flying colors.
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued financial firms need more efficient ways to eliminate their exposure to vulnerabilities. And when it comes to securing the financial industry, the emphasis on eliminating that exposure needs to begin with good cyber hygiene.
With attackers constantly evolving their tactics, organizations have to stay ahead of that risk curve with more effective and efficient ways of reducing their exposure. Ultimately, financial institutions need to build resilient environments that remain secure, undamaged and unaffected by the constant pressure of hackers and other bad actors. Consistently practicing the fundamentals of cyber hygiene dramatically reduces the exploitable attack surface on endpoints as IT admins in the financial space shift defensive focus away from only reacting to a deluge of isolated threats to proactively eliminating the interconnected strategic exposure that attackers have available to exploit.
Operating System Patching
Due to their critical importance, keeping your operating system (OS) patched is a cyber hygiene practice that absolutely cannot be avoided. Software can be replaced, but you need your operating system to, well, operate your machine. Deploy critical patches and establish a test environment to assess the update’s effect. Bottom line: OS updates are often the most critical — treat them as such.
Many financial institutions still employ legacy, on-premise patch management solutions that require a significant amount of ongoing maintenance and sometimes even teams of specialists to oversee. As a result, patch management, a crucial and not all that difficult cyber hygiene practice, becomes cumbersome to manage while operational costs soar and resources are strained. Released by software vendors, software patches and updates should be a part of your regular cyber hygiene.
Manage Your Third-Party Software
Ensuring you have visibility into the software that is installed on the endpoints under your control and managing it could be the difference between an expensive breach and business as usual. Know what software your endpoints need, where to get it, how to install it, how often it’s updated and how difficult the upgrade paths might be. Ensure you can upgrade, replace or remove any third-party software installed on your system — third-party software deployment requires persistent effort.
While it’s important to remember that cyber hygiene is never finished and always ongoing, advances in cybersecurity technology are delivering an easier and faster path to operationalizing cyber hygiene that isn’t overwhelming for IT teams to deploy, maintain and manage.
Enter Automox — a modern cyber hygiene platform that closes the aperture of attack by more than 80% with significantly less effort than traditional solutions. The cloud-based and globally available Automox platform ensures your entire infrastructure is patched, has the right software and is configured correctly regardless of operating system (OS), software or geographic location — all from a single intuitive console.
As cybersecurity continues to threaten profits, data privacy and the reputations of financial services organizations around the globe, financial institutions should consider cloud-based solutions that automate patch management and cyber hygiene to achieve regulatory and government compliance while mitigating potential security breaches and securing essential data. After all, “finance is not merely about making money. It's about achieving our deep goals and protecting the fruits of our labor.” It’s time to better protect the fruits of our labor.
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-based and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-based patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.