Voices

Relying on cloud services? Expand your cyber defenses

In order to provide real-time access to personal account and investment information, advisory firms use cloud-based technologies to deliver new products and services to their clients. Unfortunately, doing so provides cyber criminals with an access point to seize sensitive financial information for ransom or sale.

As a result, it’s important for all firms to have an information security strategy in place that safeguards company and client data wherever it resides. This strategy includes an ongoing, internal assessment of cybersecurity strengths and weaknesses, and, if needed, enlisting outside information security specialists to test and verify its effectiveness.

[Digital identity is broken, and fixes are urgently needed. Learn how large financial service and health care companies are tackling the issue to enhance customer experience, to stake out positions in their business ecosystems, and to manage risk on American Banker's Feb. 23 web seminar.]

When developing an internal security program, companies can adopt an existing industry standard as a guideline — NIST, COBIT, ITIL and ISO 27000, to name a few. These standards provide a blueprint as to the kind of processes and procedures that should be in place to protect sensitive data.

Each standard has its pros and cons and some are more suitable to certain industries than others, but the standards provide a general framework that companies can use to achieve their higher-level security objectives. Additionally, adopting an industry standard allows a company to become certified, which is a designation that might be significant to certain industry clients.

CONDUCT TESTING
Once a network is built and security protocols are in place, it is a worthwhile investment of time and money to hire outside information security consultants to conduct testing to find any gaps or holes in your network or set-up.

These consultants are certified security professionals who spend all their time keeping fully abreast of the developments in this quickly evolving landscape. Unless you have the time to do this yourself, you will almost always be better served by hiring an expert in this field.

One form of system testing consultants employ is penetration testing. This could include a complete review of all internal processes — what your network settings are, what your user setup process is, what your authentication protocols are — in order to identify any area of your network that might be vulnerable to attack.

If your company is engaged in building any kind of custom technology that is available outside your walls, hiring a consultant to conduct a code review to identify any vulnerabilities is critical. Also, consultants can provide a written summary of their findings, along with their recommendations on how they can be corrected.

EVALUATE EMPLOYEES
Another form of penetration testing might include conducting phishing tests across your user base. Pretending to be hackers, consultants contact employees in an attempt to access sensitive information, such as usernames, passwords, credit card details and other proprietary information. Phishing emails typically contain links to websites that are infected with malware which, if clicked on, can precipitate a cyberattack.

Consultants evaluate employee awareness when it comes to security issues — are they clicking on links they shouldn’t be clicking on? Or even worse, are they entering information they shouldn’t be entering?

Similarly, consultants might place random calls to various company locations to see if they can acquire sensitive information directly from employees. The consultants might pretend to be a representative from an IT support desk or a member of a company’s executive team, which often prompts the employee to lower their guard and offer up information they shouldn’t be providing.

Unwitting employees are responsible for the majority of security breaches. They unknowingly compromise data or jeopardize information security by circumventing established procedures.

Your biggest information security risk may not be your technology at all, but poorly trained employees.

For reprint and licensing requests for this article, click here.
Data strategy Data security Cyber attacks Cyber security
MORE FROM FINANCIAL PLANNING