Cyberattacks hit financial firms 300 times more than other organizations. Why? Because that is where the money, and the data that unlocks it, sits.
Despite increases in regulatory policies — as well as enforcement — cyberattacks on U.S. financial organizations continue to grow in both frequency and severity. Financial organizations have become the chief target for cybercriminals, and firms located in the U.S. are most under attack.
Meanwhile, the risks are monumental. A successful attack can devastate an organization’s customers, systems and reputation.
Just about everything related to cybercrime is rising: the number of attacks, the cost of a breach and the time it takes to contain one.
Financial firms need to prepare and respond. That begins with an emphasis at the leadership level and must trickle down through ongoing training, education and other efforts to make cybersecurity a key part of company culture.
The following tips address the more human aspects of cybersecurity — places where you need to win people over on the importance of maintaining a security mindset. These are some of the prime cultural areas where financial firms need to move the needle (while simultaneously improving technology controls).
1. Use leading password practices in your organization
Weak, reused or stolen passwords are involved in roughly 80% of hacking-related breaches. The dark web, past data breaches and other illicit sources give cybercriminals a continual supply of real passwords to try, and the hardware used to crack the rest (consumer GPUs and purpose-built cracking rigs) gets faster and cheaper every year.
- Implement password filtering for your Windows domain: A password filter (a custom filter DLL on each domain controller, or Microsoft's Entra ID Password Protection agent) lets your organization enforce a deny list so that weak, easily guessable elements such as seasons, years, months, sports teams and your company name cannot appear in users' passwords, even with common substitutions such as "Summ3r2024!". Candidate passwords can also be checked against lists of passwords exposed in past breaches. Many filters can be configured to relax complexity rules as length increases, which nudges employees toward longer, better passwords. Note that a filter is only evaluated when a password is set or changed, so existing weak passwords stay in place until you force a reset.
- Enhance password requirements: Raise your minimum password length to at least 14 characters and encourage passphrases (several unrelated words) rather than single words with a digit and a symbol tacked on. Better yet, deploy a password manager so employees can generate and store long, random, unique passwords without memorizing them; current NIST guidance (SP 800-63B) also recommends dropping forced periodic rotation in favor of resetting passwords only when compromise is suspected.
- Implement multi-factor authentication (MFA): Use MFA wherever possible so that no single password is the weak link in your authentication chain. Prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or platform authenticators over SMS codes and push prompts, which attackers routinely intercept or fatigue users into approving.
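The three checks above (deny list with substitution folding, breached-password lookup, and length-for-complexity trade-off) are simple enough to show end to end. The following is an added reference implementation in Python, written for this article rather than taken from Wipfli or from any Windows password filter; a production deployment would run the same logic inside a filter DLL on the domain controllers or rely on a vendor product. The deny list, the sample passwords and the breached-password set are all constructed for the example; the breached set is stored as SHA-1 hashes and queried by the first five hex characters, mirroring how the Have I Been Pwned range API is used so that a full password hash never leaves the client.

```python
"""Reference password-policy checker (added example, not a Windows filter DLL).

Mirrors the controls described in the article: deny list of seasons, months,
years, teams and company name (with leetspeak folding), a breached-password
lookup, a minimum length of 14, and relaxed complexity for long passphrases.
"""
import hashlib
import re
import string

MIN_LENGTH = 14       # the article's recommended floor
LONG_ENOUGH = 20      # at or above this length, character-class rules are waived

# Constructed deny list. Real deployments load thousands of terms; matching is
# by substring, so very short words (e.g. "may") are deliberately left out.
BANNED_TERMS = sorted({
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "june", "july", "august",
    "september", "october", "november", "december",
    "packers", "bears", "cubs", "brewers", "bucks",          # sports teams
    "password", "welcome", "qwerty", "letmein", "wipfli",    # junk + company name
})

# Fold common substitutions back to letters so "Summ3r" matches "summer".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
YEAR_RE = re.compile(r"(?:19[5-9]|20[0-4])\d")   # 1950-2049

# Constructed stand-in for a breached-password corpus, kept as upper-case
# SHA-1 hex digests (the format the Pwned Passwords data set uses).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "correcthorsebatterystaple", "Welcome2024!")
}


def normalize(pw: str) -> str:
    """Lower-case and undo leetspeak so deny-list matching is substitution-proof."""
    return pw.lower().translate(LEET)


def banned_term(pw: str):
    """Return the first deny-listed token found in pw, or None."""
    folded = normalize(pw)
    for term in BANNED_TERMS:
        if term in folded:
            return term
    year = YEAR_RE.search(pw)        # years are matched on the raw password
    return year.group(0) if year else None


def breached_suffixes(prefix5: str) -> set:
    """Stand-in for a k-anonymity range query: every stored hash with this
    5-hex-char prefix, returned as suffixes. Only the prefix is 'sent'."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(pw: str) -> bool:
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest[5:] in breached_suffixes(digest[:5])


def check_password(pw: str, username: str = ""):
    """Return (accepted, reason). Checks are ordered cheapest first."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(username) >= 3 and username.lower() in pw.lower():
        return False, "contains the username"
    term = banned_term(pw)
    if term:
        return False, f"contains banned term '{term}'"
    if is_breached(pw):
        return False, "appears in a breached-password list"
    # Length buys down complexity: a 20+ character passphrase needs no symbols.
    classes = sum(any(c in cls for c in pw) for cls in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if len(pw) < LONG_ENOUGH and classes < 3:
        return False, (f"shorter than {LONG_ENOUGH} characters and uses "
                       "fewer than 3 character classes")
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates covering each rule.
    for candidate, user in (("Trombone-Lighthouse-Velvet", ""),
                            ("GoPackers!Summ3r2024", ""),
                            ("correcthorsebatterystaple", ""),
                            ("Welcome2024!", ""),
                            ("abcdefghijklmnop", ""),
                            ("JSmithJSmithJSmith1", "jsmith")):
        ok, why = check_password(candidate, user)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {candidate!r}: {why}")
```

The order of checks matters operationally: the length and username tests are free, the deny list is a local scan, and the breached-password lookup is the only step that would touch a network service, so it runs last and only sees a five-character hash prefix.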
2. Perform security awareness training and testing
You're only as strong as your weakest link, and in security that link is often a person. Any employee could click a phishing link or open a malicious attachment, handing an attacker credentials or a foothold that ends with your business systems compromised or locked up by ransomware. With more employees working from home since the pandemic, the volume of these threats has only increased.
It's not just bulk phishing emails that employees can fall prey to, either. Business email compromise (BEC) is another common way cybercriminals attempt to steal your organization's assets. Rather than spraying malware, these criminals impersonate an executive, a vendor or a colleague and target specific employees who can move company funds or release sensitive data.
Educate employees on common BEC attacks, such as vendor payment change requests, wire transfer requests, W-2 scams and gift card scams, and give them a simple rule: any request that changes where money goes must be confirmed through a known phone number or an existing contact, never by replying to the email. If an employee falls victim, the result can be a data breach, the introduction of malware or ransomware, and/or the direct loss of company funds.
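The BEC lures listed above share a few technical tells that can be checked mechanically before a message reaches the person who can send a wire. The following triage script is an added example for this article, not Wipfli's code: it parses an email with Python's standard library and flags a Reply-To domain that differs from the From domain, an executive's display name on an outside address, a sender domain that is a lookalike of the firm's own or a known vendor's domain (one edit away, after folding "rn" to "m" and similar confusables), and payment or PII phrasing in the body. The firm domain, vendor list, executive directory and the three sample messages are all constructed for the example.

```python
"""BEC indicator triage over raw RFC 5322 messages (added example).

Constructed organization data: the firm's domain, one known vendor and one
executive. Sample messages are likewise made up for this illustration.
"""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-bank.com"}
KNOWN_VENDORS = {"acme-supplies.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-bank.com"}   # display name -> real address
PAYMENT_PHRASES = ("wire transfer", "new bank details", "updated bank account",
                   "gift card", "w-2", "urgent")
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def canonical(domain: str) -> str:
    """Fold visually confusable sequences so acrne-supplies.com ~ acme-supplies.com."""
    for seq, rep in CONFUSABLES:
        domain = domain.replace(seq, rep)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, known: set):
    """Return the known domain that `domain` imitates (<= 1 edit after folding), or None."""
    folded = canonical(domain)
    for k in sorted(known):
        if edit_distance(folded, canonical(k)) <= 1:
            return k
    return None


def bec_indicators(raw_message: str) -> list:
    """Return a list of human-readable indicators; empty means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, from_addr = parseaddr(msg["From"])
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    found = []

    if reply_to and domain_of(reply_to) != from_dom:
        found.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}")

    real = EXECUTIVES.get(name.strip().lower())
    if real and from_addr.lower() != real:
        found.append(f"display name '{name}' is an executive but address is {from_addr}")

    if from_dom not in TRUSTED_DOMAINS | KNOWN_VENDORS:
        near = lookalike(from_dom, TRUSTED_DOMAINS | KNOWN_VENDORS)
        if near:
            found.append(f"sender domain {from_dom} resembles {near}")

    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    hits = [p for p in PAYMENT_PHRASES if p in body]
    if hits:
        found.append("payment/PII lure: " + ", ".join(hits))
    return found


# Constructed samples: a vendor payment-change lure, a CEO gift-card lure, a benign note.
SAMPLE_VENDOR = """\
From: Accounts <billing@acrne-supplies.com>
To: ap@example-bank.com
Reply-To: billing@acrne-supplies-invoices.net
Subject: Updated remittance details

Please note our new bank details for all future wire transfer payments.
"""
SAMPLE_EXEC = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: mark@example-bank.com
Subject: Quick favor

Are you in the office? I need you to buy some gift card codes for a client, urgent.
"""
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example-bank.com>
To: mark@example-bank.com
Subject: Lunch

Lunch at noon?
"""

if __name__ == "__main__":
    for label, raw in (("vendor", SAMPLE_VENDOR), ("exec", SAMPLE_EXEC), ("benign", SAMPLE_BENIGN)):
        print(label, bec_indicators(raw) or "no indicators")
```

None of these indicators is proof on its own (marketing platforms legitimately set a different Reply-To, and executives do email from personal accounts), which is why the output is a list for a reviewer or a mail-flow rule to weigh, and why the process control above, confirming payment changes out of band, remains the backstop.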
Overall, regular security awareness training is essential to keeping employees updated and educated on all types of security threats and all the ways cybercriminals will try to infiltrate your systems.
3. Improve security around remote workforce solutions
Hybrid and remote work models add a new attack surface: endpoints that sit on networks you do not control. During the COVID-19 pandemic, financial firms adopted new platforms to enable remote work, but many have still not taken steps like these to secure those platforms and mitigate their risks:
- Create and enforce policies around home-office networks: Make sure home routers run current firmware, use WPA2 or WPA3 with a strong passphrase and no longer use the default administrator credentials. Keep smart devices (e.g., thermostats, smart TVs and other IoT devices) on a separate guest network from work machines. Require full-disk encryption, a VPN (or an equivalent zero-trust access broker), multi-factor authentication and endpoint protection on every device that touches the company network.
- Create policies around physical company assets: Employees should physically secure tangible company assets (e.g., paperwork, laptops and other company-owned property) in their home office. Company equipment should be used only for company business, and decommissioned equipment should be wiped with a documented sanitization method before it is disposed of or reused.
Download more cybersecurity tips
Wipfli’s e-book “30 cybersecurity tips: Best practices for your business” contains guidance around human controls, business policy and technology systems.
It provides tips, presented in accessible language, to help organizations increase their cybersecurity maturity. While some tips will need specialized IT support to execute, others involve company policy and culture issues that can (and should) be influenced by your leadership, HR and communication teams.
Wipfli can help
Wipfli works with financial services firms to protect their organization. Our cybersecurity specialists can help you mitigate both the technical and human risk environment, working within the business constraints of the financial services industry.
To receive assistance, talk to your relationship manager or reach out to Wipfli’s cybersecurity team today.