4 Best Practices for Security Hygiene in the Financial Services Sector
uch like the masked bank robbers seen in movies and on TV, cybercriminals target financial institutions because that’s where the money is. As the use of smartphones and internet penetration increases, online banking has continued its rapid growth, creating rising customer expectations. These expectations, in conjunction with hackers developing increasingly sophisticated criminal tactics, have created a dangerous cybersecurity landscape for financial organizations to operate in.
In recent years, cyberattacks against financial services and other industries have grown in number, size and sophistication. While cybercrime hasn’t altered the fact that the financial services industry deals with money, cybercrime has increased the speed and the consequences surrounding a breach.
As a matter of fact, according to the 2018 Cost of a Data Breach Study, data breach costs in the financial sector are the highest among all industries except healthcare. The study, annually conducted by Ponemon Institute and sponsored by IBM Security, found that for each lost or stolen record containing sensitive and confidential information, the average cost for financial institutions in the U.S. is $206, or $58 more per record than the global average across industries.
The study also found that the average cost of cybercrime for financial services companies globally has increased by more than 40 percent over the past three years, and the average number of breaches per company has more than tripled over the past five years. With financial services firms being targeted more than any other sector, we’re talking about millions of dollars annually.
From regulatory compliance impediments to securing customer data and the risks associated with working with third-party vendors, the financial services industry is faced with a growing number of ever-evolving cybersecurity challenges.
Today, banks and other financial institutions are increasingly dealing with a growing number of compliance mandates and security regulations. In fact, cyber security failures have prompted data privacy legislation in more than 40 U.S. states. And last year saw New York state pass first-in-the-nation regulation requiring banks, insurance companies and other financial services institutions regulated by the State Department of Financial Services to create detailed programs to protect consumer data and ensure employees are trained to identify threats.
Additionally, China put their Cybersecurity Law into effect in 2017, and other countries, including Singapore and members of the European Union, are putting regulations in place that will specifically affect banking institutions and aim to give citizens more control of their data. Compounding the issue, globally operating financial services firms must be aware of new cybersecurity regulations and how they affect their business in order to navigate data rules and remain compliant, especially as they conduct business across borders.
These ever-evolving obligations challenge financial firms to reconcile overlaps and inconsistencies between compliance mandates. Consequently, excessive controls and silo-based solutions are leading to significant increases in cost and are further complicating the already complex world of cybersecurity.
While compliance programs are designed to improve matters, they can also have the opposite effect, diverting already limited cybersecurity resources away from immediate, specific risks. Bottom line: compliance does not equal security.
Financial institutions are on an ever-changing journey to improve the online customer experience and increase customer engagement, customer retention and profitability. This shifting business model has led to higher customer expectations, and customers increasingly expect a wonderful online user experience delivered through myriad channels on a 24/7 basis — all of this while ensuring their privacy is protected and most sensitive data remains secure.
In the always-on era of constant connectivity, many financial organizations don’t identify or classify data based on how sensitive or critical the information is. As a result, they lack a vital understanding of what matters most to their organization. Without the ability to adequately protect data based on risk, aligning a financial firm’s operating model and security environment to meet increasing regulatory requirements and heightened customer expectations is incredibly difficult.
Mitigating Third-Party Risk
As companies in financial services continue to outsource their internal processes, move their operations to the cloud and connect with customers through an increasing number of channels, the sheer amount of vulnerabilities grows. Because there are now more connected endpoints than there are people on the planet, the “attack surface” exposed to hackers is larger than ever as well.
As is the case with any third-party vendor contract, cloud service agreements impose convoluted regulations concerning data sharing and lead to a myriad of new cybersecurity challenges. While financial organizations often participate in partnerships and outsource services to reduce costs and improve service, these third-party risks must be managed and in a perfect world, mitigated. Even if your organization isn’t subject to regulations, a vendor you work with likely is, and their organization could be breached, compromising your data.
2017 witnessed a string of devastating malware attacks – including the WannaCry and Petya attacks — which cost several globally operating financial firms, including the property arm of France’s biggest bank BNP Paribas, hundreds of millions of dollars in lost revenues and unknown damages in harm to their reputation. As breaches and IT security incidents continue rising, patch management has never been more critical for financial firms than it is today.
For many financial institutions, IT infrastructure has not been integrated across the enterprise, making the traditional patch management process a manual, time-intensive and arduous task. Keeping operating systems and third-party applications patched and up-to-date is the only way organizations can completely thwart attacks based on known vulnerabilities.
In order to achieve regulatory and government compliance while mitigating potential security breaches and securing vital data, financial institutions should consider cloud-native solutions that automate patch management, expanding the ability of internal IT resources to focus on other, more strategic initiatives.
One such solution is Automox. With our cloud-native agent and policy engine, organizations maintain control over their level of patch management automation, flow processes and configuration enforcement, all from a single dashboard. The agent works on Windows, Mac OS X or Linux systems to monitor your vulnerability, providing an inventory of hardware, software, patches and configuration details. From there, the agent automatically patches vulnerabilities based upon your configured policies.
Four Best Practices For Security Hygiene
1. Keep Operating Systems Patched
Modern networks have multiple operating systems, utilize hybrid environments, and support remote employees. Research shows that 50% of Windows operating systems are running outdated versions and 40% of Apple devices are operating with outdated versions, leaving them susceptible to attack long after security patches were available. Having a regular process in place for checking for, testing, and applying patches to all OSs is the first step to protecting an entire infrastructure.
2. Update Software Patches ASAP
Apply security updates for software as soon as possible following their release. If organizations aren’t prepared to apply patches and updates regularly, it’s just a matter of time before vulnerabilities in network and applications will be exploited. Delaying patching is a risky proposition and can be minimized with automated patch solutions that deploy patches as soon as they become available.
3. Manage 3rd Party Software
Over 75% of vulnerabilities on the average PC are due to 3rd party applications, and major data breaches (including the Equifax hack) were caused by unpatched vulnerabilities found in 3rd party software. One of the reasons 3rd party software is left unpatched is lack of visibility around which applications are present within a large network. With the growth in cloud-native applications that can be installed by any employee, it is critical that IT departments track and patch all 3rd party software on their networks.
4. Manage Endpoint Configurations
For strong endpoint security, you need a complete and continuously updated inventory of all devices, including PCs, laptops, IoT wares and peripherals. Cataloging all of these endpoints and capturing off of their details gives you complete visibility into all of your endpoints, their hardware specs, installed software, locations, users, vulnerabilities and configurations. Effectively monitoring your endpoint vulnerabilities is key to ensuring infrastructure security.
As cybersecurity strategies mature and innovative solutions such as Automox continue to emerge, technology organizations that tie their cybersecurity efforts to real business needs and objectives will gain confidence in their ability to deal with the increasingly sophisticated threats that occupy today’s ever-changing and dangerous digital landscape.
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.