Software Integrity Blog


7 ways financial services firms can protect themselves

Here are seven strategies that financial services firms can use to improve data security, lock down their assets, and protect their customers and clients.

How financial services can improve data security

In 2014, remote attackers hit JPMorgan Chase and the associated website of the JPMorgan Corporate Challenge, affecting 76 million households and 7 million small businesses. Financial services are high-value targets. Even just the name and address of a high-asset account holder can be valuable on the black market.

There isn’t a single fix-all solution available to guarantee the security of a given firm’s software and systems. However, when it comes to the finance industry, there are strategies that firms can implement to lock down assets and data as securely as possible.

Get the financial services cybersecurity report

7 ways to secure your systems and protect your firm

1. Conduct employee training.

It’s pretty simple to trick someone into sharing their credentials when they believe that they’re corresponding with someone from their firm’s IT department (via phone call or email). Why would someone question it in the first place? Thus, you should train employees on how to avoid becoming a future victim. Train them not to share credentials via phone or email. Make sure that they understand that your firm’s IT department will never request that information.

To make sure that information isn’t leaked from within, employees should know how to identify fraudulent or malicious artifacts such as email attachments. They should be aware of common methods used to manipulate businesses such as spear phishing. And they should learn how to identify evidence once a breach has taken place.

2. Secure mobile devices.

Today, most people consume digital information on a mobile device. With that in mind, here are three important elements to consider:

  • Protect your phone with strong passwords and biometrics.
  • Consider creating a “bring your own device” (BYOD) plan for employees using personal devices in a work setting.
  • Outlook is one of the most vulnerable mobile applications.

3. Define security policies.

To be effective, a security policy must be reflected in every process, every decision, and throughout the organization. Use employee training to make employees aware of security best practices, for example, using complex passwords and maintaining a clean desk environment (i.e., properly storing confidential information).

Regularly refine existing security policies to include the most up-to-date information.

4. Establish a multilayered defense system.

Threats come from a variety of sources, from software vulnerabilities to web-based attacks. To block these, establish a multilayered defense system wherein multiple tools and processes protect sensitive information. These tools and processes must also work hand in hand to provide a seamless experience to the user.

5. Learn from mistakes.

Hackers are always learning new and improved methods to collect internal information from your infrastructure; always assume that this is the case. Learn not only from your own mistakes but also from the mistakes of others. Continuously look for security loopholes that have led, or could one day lead, to a breach. Close these loopholes as soon as possible. With this thought always in the back of your mind, remain proactive when it comes to security. This is the only way to keep up with attackers.

6. Have an incident response plan.

In an environment where hackers are usually one step ahead, collective accountability is a solid first line of defense. In a worst-case scenario (i.e., if a breach does occur within your firm), establish an incident response plan that minimizes the damage. What may be even more important is that your employees know about it and how it works. Conduct drills to practice the plan so that all relevant parties know exactly what to do in the event of a breach.

7. Harden your systems.

Last, but certainly not least, harden your firm’s systems. This includes conducting a penetration test and creating a threat model of all business-critical applications. Also, conduct architecture reviews before the application build begins and implement active code checking during the build.
