Posted by Synopsys Editorial Team on February 20, 2017
In 2014, remote attackers hit J.P. Morgan Chase and the associated website of the J.P. Morgan Corporate Challenge, affecting 76 million households and 7 million small businesses. Financial services are high-value targets. Even when attackers collect only the name and address of a high-asset account holder, that information can still be profitable on the black market.
There isn’t a single fix-all solution available to guarantee the security of a given firm’s software and systems. However, when it comes to the finance industry, there are strategies that firms can implement to lock down assets and data as securely as possible.
It’s pretty simple to trick someone into sharing their credentials when they believe that they’re corresponding with someone from their firm’s IT department (via phone call or email). Why would someone question it in the first place? Thus, train employees how to avoid becoming a future victim. Train them not to share credentials via phone or email. Make sure that they understand that your firm’s IT department will never request knowledge of that information.
To make sure that information isn’t leaked from within, it is important to train employees to recognize fraudulent or malicious artifacts such as email attachments. Employees need to be aware of common methods used to manipulate businesses, such as spear phishing. It is also important to teach employees how to identify evidence once a breach has taken place.
Today, most people consume digital information on a mobile device. With that in mind, here are three important elements to consider:
To be effective, a security policy must be reflected in every process, every decision, and throughout the organization. Use employee training to make employees aware of security best practices. Examples include using complex passwords and maintaining a clean desk environment (i.e., properly storing confidential information).
Regularly refine existing security policies to include the most up-to-date information.
Threats come from a variety of sources, from software vulnerabilities to web-based attacks. To block these, establish a multi-layered defense system wherein multiple tools and processes protect sensitive information. These tools and processes must also work hand in hand to provide a seamless experience to the user.
Hackers are always learning new and improved methods to collect internal information from your infrastructure; always assume that this is the case. Learn not only from your mistakes but also from the mistakes of others. Continuously look for security loopholes that have led, or could one day lead, to a breach. Close these loopholes as soon as possible. With this thought always in the back of your mind, remain proactive when it comes to security. This is the only way to keep up with attackers.
In an environment where hackers are usually one step ahead, collective accountability is a solid first line of defense. In a worst-case scenario (i.e., if a breach does occur within your firm), establish an incident response plan that minimizes the damage. What may be even more important is that your employees know about it and how it works. Conduct drills to practice the plan so that all relevant parties know exactly what to do in the event of a breach.
Last, but certainly not least, harden your firm’s systems. This includes conducting a penetration test and creating a threat model of all business-critical applications. Also, conduct architecture reviews before the application build begins and implement active code checking during the build.
It is important to build security into every step of an application’s life cycle, from inception to launch and beyond.