Software Integrity Blog


7 ways financial services firms can protect themselves

Protect the growing assets of your company and clients

In 2014, remote attackers breached J.P. Morgan Chase, along with the website of the J.P. Morgan Corporate Challenge, exposing contact information for 76 million households and 7 million small businesses. Financial services firms are high-value targets. Even if an attacker collects only the name and address of a high-asset account holder, that information can still be sold profitably on the black market.

There isn’t a single fix-all solution available to guarantee the security of a given firm’s software and systems. However, when it comes to the finance industry, there are strategies that firms can implement to lock down assets and data as securely as possible.

7 ways to secure your systems and protect your firm:

  1. Conduct employee training.

It is easy to trick someone into sharing credentials when they believe they are dealing with their firm’s IT department, whether by phone call or email; why would they question it in the first place? Train employees how to avoid becoming the next victim: never share credentials by phone or email, and make sure they understand that the firm’s IT department will never ask for them.

To prevent information from leaking from within, train employees to recognize fraudulent or malicious artifacts such as email attachments, and to understand the common techniques used to manipulate businesses, such as spear phishing. It is also important to teach employees how to recognize and report the signs that a breach has taken place.

  2. Secure mobile devices.

Today, most people consume digital information on a mobile device. With that in mind, here are three important elements to consider:

  • Protect devices with strong passcodes and biometrics.
  • Create a “bring your own device” (BYOD) policy for employees who use personal devices for work.
  • Treat mobile email clients such as Outlook as high-risk applications: they hold corporate mail and cached credentials on the device, which makes them a prime target.

  3. Define security policies.

To be effective, a security policy must be reflected in every process and every decision throughout the organization. Use employee training to make staff aware of security best practices, such as using complex passwords and maintaining a clean desk (i.e., properly storing confidential information).

Regularly refine existing security policies to include the most up-to-date information.

  4. Establish a multi-layered defense system.

Threats come from many sources, from software vulnerabilities to web-based attacks. To block them, establish a multi-layered defense (defense in depth) in which several independent tools and processes protect sensitive information, so that no single failure exposes it. These tools and processes must also work together to give the user a seamless experience.

  5. Learn from mistakes.

Attackers are always developing new and improved methods for extracting internal information from your infrastructure; assume that this is the case. Learn not only from your own mistakes but also from the mistakes of others. Continuously look for weaknesses that have led, or could one day lead, to a breach, and close them as soon as possible. With this in mind, stay proactive about security; it is the only way to keep up with attackers.

  6. Have an incident response plan.

In an environment where attackers are usually one step ahead, collective accountability is a solid first line of defense. For the worst case, a breach within your firm, establish an incident response plan in advance that minimizes the damage. Just as important, employees must know that the plan exists and how it works. Conduct drills to practice the plan so that all relevant parties know exactly what to do in the event of a breach.

  7. Harden your systems.

Last, but certainly not least, harden your firm’s systems. This includes conducting penetration tests and creating a threat model for every business-critical application. Also conduct architecture reviews before an application is built, and run automated code analysis as part of every build so that dangerous patterns are caught before they ship.
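As an added illustration of what “code checking during the build” can look like in practice (this is example code written for this page, not tooling from the article or from any vendor), the script below scans source files for hard-coded credentials and a few dangerous call patterns and fails the build when it finds any. The rules, the `# nosec` suppression convention and the sample repository files are all constructed for the example; a production gate would run a maintained scanner alongside project-specific rules like these.

```python
"""Build-time code gate (example added for illustration; not from the article).

Scans source files for hard-coded credentials and a few dangerous call
patterns and fails the build when any are found. The rules and the sample
files below are constructed for this example.
"""
import re
import sys
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    text: str


# Constructed rule set: (rule name, regex matched against each source line).
RULES = [
    # Literal credential assigned to a suggestively named variable.
    ("hardcoded-password",
     re.compile(r"""(?i)(password|passwd|pwd|secret|api_key)\s*=\s*['"][^'"]{4,}['"]""")),
    # AWS access key ID format: 'AKIA' followed by 16 upper-case alphanumerics.
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # PEM private key header committed to source.
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # subprocess call that hands a command line to the shell.
    ("subprocess-shell-true", re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True")),
    # SQL built with an f-string, '+' concatenation or '%' formatting
    # instead of bound parameters.
    ("sql-string-concat",
     re.compile(r"""execute\(\s*(?:f['"]|['"][^'"]*['"]\s*[+%])""")),
]

# A line carrying a '# nosec' comment is an explicit, reviewable exception.
SUPPRESS = re.compile(r"#\s*nosec\b")


def scan_source(path: str, source: str) -> List[Finding]:
    """Return every rule hit in one file, one Finding per (line, rule)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SUPPRESS.search(line):
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> source text (what a CI step would read from disk)."""
    findings: List[Finding] = []
    for path, source in files.items():
        findings.extend(scan_source(path, source))
    return findings


def gate(files: Dict[str, str]) -> bool:
    """The build passes only when there are no findings."""
    return not scan_files(files)


# Constructed sample repository: one file that should fail the gate, one that
# should pass, and one test fixture with an explicit suppression.
SAMPLE_FILES: Dict[str, str] = {
    "app/db.py": (
        "import sqlite3\n"
        "DB_PASSWORD = 'hunter2-prod'\n"
        "def find_user(conn, name):\n"
        "    cur = conn.cursor()\n"
        "    cur.execute(f\"SELECT * FROM users WHERE name = '{name}'\")\n"
        "    return cur.fetchone()\n"
    ),
    "app/safe.py": (
        "import os\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"
        "def find_user(conn, name):\n"
        "    cur = conn.cursor()\n"
        "    cur.execute('SELECT * FROM users WHERE name = ?', (name,))\n"
        "    return cur.fetchone()\n"
    ),
    "tests/fixtures.py": "PASSWORD = 'not-a-real-secret'  # nosec: test fixture\n",
}


def main() -> int:
    """Run the gate over the sample files; a non-zero exit code fails the build step."""
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.text}")
    print("BUILD FAILED" if findings else "BUILD OK")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a CI step, the non-zero exit code blocks the merge; the `# nosec` marker keeps exceptions visible in code review rather than hidden in scanner configuration.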

Summing it up

It is important to build security into every step of an application’s life cycle–from the inception to launch and beyond.
