A Cybersecurity Primer for Financial Industry Executives

As the traditionally paper-and-person investment industry collides head-on with the next-generation Fintech industry, the result is unprecedented dynamism within the financial services industry. Awareness of cybersecurity has never been more critical for financial industry executives.

Balancing post-depression era risk mitigation techniques with high-speed, hyper-connected, and highly automated investment management systems creates a unique imbalance. We at CIT see a future in which firms and their information are truly borderless, beyond brick-and-mortar offices and even beyond geopolitical boundaries. To get there, collectively we must do a much better job at quantifying, controlling, and mitigating cyber-based risks.

As a leading cybersecurity firm serving the FinTech and financial markets, CIT has blogged about some of these items previously in 2015, 2016, and 2017. We have shared what our teams are experiencing in the field doing pre- and post-breach analysis, including how the very nature of a threat to an investment organization has continued to change.

Today, it is common for both technical and executive staff to be confronted with antiquated or uninformed perspectives on cybersecurity.

Simply, the field is changing too frequently to keep up. Often, partners and executives within a firm are confronted with a nearly constant barrage of new regulation, potential risk, and seemingly unquenchable technology budget demands. Each alone could pose a substantial risk to a firm’s viability – together they pose a potential catastrophe. It is a classic case of decision paralysis – and rightfully so. Where to begin? With regulatory authorities? Investor demands? That new IT device that promises to mitigate yet-to-be-understood risks? As the media has shown through an almost daily breach announcement, this overload commonly leads to inaction, or to inappropriate actions being taken to address these demands. CIT utilizes its considerable resources to remain abreast of the trends and fads in the cybersecurity industry. Yes, there are fads. We offer the following data points for consideration in order to help executives and technologists alike establish a common vernacular and understanding of the current cybersecurity trends and risks as relevant to the financial and investment services market in 2017.

  1. Attackers are going smaller. Larger firms and institutions have spent, and continue to spend, substantial amounts of their resources to mitigate cyber-based risks. As a result, attackers are pivoting to smaller organizations. Simply, think of the attackers as businesspeople: their market has shifted, so too must their business model. Small is in (and less prepared) while larger is out. The experts agree with us on this point! Smaller firms, use this as an opportunity to get ready!
  2. Less technical. As a species, we humans tend to like to help one another. It is in our nature. That very nature is being turned against us as social engineering attacks are used by attackers to gain a foothold and launch further attacks.
  3. No more personal space. Gone are the days when there was true isolation between work and home. Social media, the Internet of Things (IoT), and ever-evolving Big Data have rendered that separation obsolete. Being proactive about personal information security at home and at work is now necessary. Compounding the situation are factors such as SEC guidance on social media and changes to the Form ADV requiring registration of the Twitter, Facebook, and LinkedIn profiles of registered advisers. FINRA has issued similar guidance for its member firms. How far must a firm go to protect itself from regulatory trouble caused by statements made by its employees on systems entirely outside of its control? The boundaries between professional and personal are blurrier today than ever before.
  4. Detection outweighs defense. In a survey conducted by LivSecure, 93% of homeowners reported that they would prefer if their home alarm system notified the authorities. Now, relate that to business. In most businesses, the IT systems in place are incapable of detecting an intruder, or barely make a noise when they do. If the IT systems cannot detect an intruder until a malicious act has already been committed, are those systems not essentially useless in giving the business an opportunity to defend against attackers? Further complicating things is the continued financial pressure on IT as a cost center, which reduces available staff. Putting these two concepts together: most IT departments never hear the alarm when it is going off, and when they do, they lack the tools, technologies, or resources to mitigate the cause. To correct this, improve the detection of intruders within the firm’s IT systems.
  5. Living deeper – learning more. According to the FBI and Verizon, in 2016, intruders were active within their victims’ IT systems for 160 days. That bears repeating – 160 days. Consider that statistic and the implications that it carries. Hardening IT systems to prevent movement between systems, limiting the access of authorized employees on a need-to-know basis, and implementing centrally managed application and operating system patching policies are some of the first steps toward decreasing this figure. Our president presented some useful information to FinTech CIOs on how to accomplish this – you can watch that talk here.

Overall, the attackers are in business to make money using the very information that is the lifeblood of the FinTech and investment industries – and businesses overall.

Creating an environment in which information security and cybersecurity are discussed and form a core part of the corporate culture will define successful businesses in the coming years. Experiencing the ramifications of the changes created by the collision between the highly dynamic FinTech space and the traditionally risk-averse investment and financial services sector will be exciting, and something that we all have the opportunity to witness. Mitigating the downside risk of that collision is now the responsibility of executives, regulatory organizations, and technologists together.

Corporate Information Technologies provides financial services firms with expert I.T. services including compliance assessment, cybersecurity penetration tests, and network security. Corporate Information Technologies can help create, refine, or validate your organization’s cybersecurity posture and mitigate the risks presented by its shortcomings.

Our comprehensive Cyber Security offerings range from assessment to fully managed security offerings.

Contact us to learn more and let us show you how good I.T. can be!