<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=585074&amp;fmt=gif">

download this entire page as a pdf_fairdinkum consulting 

Employees Working Remotely

What Financial Firms Need To Know About Employees Working Remotely

Whether you are a Principle or Partner, It should come as no surprise that the financial sector is the single most targeted industry when it comes to cyber attacks.

As mentioned in the Global Banking & Finance Review "As data breaches are now an almost daily occurrence with both large enterprises and SMEs making headlines for compromises to intellectual property,the security of remote workers should be a high priority for any organisation. According to recent research from Apricorn, 48% of surveyed companies said employees are their biggest security risk, and one in ten companies with over 3,000 employees do not have a security strategy".

The SEC Brings Its First Enforcement Action under the Identity Theft Red Flags Rule

On September 26, 2018, the Securities and Exchange Commission (SEC) settled claims that Voya Financial Advisors, Inc. (VFA) failed to adequately protect customer information following a six-day cyberattack in 2016. The SEC’s order not only cites violations of the Safeguards Rule under Regulation S-P  (a staple of SEC cybersecurity enforcement actions against broker-dealers and investment advisers) but also is the SEC’s first enforcement action for a violation of the Identity Theft Red Flags Rule under Regulation S-ID,  which requires certain SEC registrants to create and implement programs to detect, prevent and mitigate identity theft. Click here for more details.

Financial institutions face 300% more cyber attacks than any other sector. The threat has gotten so far out of hand that numerous government agencies fear these cyber criminals are the biggest threat to bank stability. According to SEC Chair Mary Jo White, cyber attacks are such a grave concern that it overtakes terrorism in the Division of Intelligence’s list of global threats. There is one practice in particular that puts financial institutions at risk of a hack: Working Remote.  new-york-540807__340.jpg

In the JP Morgan breach of 2014, 83 million customer records were compromised.  That is 83 Million records stolen in just ONE breach. This incident is "the largest theft of customer data" and it all started with one employee working from home. 

 

This attack on JP Morgan should have taught us a number of things according to Claus . First, it should serve as a warning to the power and reach these malware attacks have. Second, it calls attention to what we have been saying for months; "your employees are your weakest link".  And third, this proves how easy it is for these attacks to stay under the radar. In the case of JP Morgan, the attack was underway for over a month before they figured out what was going on. 

Of the attacks that occur because of unsafe remote connections, 75% stem from having weak passwords. Having an in-depth comprehensive password policy is a must for all companies, but especially firms in the financial sector. Another way to defend against these attacks is multi-factor authentication (MFA). MFA is a strategy that adds an extra layer of security by requiring a code (normally retrieved from your cell phone) to be entered along with your password for access. A strong password policy and MFA are vital but they are only part of the solution. You will need to be prepared with backups, shadow copies, and off site disaster recovery as well.

 We have put together a checklist to make sure you are as cyber secure as you can be.

financial services audit checklist Fairdinkum consulting

 

Employee Owned Devices

What would happen to your brand trust if personal data and corporate data were combined on a personally owned device and the device was stolen or lost?

Companies around the globe have identified the convenience of employees bringing their own device (BYOD) to work. In fact, 82% of companies allow the use of personal devices for work, but out of those companies which support BYOD, 50% were breached through an employee’s personal device.

The Verizon RISK Team outlined a typical scenario of how an unregulated BYOD culture can become a grave concern. In its report, it identified an instance where a customer was locked out of his account and getting an error message. An investigation revealed no suspicious activity within the servers, and anti-virus scans came back clean. Furthermore, there were no signs of malware within the local area network (LAN).

BYOD_data breach financial firms_ Fairdinkum Consulting

The Risk Of Bringing Your Own Device To Work

It wasn’t until investigators looked into the BYOD network that it found their culprit. A faculty member’s personal laptop was infected with a virus at home and the virus later spread to the company network when the device was connected at the office.

A further review revealed that the BYOD and guest networks shared the same network equipment and Network Address Translation (NAT) with the corporate traffic. This made the company network vulnerable to malware from infected personal devices that are able to make their way past the firewall.

Common BYOD Risks

Common mobile malware includes trojanized apps and malicious links, both of which try to trick users into downloading harmful code to their devices. Third-party app stores, in fact, often contain malware-laced applications that can infect devices and gain access to their sensitive data.

A recent article in Forbes states Cyber Attackers Rely On Human Error

"Hackers rely only partly on their security-penetration skills. The other thing they need? Regular people making mistakes. "An analysis of threats faced by organizations in the first quarter of 2017 reveals that cyber attackers still rely heavily on user interaction," says Bo Yuan, Ph.D., professor and chair of the department of computing security at Rochester Institute of Technology.

Without a stringent BYOD protocol, company networks become vulnerable the minute an infected device is hooked up at the workplace."

BYOD Security

Public IP addresses should never be shared with unknown devices. Company networks need to be configured so that traffic from personal devices is sent out through a separate interface. BYOD security also comes down to best safety practices within the staff. All employees should be trained on how to handle their own personal devices, including:

  • Avoiding accessing company data by connecting via over-the-air Wi-Fi networks
  • Avoiding jailbreaking devices; this practice leaves devices more vulnerable to malicious applications
  • Keeping all operating systems up-to-dateBYOD_data breach financial firms_Fairdinkum Consulting
  • Encrypting personal devices and implementing strong passwords for both the device and SIM card
  • Only installing apps from trusted stores, such as the Apple Store and Google Play

 

A recent article on FOSSBYTES articulates the risk of Combining personal data and corporate data.

"BYOD makes it difficult to distinguish between personal data and corporate data because they are both kept on the same device. So, if the device is lost, the corporate data will be accessed by any individual who gets the device.

If the lost device stores critical data, the individual who finds it can publicize the information or use the data to damage the reputation of the organization."

Contact us for a free, no-obligation consultation and download our Financial Services Cyber Security Audit Checklist to check your cyber security posture. 

financial services audit checklist Fairdinkum consulting

Weak Configuration
= Cyber Exploitation

Weak Configuration: An Open Invitation for Cyber Exploitation

Technology devices don’t have a corner on weak configurations. System network configurations can be just as weak - especially when it comes to password protection. Weak configurations can be devastating to institutions holding large amounts of (sensitive) data such as financial services firms.

The Verizon Data Breach Investigation Report (DBIR), in fact, reported that four out of five breaches can be traced back to easily guessable passwords (e.g. a ‘123456’ password), and/or the lack of a static authentication system.

Even established institutions are prone to fall short in their efforts to mandate secure password best practices. Poor configurations are responsible for four major modes of attacks, including:

1. SQL Injection

Hackers can use an injection attack to bypass a web application’s authentication and verification mechanisms to access private data.

Malicious code is inserted, or “injected,” into strings that are passed to an SQL server for parsing. This data breach financial firms_fairdinkum consultingtricks the application into changing data or executing unintended commands - giving attackers full access to a database for the purpose of releasing its information or holding it hostage. An estimated one out of three Web attacks are launched via SQL injections.

To learn more about the danger of SQL injection you might want to read: A Brief SQL Injection History Lesson

2. CMS Compromise

Many institutions rely on some form of content management system (CMS) - WordPress or Joomla, for example - to share, publish and edit content. Unfortunately, these systems may contain vulnerabilities that are often exploited when left unpatched. These openings provide an entry point for attackers to install backdoor programs.

WordPress, despite being the most common CMS, is also one of the most vulnerable. One study revealed that 73% of all WordPress installations had one or more vulnerabilities that could have easily been detected using automated tools.

CMS solutions are inherently vulnerable because of their open frameworks. Many operators also use weak passwords, leaving their system susceptible to brute force attacks.

3. Backdoor Access

“Backdoor” essentially refers to any intrusion tactic that goes unnoticed. Hackers can use backdoor access to install malicious software or record user keystrokes, which gives them what they need to move freely around the unsuspecting victim’s network.

Systems are especially vulnerable to backdoor attacks when networks are accessed by multiple users. Attacks normally occur in stages, and backdoors are often used as a second point of entry or the third command-and-control stage of the attack process.

"Cyberattacks against financial services firms increased by over 70 percent in 2017, which reflects that the financial services sector is currently vulnerable to such attacks, states a recent report from Market Expertz. In the previous year, cyberattacks against the sector had increased by 60 percent.

The global cybersecurity in financial services market is expected to expand at an annual growth rate of 9.81 percent, leading to a global revenue of $42.66 billion by 2023, the report estimates.

Still, a Deloitte survey of 51 CISOs at U.S. financial services institutions in May suggests financial institutions aren’t spending enough to adequately defend against attacks."

Source: BizTech

4. DNS Tunneling

dns tunneling_Fairdinkum consultingDomain name system tunneling is a way of encoding the data of other programs in DNS queries and responses. It is used to establish unintended communication channels to a C2 server and enact dataexfiltration.

Since the DNS protocol is not intended for data transfer, it is often overlooked by security monitoring programs. As a result, the infiltration may go unnoticed for some time.

 

Don't allow a data breach to occur due to weak network configurations. Fairdinkum employs a combination of cutting-edge techniques to keep your network and data safe including security scans and monitoring, penetration tests, and security training to ensure that your data is safe with us.

Download Fairdinkum’s Financial Services Cyber Security Audit Checklist to make sure you are as cyber secure as you can be. 

financial services audit checklist Fairdinkum consulting

The Cost Of Not
Protecting Customer Data

In today’s digital world, customer data is one of the most valuable currencies. Unfortunately, that makes it an incredibly attractive target for hackers, phishers, and other cyber criminals. In fact, an estimated 158,727 pieces of customer data are stolen every single hour.

It’s not just cyber criminals that leave you vulnerable to data breaches, though. Simple human error can lead to the unintentional release of customer data, and the consequences for your business can be equally devastating.

 statistic_id273572_number-of-us-data-breaches-2014-2018-by-industry

Forbes reports"Globally, the impact of a data breach on an organization averages $3.86 million, though more serious "mega breaches" can cost hundreds of millions of dollars. IBM's 2018 Cost of a Data Breach study was formulated through interviews with more than 2,200 IT, data protection and compliance professionals from 477 companies and it provides an interesting insight into one of the most serious problems facing companies today.

The potential cost of an incident depends on several factors with the financial impact rising in line with the number of records stolen. On average, each record costs $148 and a breach of 1 million records costs $40 million while a breach of 50 million costs $350 million. The research also found that the efficiency in identifying an incident and the speed of the response has a huge impact on its overall cost. On average, it took companies 197 days to identify a data beach and 69 days to contain it."

 

Legal implications

At present, federal legislation governing data protection tends to be sector-specific, while state legislation focuses on protecting the data of individual consumers.

It can be hard to keep track of which regulations you need to adhere to, but the basic principle is that you need to take reasonable measures to protect personally identifiable or sensitive information about your customers - think names, addresses, social security numbers, or credit card information, for example.

Depending on your state and sector, you might be required to do any number of the following:

  • Encrypt personally identifiable informationdata breach_data encryption_Fairdinkum consulting
  • Destroy sensitive information in a way that makes it unrecoverable
  • Specify exactly how you plan to use the information you collect
  • Restrict the sale of information for marketing purposes
  • Publish detailed data security plans
  • Notify affected customers of data breaches within a set time frame

If you fail to meet your obligations and a data breach occurs, you may face heavy fines and be held liable for damages suffered by your customers. In some sectors and/or jurisdictions, you may even lose your license to conduct business altogether.

Public Relations Damage

Research has found that in the event of a cyber attack, as many as 60% of your customers consider leaving, and around a third actually do, even if they weren’t personally affected.

It makes sense — your customers are trusting you with their most personal of data, and a breach can seriously shake their confidence in your ability to keep that data (and them) safe. Very few businesses can survive the loss of one third of their customers, and chances are yours is one of them.

 financial loss_data breach_Fairdinkum consulting

 

Financial Loss

With legal consequences, public relations damage, and customer decline comes financial loss. Whether you’re paying steep fines or losing out on sales, your business takes a huge monetary hit from a data breach. The cost for an average small business is approaching $150 million, which again, most businesses simply can’t afford.

statistic_id267132_ic3_-total-damage-caused-by-reported-cyber-crime-2001-2017

Time to call in the experts?

Even the best-protected and most vigilant companies can fall victim to a data breach, so it’s important to take a proactive approach to keeping your customer data safe and secure. Ultimately, the best way to do this is to get a helping hand from the professionals.

At Fairdinkum, we help businesses like yours to secure their customer data, protect their reputation, and avoid costly legal and financial consequences. You can download Fairdinkum’s free Security Audit Checklist to help you to find your weak spots before cyber attackers do, or contact us now for a free, no-obligation consultation.

financial services audit checklist Fairdinkum consulting

The Human Element

 

Data Breach Scenario: The Human Element - Financial Services Firms

statistic_id881158_average-financial-business-damages-via-cyber-attacks-worldwide-2018

While the news sensationalizes cyber threats from bad actors and nation states, the reality is that the largest threats to organizations are their own employees and contractors. Humans are vulnerable and prone to fall victim to schemes aimed at gaining access to company networks. For their part, the hackers are sly and cunning and know how to take advantage of the weak link. When organizations take the initiative to learn about common data breach scenarios, they can better prepare and protect themselves.

The Verizon RISK team recently published a report, the Data Breach Digest, outlining the most common data breach scenarios. Threats can come from within an enterprise - including third-party vendor partnerships - as well as outside of it. Here is an overview of five scenarios the RISK team investigated, all of which demonstrate how data breaches can be caused by manipulation of individuals’ actions and emotions.

1. Social Engineering

In an example of this scenario, a company rival e-mailed a chief design engineer. The e-mail masqueradedsocil engineering_cyber security_fairdinkum consultingas a recruitment device, including an attachment with job openings. However, the attachment installed malicious software that was able to access classified design plans for a new piece of equipment. With these plans in hand, the rival was able to produce a copycat product, and the victim lost intellectual property.

 

 

2. Financial Pretexting

Financial pretexting generally involves manipulating human emotions in order to gain access to highly sensitive financial information.

In this particular case, a banking organization learned that someone had financial pretexting-cyber security_fairdinkum consultingattempted to wire more than $5 million through FedWire. While the attempt failed because of built-in protective measures, the perpetrator managed to gain access to company functions through emailing an employee. This employee, a regional manager, received an email ostensibly from the company’s CIO, complementing her.

She clicked on a hyperlink in the email, which initiated the installation of malicious software. In this case, the software not only scraped data but was also capable of initiating wire transfers through the computer.

 

3. Digital Extortion

Extortion works by demanding that victims pay a ransom in order to recover data, unlock computers and devices, or even gain back control of the network . This form of cyber attack represents a growing threat. For one manufacturing and retail company, an extortion attack began when a member of the IT team received two emails claiming to have several years’ worth of customer transaction data. After validating the threat, the company revamped its e-commerce platform and publicly admitted that two million customer records had been compromised.

 

4. Insider Threat

Insider attacks are less common, but can be devastating. These attacks rely on trusted employees or contractors who have privileged access to network data.

Verizon reports that the majority (63%) of data breaches over the previous three years involving "insider and privilege misuse" were financially motivated. The majority of other cases involve disgruntled employees and revenge. In one example given, a company in the middle of a buy-out received a tip that a middle manager was accessing and abusing the CEO’s email account.

Ultimately, investigators discovered that the manager was working in concert with an IT administrator to access the CEO’s email account by taking advantage of the spam filter.

 

5. Partner Misuse

Business partners and trusted vendors are essential for business, but unscrupulous partners can be disastrous. One oil and gas company experienced a data breach at the hands of a partner gas station company. Several computer systems at the gas stations were able to access the parent networks, and one employee was ultimately found responsible.

Protecting Your Organization

These sobering scenarios suggest that companies must be on alert for data breaches caused by humans - whether accidental or intentional. Here are some steps companies can take to protect themselves:

  • Provide employee education on common social engineering methods
  • Thoroughly vet all business partners
  • Use multi-factor authentication for sensitive data and systems
  • Monitor all networks and limit privileged access

 

 download this entire page as a pdf_fairdinkum consulting

Bottom line: Keith knows his stuff. He gets things done quickly and efficiently and he gets it right the first time. He has been our primary contact for several years and has always been extremely reliable. We think of him as part of our team here- not just a consultant to our business. I would highly recommend him.
Erin Sauter

Erin Sauter

Keith was our primary contact when I was at Lux Research. He was the 'go to' guy for any and all IT things as we had no internal IT department. He was extremely responsive and always did a thorough job in servicing our needs. I would highly recommend Keith for any position based on my experience with him.
Patricia Constantino

Patricia Constantino

 

 

 

 

financial services audit checklist Fairdinkum consulting

Download Your Checklist