Three Ways Financial Companies Can Sharpen Their Security

The key is to start with a business strategy, then find a security solution that supports it

Morgan Stanley had a cybersecurity program in place when, last year, it was fined $1 million by the SEC. The fine, for failing to sufficiently protect client information, was essentially a slap on the wrist for the financial giant. Still, the gesture had resonance.

The company tried to be proactive by setting rules around which employees could access certain client data and implementing a full stop that prevented the duplication of files onto certain devices. Nonetheless, an employee, noticing security gaps, illegally accessed 730,000 accounts (via 6,000 searches) over three years to snoop on his fellow financial advisors’ investment strategies. Russian hackers accessed that employee’s private files and leaked the information of about 900 clients onto the Internet.

With the Trump administration expressing an intent to limit regulations, states are stepping up to the plate. In a first-ever action of its kind, the New York State Department of Financial Services has enacted legislation requiring financial institutions to have a documented cybersecurity program, employ trained personnel, conduct risk assessments, and hold a chairperson or senior officer accountable for the implementation of all of the above.

The guidelines are vague, to be sure, which could feel like good news for anyone who works in money. But it’d be foolish to ignore an escalating situation. Financial companies deal with large amounts of data with legal entanglements. At the same time, they’re facing a sprawling array of risks including “confidential data, intellectual property, or corporate strategy”—often in the hands of persistent crime rings or organized nation states. This type of disruption threatens daily operations, and derailing financial transactions could easily destroy a company.

Deloitte’s recent risk-management survey puts things into perspective: 86% of those polled said their boards of directors are devoting more time to the oversight of risk management than they did two years ago, and 36% cited compliance as a core risk that will become more important over the next two years. Meanwhile, SecurityScorecard’s 2016 Cybersecurity Report states that generic malware was found in 15 out of 20 commercial banks, with 22 major financial institutions suffering publicly disclosed breaches.

Instead of battening down the hatches with more security rules, financial institutions must become smarter in their security strategies. Here are three places to start:

Get Holistic Security
Financial institutions are increasingly working with big data to grow their businesses. Firewalls and SIEMs calibrated to thresholds cannot contain malware threats or support data growth. Implementing extensible, analytics-based security is an investment in the company’s future. A data-hungry platform that accurately spots anomalies will do so three-dimensionally: considering entities such as users, computers, files—and combinations thereof. In the case of a swiftly detected breach, this factors out an expensive forensics process and provides risk context that will empower the company’s security and executive teams to keep moving forward.

Focus on Inside Threats
Financial companies are challenged by the many people—employees and third-party workers—who have access to sensitive information. In the case of Morgan Stanley, the culprit was a recklessly competitive employee who acted with extreme negligence. With malware rampant in business, even the most ethical employee must be trained to spot attempts at phishing. Additionally, the omnipresent visibility that comes with security analytics bolstered by machine learning cannot be overstated. Attentive and inexhaustible, this type of platform will shape-shift with personnel and business changes, while almost immediately spotting covert behavior inside the enterprise.

Avoid Security That Requires Specific Skills
We’re currently seeing a spike in new Chief Risk Officers. Meanwhile, reports eFinancialCareers, “Goldman Sachs turned to the White House for its new cybersecurity lead, while Morgan Stanley hired a counter-terrorism expert.” In reality, these high-profile hires only make sense if they work with teams that can deploy, and glean learnings from, security solutions. Too often, these platforms require technical unicorns: employees with very specialized skills. This has become a huge problem. According to a Deloitte study, 70% of respondents said that finding and retaining risk-management employees with the right skills has become a top priority. Companies can circumvent this issue through an easily integrated solution that yields transparent, actionable intelligence. This frees up security managers and directors to better address compliance laws and investor/board member updates, while working with other enterprise teams to hammer out best practices. Intelligent security doesn’t trickle down; it works its way up the ladder.