BreachExchange mailing list archives
How to Curb Your Biggest Cybersecurity Threat
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 7 Aug 2015 14:01:27 -0600
http://www.investopedia.com/articles/professionals/080715/how-curb-your-biggest-cybersecurity-threat.asp

Morgan Stanley (MS) suffered its worst data breach in years last December, when account information from about 900 of its wealth management clients—including account names and numbers—was stolen and briefly posted online. According to Forbes, the culprit was not an experienced hacker or foreign government, but a rogue 30-year financial advisor who had recently been promoted and may have been looking to sell the information to identity thieves.

The term cybersecurity often evokes thoughts of viruses, hackers, and spyware that’s preventable by installing anti-virus software and using strong passwords, but as the anecdote above highlights, both malicious and naïve employees are often left with free rein when it comes to client data. At the same time, less than a third of financial advisors plan to invest in cybersecurity, according to a survey by Investment News, creating a potentially big security hole. (For related reading, see: 7 Cybersecurity Tips for Advisors.)

In this article, we’ll take a look at how to train employees in order to avoid accidental data leaks while implementing security measures to deter malicious employees from taking any actions that could hurt the company.

Training Employees

The first step in preventing employee-related cybersecurity issues is ensuring that they are properly educated when it comes to security. By training employees with security best practices, companies can avoid unintentional data leaks that can cause major cybersecurity scares, while making life much more difficult for hackers looking to exploit weak passwords and other “human factors” to gain access to confidential information.

Some common issues to address include:

Virtual Private Network (VPN) – Ensure that users know how to securely access a corporate VPN when they are working remotely.
Approved Password – Ensure that users generate strong passwords by instituting password length and complexity requirements for all online services.
Security Contact – Ensure that users know who to call when they think they’ve made a mistake or have a security-related question.

(For related reading, see: SEC to Advisors: Implement Cybersecurity Plans.)

When it comes to phishing e-mails and similar scams, it can be difficult to train employees to recognize them due to the evolving nature of the fraud. The best way to prevent these problems is to improve system-level security by implementing better spam filtering and other tools designed to alert users, while encouraging users to immediately contact a security professional when they suspect that they may have done something wrong.

Monitoring Systems

The second step in preventing employee-related cybersecurity issues is implementing monitoring software to keep tabs on employees themselves. While employers should generally be trusting of their employees, it’s never a bad idea to monitor them when they’re using workplace machines, at least on some level. Chief Compliance Officers or Chief Information Officers should be responsible for these types of undertakings.

Some tips for tracking employees include:

Monitor Logs – Many cloud-based software solutions provide activity logs for all advisor logins, which compliance officers should regularly check for abnormalities.
Restrict Content – Companies can block certain websites or enable advisors to only access white-listed websites to prevent unauthorized distribution of data.
Track Everything – Some companies may want to install software to track e-mails, IM sessions, and even log keystrokes to identify potential problems in advance.

(For related reading, see: Educating Your Clients About Cybersecurity.)

Employees should be clearly advised about why and how they are being monitored on their workplace machines. Unless a specific employee poses a serious threat that requires covert monitoring, companies should outline these details in an employee handbook or other form of hard documentation that can be easily referenced. These documentation efforts can also serve as a deterrent of their own against making malicious actions.

The Bottom Line

Most people think of viruses and hackers when considering cybersecurity, but employees can equate to a commonly-exploited loophole. Financial advisory firms should educate employees about security best practices in order to prevent any accidental data leaks. Lastly, firms should consider implementing security software and outlining their policies to deter any malicious employees from taking action. (For related reading, see: Finding and Retaining High Net Worth Clients.)