CYBERSECURITY NEWS ALERT: December 2018

Cybersecurity News Alert December 2018:

On December 20th, the Financial Industry Regulatory Authority (“FINRA”) released a report detailing the effective cybersecurity practices and common risks observed during recent examinations. The report focused on the following key areas:

  1. Branch Controls
  2. Phishing Attacks
  3. Insider Threats
  4. Penetration Testing
  5. Mobile Device Security

Branch Controls: Maintaining rigorous cybersecurity controls are a firms best defense against attacks and human error. Establishing policies, controls, and an overall cybersecurity program promotes firm cybersecurity awareness and fosters a “security first” environment. In this section FINRA reviews:

Cybersecurity News Alert December 2018:

  • Policies and Procedures (Information Security Policy, Incident Response Plan, etc.)
  • Asset Inventory
  • Third-Party Risk Management
  • Technical Controls (Encryption, Strong Passwords, etc.)
  • Patch Maintenance

Phishing Attacks: Phishing is one of the most common threats to firms. This section details specific types of phishing (“spear phishing” and whaling”) as well as controls that FINRA recommends firms should implement in order to combat phishing attacks. In this section FINRA reviews:

  • Email and Browser Protection
  • Network Security
  • Risk Assessments
  • Endpoint Malware Protection

Insider Threats: Insider threats remain a major cybersecurity concern for firms. Bad actors who had or may still have authorized access to the firms network represent a very present and capable threat to the firms network security. Among other methods detailed by FINRA, regularly reviewing access rights is imperative to combating insider threats. In this section FINRA reviews:

  • Identity and Access Management (Access Rights and Controls)
  • Secure System Configuration
  • Data Protection (Encryption, Backup Retention, etc.)
  • Security Awareness Training

Penetration Testing: Penetration testing and vulnerability scanning are an important part of a firms cybersecurity program. Testing and scanning the firms network allows the firm to identify specific deficiencies and target areas for improvement. In this section FINRA reviews:

  • Vulnerability Scanning
  • Selecting Security Vendors/Due Diligence

Mobile Device Security: Mobile devices are a part of everyday life and, in many cases, essential to a firms business and work flow. However, with increased mobility comes increased risk as mobile devices are particularly susceptible to risks like spam, spoofed calls and emails, viruses, etc. Implementing mobile device security controls and establishing a “security first” approach to mobile device use is essential to mobile device security. In this section FINRA reviews:

  • MDM
  • Remote wipe
  • Password requirements
  • Security software on devices

For additional information, please visit: http://www.finra.org/newsroom/2018/finra-publishes-report-selected-cybersecurity-practices-2018