Top 4 Cybercrime Methods Accountants Need To Protect Against

Cybercrime Methods Accountants Need To Protect Against

The fact is that the cybercrime business has never been bigger – it’s estimated that the global cybercrime industry will cause up to $6 trillion in damages in just a few years.

What Cybercrime Methods Do You Need To Know About?

1. Corporate Account Takeover

Corporate Account Takeover has reportedly caused more than $5 billion in damage in a single year. All a hacker has to do is obtain someone’s login credentials, impersonate them, and transfer the funds that the account controls.

Cybercriminals acquire the log-in credentials through social engineering:

  • Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources.
  • Spear Phishing: This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.

2. Identity Theft

Identity Theft complaints rank among the highest logged every year by the FTC. After gaining your personal information, the cybercriminal can use it for financial gain by:

  • Opening a line of credit
  • Renting products or property
  • Extorting you directly

3. Data Theft

Instead of trying to access your funds, cybercriminals may also opt just to steal your data and sell it directly.

Recently, cyber thieves released a huge list of compromised emails and passwords that contained 773 million records. If your information has ever been breached, it’s most likely on this new list – and that list is for sale on the Dark Web.

4. Ransomware

Ransomware is malware that encrypts the data on the target system and holds it for ransom. It gets in either through phishing or through vulnerabilities in web browsers: attackers spam users with pop-ups warning of an “infection” or “security alert” and prompting them to click a link, which installs the ransomware.

How Can You Protect Against Cybercrime?

Be sure to follow these tips, which are applicable to organizations, employees and individual computer users:

1. Implement Security Solutions

  • Email filtering
  • Two-factor authentication
  • Password management
  • Patch/update all IT and security systems
  • Manage access and permission levels for all employees

2. Set A Security Policy

Every organization should set a security policy, including things such as:

  • Not opening attachments or clicking on links from an unknown source.
  • Not using USB drives on office computers.
  • Required security training for all employees.

3. Training For All Users

User education plays a big part in minimizing the danger, so start here:

  • Train users on the basics of cyber and email security.
  • Train users on how to identify and deal with phishing attacks with New-School Security Awareness Training.
  • Implement a reporting system for suspected phishing emails.
  • Run simulated phishing tests against your users regularly to keep awareness top of mind.


Managed Services SLAs: What Should You Expect to See?

 

Key Things to Look for in Your Managed Services SLA

 

When you hire an MSP, you must sign a service level agreement. Here’s how to evaluate your SLA and ensure you’re getting what you expect from this relationship.  

 

 

As if choosing the right managed service provider wasn’t enough, it’s also crucial to make sure that the SLA (service level agreement) you develop between your company and your managed service provider is sound and satisfactory.

 

Below, we’ll go over what you should expect to see within your managed services contract (SLA). We’ll also discuss how you should review this document with your lawyer to ensure you’re getting the proper value out of this relationship and doing what’s best for your business.

 

What does an SLA set out to do?

 

The core goal of a service level agreement between a company and the managed service provider they are hiring is this:

 

To outline the payment structure and service responsibilities of both parties and to specifically define and document exactly what services the MSP will offer, including what hardware and software is covered, daily monitoring services, troubleshooting services in emergency situations, response times, and more.

 

Of course, all service level agreements will be slightly different. Some will offer more or less information. Certain SLAs will include information about items such as liability protection for the managed services company. Still others will go into detail about expected performance standards.

 

What should you look for in your managed services SLA?

 

Your managed service provider will draw up the service level agreement. Ostensibly, this is a service level agreement they use and have used with all of their clients. It will, of course, be modified to fit the parameters and needs of your business and the unique relationship the MSP has with your business.

 

However, it should follow a general format. When your MSP shows you the service level agreement they have drawn up, you should expect to see the following:

 

Services Provided by the MSP

 

This section will outline exactly what services the MSP will be providing to you on a regular basis. This will often be based on the specific level of service that you have agreed to pay for.

 

For example, if you own a medium-sized business and the MSP you are working with has three levels of service, you may choose the mid-level of service as you don’t need the extent of services offered to larger businesses.

 

How Problems Are Managed

Most of the services your MSP provides will be recurring: daily, monthly, quarterly and so on. These are systematic tasks undertaken on a schedule, such as monitoring security or applying software updates.

On the other hand, your SLA also needs to outline how troubleshooting and problems will be handled by your managed service provider. If you have an issue, for example, you’ll need a protocol for managing:

  • Responsibility: What areas of your company’s IT are they (your MSP) managing and monitoring?
  • Emergencies: What constitutes an emergency?
  • Response Time: If and when you report an emergency, what is the guaranteed timeframe within which your managed service provider will respond?
  • Reporting Method: How do you report an emergency? Will this vary based on the time of day or week? What information do you need to provide?

 

When Your MSP Is Available

 

Lastly, your SLA should outline when your MSP will be available on a daily, weekly, and yearly basis. What if you have problems in the evening after business hours? On the weekend? On a holiday? All availability times and any applicable extra charges should be documented.

 

Going over your SLA with your lawyer

 

Once you are satisfied with the service level agreement you have been provided with by your MSP, make sure to go over it with your lawyer. They’re on your side and will, therefore, be able to determine if any aspect of the SLA is unfair to you legally or could present potential problems.

 

Taking your time when reviewing your service level agreement will put your mind at ease and increase the likelihood that you and your managed service provider will enjoy a strong working relationship.

Free Microsoft Software Training

Every month, we host Microsoft Office and other technology training sessions. Our training sessions are completely free of charge and are available “on-demand”. Yes, you can tune in whenever and wherever you like.

This month’s training session: 4 Ways To Use Microsoft Outlook Efficiently.

Our in-house Microsoft training specialist, Dawn, will guide you through some very important tips and tricks, such as:

  • Quick Parts
  • Templates
  • Automated Responses
  • Signatures

Using the Cloud to Boost Business

Boost Business with the Cloud

Using the cloud offers a variety of benefits for your business. Find out more about how you can use cloud technology to boost business.

The cloud has grown in popularity among businesses in all industries. However, if you have not already moved your business’s data and operations to the cloud, you may wonder whether the time and energy needed to implement cloud computing are really worth the investment.

Below are some of the ways the cloud can boost business for your company, making it well worth the investment.

1. The cloud saves you money.

Implementing the cloud for your business means you do not need to invest in the same expensive infrastructure and programs as a company that runs its operations in-house. This can save your company a significant amount of money over time.

The cloud can also save your company money by eliminating the need for in-house IT personnel. When you make the move to cloud computing, all of the programs and services you use will be maintained by your provider. Thus, you won’t need your own full-time IT staff.

2. The cloud boosts productivity.

The programs and processes you are able to access when you utilize the cloud are often more advanced and efficient than those you could afford on your own. In addition, if you choose the right provider, your programs will also be more reliable and kept up-to-date at all times. This leads to enhanced productivity overall.

3. The cloud improves collaboration.

With the cloud, it is easier to connect with colleagues, share information and work on projects with others. These improvements lead to more collaboration within your company, which in turn improves outcomes.

4. The cloud grows with your company.

One of the best things about cloud computing is its scalability. You pay only for the services you need, making it much more cost-effective. These services can also be scaled up or scaled down easily when your needs change, allowing for easier growth.

Moving your company to the cloud may seem overwhelming at first, but the potential benefits are clear. If you are not already using the cloud, it is time to start exploring this option and considering how it can improve your business. Before making the switch, be sure to investigate different providers so you can find the one that offers the best services at a fair price.

Is Your Patient Portal Putting You At Risk?

Is Your Patient Portal A Security Risk?

As convenient as patient portals are for communication with those you care for, they can also pose serious risks to you and your healthcare organization. Are you sure your patient portal is secure?

A key priority in any effective healthcare organization is keeping in touch with patients. No matter what type of medicine you practice, communicating with patients and allowing them to access their data is a must.

That’s why patient portals are so valuable in the healthcare industry. However, as with any technology that offers access and convenience, it’s vital that you make sure there’s no accompanying security risk.

What Is A Patient Portal?

The patient portal is a secure website through which patients can access their electronic health record (EHR). Additionally, depending on the type of medical practice and software involved, the patient portal may also allow for a range of different associated tasks to be carried out, such as requests for prescription refills, appointment scheduling, and direct messaging.

Why Do Patient Portals Put You At Risk?

This is the case with any technology that provides access in a convenient manner. A fundamental ongoing battle in consumer technology is between security and convenience.

The fact is that greater security often means less convenience – albeit, in small ways. Regardless, when it comes to something like a patient portal, the priority is usually to enhance the user experience, rather than configure the best security settings possible.

Here’s a basic example – when it comes to Wi-Fi connectivity settings, would you prioritize security or convenience? On one hand, it’s much more convenient to users if the device in question is configured to automatically connect to open and available Wi-Fi hot spots.

But that’s not very secure, is it?

Are Patient Portals Actually Exposing Patient Data?

In a word? Yes.

2019 is a landmark year for the lack of security around patient data, with more than 25 million patient records breached in the last 6 months alone. That is more than a 66% increase compared with 2018.

What Does HIPAA Say About Patient Portal Security?

HIPAA, as you likely know, is not often as specific in its stipulations as you might like. If you’re subject to HIPAA, then you’re expected to employ security measures that reasonably and appropriately meet the HIPAA Security Rule standards and implementation specifications.

What does that mean?

Due to the statistics stated above, these portals have been neither reasonable nor appropriate – in other words, just having a portal with a login isn’t enough. How do you beef up that security to become ‘reasonable and appropriate’? Keep reading.

In the report, “The State of Patient Identity Management”, the surveyed healthcare organizations reported using the following security measures in patient portal authentication processes:

  • Username and password (93%)
  • Knowledge-based authentication questions and answers (39%)
  • Email verification (38%)

While that could be considered the standard when it comes to protecting access to patient portal data, if one of these surveyed organizations were to experience a breach, it would be proven otherwise.

The good news is, you can do more to protect your patients’ data.

What Can I Do To Secure Patient Portal Access?

One of the best ways to add security to user authentication processes is with Multi-factor Authentication (MFA). MFA requires the user to present at least two independent methods of proof to confirm that they are the rightful account owner.

There are three categories of information that can be used in this process:

  • Something you have: Includes a mobile phone, app, or generated code
  • Something you know: A family member’s name, city of birth, PIN, or phrase
  • Something you are: Includes fingerprints and facial recognition

How Does A Multi-Factor Authentication Solution Work?

  1. User logs into the session with primary credentials.
  2. The session host validates credentials with Active Directory.
  3. Then, it sends credential validation to the cloud via the login app.
  4. The MFA client sends its secondary authentication to the user. User approves.
  5. The MFA client sends approval back to the session host via the login app.
  6. The user accesses their session very securely.
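The flow above, as an added example that is not part of the original post: a Python login check that validates the primary credential and only then checks a “something you have” factor. It swaps the push approval of steps 4 and 5 for a time-based one-time code (RFC 6238, the “generated code” named above), and it uses a constructed in-memory user table in place of the Active Directory and cloud login components; both substitutions are assumptions of this example.

```python
"""Two-step login check: primary credential, then a time-based one-time code."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample directory (hypothetical stand-in for the Active Directory
# validation step): one user, password stored as a salted PBKDF2-HMAC-SHA256 hash.
_SALT = b"constructed-salt"
_ITERATIONS = 100_000
_USERS = {
    "jdoe": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
        # Base32 seed shared with the user's authenticator app. This is the
        # RFC 6238 test seed "12345678901234567890", not a real credential.
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}
# Highest time-step counter already accepted per user, used to block code replay.
_LAST_COUNTER = {}


def verify_password(username, password):
    """Steps 1-2: validate the primary credential against the directory."""
    # Hash before looking the user up, so an unknown user costs the same time
    # as a wrong password and the check does not leak which usernames exist.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    user = _USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(candidate, user["pw_hash"])


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret_b32, at_time, step=30):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(at_time) // step)


def match_totp(secret_b32, code, at_time, step=30, window=1):
    """Step 4: compare the submitted code against the current time step and the
    +/- window neighbouring steps (clock drift). Returns the matching counter,
    or None when no candidate matches."""
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, counter + delta).encode()
        if hmac.compare_digest(expected, code.encode()):
            return counter + delta
    return None


def login(username, password, code, at_time=None):
    """Steps 1-6 of the flow: a session is granted only when both factors pass.
    The second factor is checked only after the first, and the time step of an
    accepted code is recorded so the same code cannot be replayed later."""
    now = time.time() if at_time is None else at_time
    if not verify_password(username, password):
        return "denied: primary credential"
    used = match_totp(_USERS[username]["totp_secret"], code, now)
    if used is None:
        return "denied: second factor"
    if used <= _LAST_COUNTER.get(username, -1):
        return "denied: code already used"
    _LAST_COUNTER[username] = used
    return "session granted"
```

The replay guard matters because the drift window accepts three codes at any moment; without it, a code captured from the user stays valid for up to a minute.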

Though MFA adds a step for the account owner, it also makes it much harder for cybercriminals to gain access to patient data. Their job becomes much tougher because they now need to do more than just obtain the user’s password: they also need the account owner’s second factor.

With so many other accounts being too easy to break into, hackers are more likely to just move on instead of trying to break through the multi-factor authentication process.


How to Automate Microsoft Outlook Email Responses Part 2

Automate Email Replies in Four Ways to Share Information Better

Learn how to use four powerful tools to automate Microsoft Outlook email responses, including Automatic Replies, Quick Parts, Signatures and Templates.

Managing email responses takes time, especially if you are a busy executive looking to keep in touch with clients, colleagues, investors and partners.

With Microsoft Outlook, you have multiple opportunities to automate your email responses. Here’s a look at four of the most effective ways to do so.

How Can I Use Templates to Automate Email Responses?

 

Templates are a simple way to create automated messages.

 

You can start with templates by creating a new message or replying to one.

 

On the ribbon, click on the View Templates button. This will bring up a new window with a section called My Templates, with a few common responses listed.

 

You can edit or remove these templates or create your own. For each template, you can give it a title and in the text box enter in any standardized response you choose, including copying and pasting from other documents.

 

Once you have your templates selected, you can add them to a new email or response quickly and edit them within the body of the message. For frequent phrasing and responses, the templates option helps to accelerate your communication.

 

The advantage of templates is that they are very easy to use, edit, update and delete. The downside is that they are very basic and include no formatting options within the template itself.

 

How Can Signatures Be Automated?

 

Preset signatures can help create various messages for different situations. In most cases, a default signature will be applied to all your outgoing messages. These signatures typically contain the following:

  • Full name
  • Title
  • Phone numbers
  • Website
  • Social media links

 

Often these signatures are standardized throughout an organization or division, and often contain specific marketing or legal language.

 

Signatures are highly formattable and can contain graphics or photos to convey further messages.

 

You can use signatures to be more productive and create messaging that varies based on the email recipient or whether the email is for business or personal reasons.

 

To create, modify or delete signatures, there are several ways to proceed. If you’re in a new message, go to the Message tab and click on the Signature button. This will bring up any existing signatures already in your account. To create a new one, click on the Signatures … selection at the bottom of the menu.

 

Another way to access the Signatures functionality is to use the File menu, clicking on Options, then Mail then Signatures.

 

No matter which option you choose, you’ll reach a new screen where you can select an existing signature to edit, rename or delete, or create a new signature. In the bottom box, you can:

  • Add text and images
  • Adjust the font and size
  • Insert hyperlinks
  • Set the signature’s alignment

 

Signatures are listed alphabetically, so naming conventions are important, especially for employees managing emails for other people or corporate accounts.

 

The top right section of the Signatures screen allows you to choose the email account to use and the default signature to use for new messages and replies or forwards.

 

Signatures have additional functionality. For messages that are sent repeatedly, the Signatures tool helps automate communication. The signature box can be used to include copy that is used for regular messages — a much faster option than saving text to a draft message or copying and pasting from a Word document. You can create multiple response signatures for typical inquiries.

 

What Is Quick Parts?

 

Quick Parts, formerly known as Building Blocks and Auto Text, helps you copy and save repeated boilerplate text blocks that can be inserted into an email. This is helpful for messages that include requests for information or other repetitive content.

 

To create a new Quick Part, reply to a message or create a new one. Type new text or highlight and copy existing text that you want to retain. Formatting will remain. In the ribbon, under the Text group, click on the Quick Parts button. This action brings up a list of existing Quick Parts, sorted by category, and allows you to create a new entry. A new window appears, where you can create a name, gallery category and description for the entry. (You can create new categories from this screen, too.)

 

Finally, you can determine in what email template you want the Quick Part available and some options for insertion.

 

Once saved, the Quick Part is now available for use. Create a new message, click on the Insert button and then the Quick Parts option to see a list of options for you to insert.

 

Quick Parts has several advantages. It allows for the inclusion of long entries with retained formatting for text and graphics. It also allows you to add multiple Quick Parts to the same message.

 

Right-clicking on any of the Quick Parts pops open options for where to insert the quick part, edit its properties or organize your available items. Quick Parts can also be inserted into Calendar entries or Tasks.

 

How Do Automatic Replies Work?

Automatic Replies are a standard staple in most offices. It’s an excellent time-management tool that quickly lets those within and outside your organization know your status.

To use Automatic Replies, you’ll need an Outlook profile connected to a Microsoft Exchange Server account or to Exchange Online through Office 365. Standalone versions of Outlook do not support this feature.

Access Automatic Replies by going to the File tab and choosing Automatic Replies (Out of Office) from the Info tab. Select the Send automatic replies button and, if you prefer, enter the dates and times you want the feature to be used in response to incoming messages.

The window defaults to the message you want sent inside your organization. You can add the text you need and apply basic formatting (font, size, effect, bullets or numbering, and indentation).

Remember to review the content so you don’t use an old message.

You can also opt to have a different message for those outside the organization. You can cut and paste between the two audience windows to create customized communications options.

The basic information to include in an Automatic Reply message is:

  • The length of your absence
  • When you will return
  • Who to contact for urgent matters

The Automatic Reply message is also a great way to share other information, such as social media links, news or other high-value content.

You can also set rules regarding your messages, such as whether to alert or copy a coworker regarding messages from specific senders or to reply with a specific template.

Once turned on, you’ll see a message bar in yellow at the top of your Inbox reminding you that Automatic Replies are turned on, along with an option for turning them off.

Automation is a powerful way to save time, deliver important messages and improve communication in your email responses. Using the four featured solutions here, either independently or together, can keep projects moving and share information.

Microsoft Outlook Training


The New Ways Cybercriminals Pose a Threat to Organizations

 

Cybercriminals no longer act alone. Find out the strategies and means cybercriminal networks are using to launch dangerous attacks against your organization. 

Cybercriminals business

 

According to technology industry blogs, cybercrime incidents are growing by 15 percent each year and cybercrime has become the most profitable type of criminal activity around the globe. Cybercriminals are no longer acting alone and carrying out destructive activities that are relatively simplistic. Instead, cybercriminals have become more sophisticated in their approach. Activities are more damaging and organized. IBM’s CEO and president has stated that the new cybercriminal dangers are “the greatest threat to every profession, every industry, every company in the world.” Being aware of the fact that cybercriminal activity is now executed using the same types of structures and approaches seen in businesses can help IT leaders guard against the dangers cybercrime presents.

 

Common Types of Cybercriminal Activities

 

The scale and scope of cybercriminal activities have evolved swiftly since the 1990s. Back then, cybersecurity-related attacks entailed destroying websites and executing simplistic codes that reflected a strong dislike of the corporate culture. Now, modern cybersecurity-related attacks have not only embraced the notion of the corporate model, but have exploited the corporate world’s reliance on digital connectivity. Common cybercriminal activity now involves extortion, the theft of data and information, and sabotage. The design and spread of ransomware through electronic means reaps over $11 billion annually.


Hierarchical Structures


Besides using more sophisticated and profitable methods of wreaking havoc, cybercriminals have formed networks that resemble the hierarchical structures of traditional organizations. Many groups are led by someone who operates as a pseudo executive, designing an overarching strategy and delegating tasks to other leaders who resemble middle managers. In turn, those who develop malware and ransomware code are concentrated in a single "department," while another group focuses on developing and executing distribution methods. Each group operates like a functional department within an organization. Training and recruitment programs are also developed for hackers who wish to join these extensive networks. Knowing that these networks employ the same strategies and tactics as an experienced corporate department means that any cybersecurity defense plan has to be equally organized, staffed and resourced.


The corporate structure and mentality have resulted in the equivalent of million-dollar salaries for some. Cybercriminals are also starting to incorporate other types of illegal activities into their "business models," including illegal drug production and distribution, human trafficking, and counterfeit goods. Stopping and removing the threats that cybercriminals pose means considering the possibility that these cybersecurity threats are occurring in conjunction with seemingly unrelated activities. Any defense plan must consider all possibilities and guard all potential and vulnerable points of access.

Are You Keeping Up With FINRA’s Cybersecurity Best Practices?

FINRA’s Cybersecurity Best Practices

FINRA and cybersecurity are very closely related: the more secure your financial firm is, the more likely you are to be fully compliant. Check out the latest recommendations from FINRA on improving your firm's security.

The Financial Industry Regulatory Authority (FINRA) is a private self-regulatory organization that regulates certain aspects of the securities industry and is the successor to the National Association of Securities Dealers (NASD).

As the non-governmental organization that regulates member financial firms and exchange markets, FINRA is responsible for ensuring that customer data is kept secure and available. Failure to comply with the rules that uphold these standards can be met with serious fines.

That said, FINRA is not unwilling to help you out. In its Report on Selected Cybersecurity Practices – 2018, FINRA describes in detail how member firms can improve their cybersecurity right now.

What does FINRA Have To Do With Cybersecurity?

Given the ever-evolving range of cybercrime threats facing the firms FINRA oversees, along with those regulated by the CFTC, the SEC's OCIE and the NYS DFS, it has quickly become evident that cybersecurity can't be ignored.

To meet FINRA and SEC regulations, you must first understand what they require of investment firms and financial services organizations like yours. You must know what is classified as a violation of those regulations, and put solutions in place to mitigate the risks of noncompliance.

However, knowing and understanding these regulations isn't enough; you have to be able to meet the standards in practice as well. Financial services and technology are inseparable. You depend on technology to communicate with clients and partners, streamline processes and procedures, and work efficiently while meeting the needs of those you serve.

FINRA takes into account how capable a firm is of protecting the confidentiality, integrity, and availability of sensitive customer information.

In practice that means determining how well firms meet the following SEC regulations:

  • Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
  • Regulation S-ID (17 CFR §248.201-202), which outlines a firm’s duties regarding the detection, prevention, and mitigation of identity theft
  • The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format

5 Cybersecurity Best Practices Recommended By FINRA

1. Branch Controls

No matter how robust your headquarters' cybersecurity measures are, there is no guarantee that those controls extend to your branches. If cybersecurity and FINRA compliance have been left to each branch to maintain independently, it is likely that some branches have missed the mark on a few considerations.

That's why developing Written Supervisory Procedures (WSPs) can be so worthwhile. This documentation dictates exactly how branches are to maintain cybersecurity, based on proven and accepted best practices and standards. It could include:

    1. Mandatory security controls
    2. Notifications concerning issues and breaches
    3. Accepted security settings and vendors
    4. Assignment of duties and responsibilities pertaining to cybersecurity controls
    5. Training curriculum and testing protocols

You should also make sure an inventory of cybersecurity assets (hardware and software) is kept, detailing the state and expected lifetime of each asset so that it can be maintained, updated and replaced as needed.

With these baselines for practices and assets in place, it is recommended that you implement a branch review program to verify that your branches are actually maintaining the cybersecurity standards.

2. Phishing

Phishing is a method in which cybercriminals send fraudulent emails that appear to come from reputable sources in order to get recipients to reveal sensitive information or execute significant financial transfers.

Phishing attacks are typically mass emails that request confidential information or credentials under false pretenses, link to malicious websites, or carry malware as an attachment.

With only a surprisingly small amount of information, cybercriminals can convincingly pose as colleagues and superiors in order to persuade employees to hand over money, data or other crucial information.

Do your employees have the knowledge they need to spot phishing emails?

If you're not sure, then they may need training. Security awareness training helps your employees recognize phishing emails and scam websites and avoid being victimized by them.

They also learn how to handle security incidents when they occur. If your employees know what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.

A comprehensive cybersecurity training program will teach your staff how to handle a range of potential situations:

  • How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
  • How to use business technology without exposing data and other assets to external threats by accident.
  • How to respond when you suspect that an attack is occurring or has occurred.

3. Insider Threats

Your own staff members, whether maliciously or by accident, can have a major effect on your cybersecurity as well. A number of factors contribute to the frequency, damage and potential of malicious insider threats, but the three key aspects are:

    1. Depending on how duties are assigned, what form of supervision is present, and how often employee (or even ex-employee) activity is audited, the damage an insider causes can take a long time to discover. The longer it goes undetected, the harder it usually is to reverse.
    2. Once discovered, the response can be difficult to execute. The employee in question can often claim it was a mistake, or (again, depending on the division of labor and supervision) can even appear to be doing their job as usual if they are considered the "expert" in that work.
    3. In any case, poor management policies usually leave the door open for disgruntled employees to do damage. Low-level staff given admin access, third-party vendors granted authority over data they don't actually need, and still-valid login credentials for recently terminated staff are all common and dangerous occurrences.

Misuse of excess privilege is one of the most common ways for cybercriminals to penetrate and then spread through a network. Whether by tricking a user who holds administrative privileges into downloading and running malware, or by elevating privileges from a compromised non-admin account, attackers regularly take advantage of this widespread unsafe business practice.

You need a carefully implemented process to track the lifecycle of every account on your network.

  • Follow a defined procedure for how accounts are created for new staff, how their security is maintained and verified throughout their life, and how they are removed when no longer needed.
  • Implement secure configuration settings (complex passwords, multi-factor authentication, etc.) for all accounts, and especially for administrative accounts.
  • Implement controls on login and use, such as lockouts after too many unsuccessful logins, alerts on unsuccessful login attempts, and automatic log-off after a period of inactivity.
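The lifecycle and login-control items above can be audited mechanically against your directory and authentication logs. The following Python example is added here and is not part of the FINRA report or of this article: the account inventory, the log lines and their "timestamp user RESULT source_ip" layout are constructed for illustration, and the thresholds (5 failures within 10 minutes, 30-minute lockout) are assumptions to be replaced by your own policy. It replays a log against the lockout policy, flags a successful login that occurs while the account should still be locked (a sign the lockout is not actually enforced), flags logins by accounts past their termination date, lists accounts seen in the log but missing from the inventory, and lists admin accounts without MFA. Automatic log-off after inactivity is not covered.

```python
from collections import defaultdict, deque
from datetime import date, datetime, timedelta

# Constructed account inventory (hypothetical data). In practice this is pulled
# from the directory service and HR records, not hard-coded.
ACCOUNTS = {
    "alice":      {"admin": False, "mfa": True,  "terminated_on": None},
    "bob":        {"admin": True,  "mfa": False, "terminated_on": None},
    "carol":      {"admin": False, "mfa": True,  "terminated_on": "2019-01-15"},
    "svc_backup": {"admin": True,  "mfa": False, "terminated_on": None},
}

# Constructed authentication log. The "timestamp user RESULT source_ip" layout is
# an assumption for this example; adapt parse_log() to your real log format.
AUTH_LOG = """\
2019-02-01T09:00:01 alice FAIL 203.0.113.7
2019-02-01T09:00:04 alice FAIL 203.0.113.7
2019-02-01T09:00:06 alice FAIL 203.0.113.7
2019-02-01T09:00:09 alice FAIL 203.0.113.7
2019-02-01T09:00:11 alice FAIL 203.0.113.7
2019-02-01T09:00:14 alice OK 203.0.113.7
2019-02-01T10:15:00 bob OK 10.0.0.12
2019-02-01T11:30:00 carol OK 10.0.0.40
2019-02-01T12:00:00 bob FAIL 10.0.0.12
2019-02-01T13:00:00 mallory OK 198.51.100.9
2019-02-01T14:00:00 bob FAIL 10.0.0.12
2019-02-01T14:00:30 bob FAIL 10.0.0.12
2019-02-01T14:01:00 bob FAIL 10.0.0.12
2019-02-01T14:01:30 bob FAIL 10.0.0.12
2019-02-01T14:02:00 bob FAIL 10.0.0.12
"""

# Assumed policy values; replace with your firm's own.
LOCKOUT_THRESHOLD = 5                   # failures inside the window trigger a lockout
LOCKOUT_WINDOW = timedelta(minutes=10)  # sliding window for counting failures
LOCKOUT_DURATION = timedelta(minutes=30)


def parse_log(text):
    """Return (timestamp, user, result, ip) tuples in log order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, result, ip = line.split()
            events.append((datetime.fromisoformat(ts), user, result, ip))
    return events


def detect_lockouts(events, threshold=LOCKOUT_THRESHOLD,
                    window=LOCKOUT_WINDOW, duration=LOCKOUT_DURATION):
    """Replay the log against the lockout policy.

    Returns (lockouts, successes_during_lockout): when an account should have
    been locked and the log still shows "OK", the lockout is not enforced.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures inside the window
    locked_until = {}
    lockouts = defaultdict(list)
    successes_during_lockout = []
    for ts, user, result, _ip in events:
        if user in locked_until and ts < locked_until[user]:
            if result == "OK":
                successes_during_lockout.append((user, ts))
            continue
        if result != "FAIL":
            recent[user].clear()  # a successful login resets the failure count
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # discard failures older than the window
        if len(q) >= threshold:
            lockouts[user].append(ts)
            locked_until[user] = ts + duration
            q.clear()
    return dict(lockouts), successes_during_lockout


def audit(log_text=AUTH_LOG, accounts=ACCOUNTS):
    """Run the lifecycle and login-control checks and return the findings."""
    events = parse_log(log_text)
    lockouts, bypasses = detect_lockouts(events)
    terminated_logins, unknown = [], set()
    for ts, user, result, _ip in events:
        if user not in accounts:
            unknown.add(user)     # account in the log but not in the inventory
        elif result == "OK":
            term = accounts[user]["terminated_on"]
            if term and ts.date() >= date.fromisoformat(term):
                terminated_logins.append((user, ts))  # ex-employee still logging in
    return {
        "lockouts": lockouts,
        "successes_during_lockout": bypasses,
        "terminated_account_logins": terminated_logins,
        "unknown_accounts": sorted(unknown),
        "admins_without_mfa": sorted(u for u, a in accounts.items()
                                     if a["admin"] and not a["mfa"]),
    }


if __name__ == "__main__":
    for name, finding in audit().items():
        print(f"{name}: {finding}")
```

On the constructed data, alice is locked out at 09:00:11 and then logs in successfully three seconds later, which is exactly the finding that tells you the lockout exists on paper but not in the system; bob's single failure at noon falls outside the ten-minute window and does not count toward his later lockout; carol, terminated in January, still authenticates in February; and mallory does not exist in the inventory at all.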

4. Penetration Testing

A penetration test is an authorized attack on your organization's technology and staff, and is one of the best ways to accurately evaluate your security controls. It lets you check each aspect of your cybersecurity posture against what an attacker would actually attempt.

FINRA recommends running penetration tests both on a regular basis and after key events: anything that significantly changes your firm's infrastructure, staffing, access controls, or other cybersecurity-relevant considerations.

5. Mobile Devices

Having your staff use their own personal devices for work means that you don’t have to pay for the technology they’d be using otherwise. Depending on the size of your practice, that could mean potential savings of thousands of dollars that would have been necessary to pay for tablets and work phones.

No matter what kind of cybersecurity you have in place at the office, it won't automatically extend to the mobile devices that have access to your data.

This is a critical limitation, and it's obvious when you think about it: if your firewall rules and endpoint protection cover only your office-managed devices, but you let employees use personal devices and home workstations to access business data, then that data is only as secure as those unmanaged devices.

Set a policy for when and how mobile devices may be used. Once integrated into your internal network, these devices can access, store, transmit, and receive business data.

You’ll need to have policies in place to regulate how employees use their devices to interact with sensitive data. Take the time to consider the risks associated with mobile device use, such as the potential for devices containing business data to be lost or stolen, infected with malware, or the potential for accidental disclosure of confidential information through sharing a device with a family member or connecting to an unsecured wireless network.

You also need to consider how mobile device use can pose risks to your data. A risk analysis will help you identify vulnerabilities in your security infrastructure, and help you determine the safeguards, policies, and procedures you’ll need to have in place.

Whether the devices in question are personal devices or provided by your Fort Lauderdale IT company, you will still need to have a clear idea of how they’re being used to communicate with your internal network and systems.

Assessments should be conducted periodically, especially after a new device is granted access, a device is lost or stolen, or a security breach is suspected.

Lastly, make sure you develop, document, and implement mobile device usage policies and procedures. Policies that are designed for mobile devices will help you manage risks and vulnerabilities specific to these devices.

These policies should include processes for identifying all devices being used to access business data, routinely checking that all devices have the correct security and configuration settings in place, whether or not staff can use mobile devices to access internal systems, whether staff can take work devices home with them, and how you will go about deactivating or revoking the access of staff members who are no longer employed.

Regardless of the cybersecurity solutions you put in place, they should be able to accommodate new technologies and content types, and they should be easy to update and to scale. Static or multiple standalone tools that each address only one need or requirement won't be enough.