Category: Blog

FINRA’s Cybersecurity Best Practices

FINRA and cybersecurity are very closely related – the more secure your financial firm is, the more likely you’re fully compliant. Check out the latest recommendations from FINRA on improving your firm’s security

The Financial Industry Regulatory Authority (FINRA), is a private self-regulatory organization that regulates certain aspects of the securities industry and is the successor to the National Association of Securities Dealers, or NASD.

As the non-governmental organization that regulates member financial firms and exchange markets, FINRA is responsible for ensuring customer data is kept secure and available. Failure to comply with their regulations that uphold these standards can be met with serious fines.

That said, it’s not like they’re unwilling to help you out – in fact, in their Report on Selected Cybersecurity Practices – 2018, FINRA tells you exactly how to improve your cybersecurity right now.

What does FINRA Have To Do With Cybersecurity?

Given the ever-evolving range of cybercrime dangers that threaten firms that FINRA monitors — those that are CFTC, SEC OCIE & NYS DFS regulated — it has quickly become evident that cybersecurity can’t be ignored.

To meet FINRA & SEC regulations, you must first understand what they require of investment firms and financial services organizations like yours. You must realize what’s classified as a violation of FINRA & SEC regulations, and make sure you put solutions in place to mitigate the risks of noncompliance.

However, knowing and understanding these regulations isn’t enough – you have to be able to meet the standards in place as well. Financial services and technology are truly inseparable. You depend on technology to help you communicate with clients and partners, streamline processes and procedures, and work efficiently while meeting the needs of those you serve.

FINRA takes into account how capable a firm is of protecting the confidentiality, integrity, and availability of sensitive customer information.

That means determining how well firms meet the following SEC regulations:

• Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
• Regulation S-ID (17 CFR §248.201-202), which outlines a firm’s duties regarding the detection, prevention, and mitigation of identity theft
• The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format

5 Cybersecurity Best Practices Recommended By FINRA

1. Branch Controls

No matter how robust your headquarters’ cybersecurity measures are, it’s not a guarantee that those controls extend to your branches. It’s more than likely that, as you may have left cybersecurity and FINRA compliance to each branch to maintain independently, they may have missed the mark on a few considerations.

That’s why developing Written Supervisory Procedures (WSPs) can be so worthwhile. This type of documentation can dictate exactly how branches are to maintain cybersecurity, based on proven and accepted best practices and standards. This could include:

1. 1. Mandatory security controls
   2. Notifications concerning issues and breaches
   3. Accepted security settings and vendors
   4. Assignment of duties and responsibilities pertaining to cybersecurity controls
   5. Training curriculum and testing protocols

You should also make sure an inventory of cybersecurity assets (hardware and software) is made, detailing the state and expected lifetime of such assets so that they can be maintained, updated and replaced as need be.

With these baselines for practices and assets developed, it is recommended that you implement a branch review program which will double-check whether your branches are maintaining cybersecurity standards.

2. Phishing

Phishing is a method in which cybercriminals send fraudulent emails that appear to be from reputable sources in order to get recipients to reveal sensitive information and execute significant financial transfers.

Phishing attacks are mass emails that request confidential information or credentials under pretenses, link to malicious websites or include malware as an attachment.

With only a surprisingly small amount of information, cybercriminals can convincingly pose as business members and superiors in order to persuade employees to give them money, data or crucial information.

Do your employees have the knowledge they need to spot phishing emails?

If you’re not sure, then they may need training. Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites.

They learn how to handle security incidents when they occur. If your employees and volunteers are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.

A comprehensive cybersecurity training program will teach your staff how to handle a range of potential situations:

• How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
• How to use business technology without exposing data and other assets to external threats by accident.
• How to respond when you suspect that an attack is occurring or has occurred.

3. Insider Threats

Your own staff members, whether maliciously or by accident, can have a major effect on your cybersecurity as well. There are a number of factors that contribute to the frequency, damage, and potential of malicious insider threats, but the three key aspects are:

1. 1. Depending on how duties are assigned, what form of supervision is present, and how often employee (or even ex-employee) work is audited, the damage they cause can take a long time to discover. Often, the longer it has been, the harder the damage is to reverse.
   2. Once discovered, the response can be difficult to execute. The employee in question can often easily claim it as a mistake, or (and again, depending on the division of labor and supervision) can even appear to be doing their job as usual if they’re considered the “expert” in that work.
   3. In any case, poor management policies usually leave the door open for disgruntled employees to do damage. Low-level staffers given admin access, third-party vendors provided with authority for data they don’t actually need, and login credentials for recently terminated staff members are all common and dangerous occurrences.

The fact is that misuse of privilege is often one of the most common ways for cybercriminals to penetrate a network. Either by tricking a user with administrative privileges to download and run malware or by elevating privileges on a compromised non-admin account, hackers regularly make use of this highly common unsafe business practice.

You need to have a carefully implemented process to track the lifecycle of accounts on your network.

• Follow a careful system for how accounts are created for new members, how their security is maintained and verified through their life, and how they are removed when no longer needed.
• Implement secure configuration settings (complex passwords, multi-factor authentication, etc.) for all accounts.
• Implement controls for login and use, such as lockouts for too many unsuccessful logins, unsuccessful login alerts, and automatic log-off after a period of inactivity

4. Penetration Testing

The penetration test is an authorized attack on your organization’s technology and staff and is one of the best ways to accurately evaluate your security controls. This allows you to double-check each and every aspect of your cybersecurity posture.

FINRA recommends running penetration tests both on a regular basis, as well as after key events – anything really that makes significant changes to your firm’s infrastructure, staffing, access controls, or other cybersecurity-based considerations.

5. Mobile Devices

Having your staff use their own personal devices for work means that you don’t have to pay for the technology they’d be using otherwise. Depending on the size of your practice, that could mean potential savings of thousands of dollars that would have been necessary to pay for tablets and work phones.

No matter what kind of cybersecurity you have in place at the office, it won’t extend to the mobile devices that have access to your data.

This is a critical limitation of your cybersecurity software, and it’s obvious when you think about it – if your firewall is only installed on your work devices, but you let employees use personal devices and home workstations to access business data, then obviously you won’t be totally secure.

Set a policy for when and how mobile devices will be used. Integrated into your internal network, these devices can be used to access, store, transmit, and receive business data.

You’ll need to have policies in place to regulate how employees use their devices to interact with sensitive data. Take the time to consider the risks associated with mobile device use, such as the potential for devices containing business data to be lost or stolen, infected with malware, or the potential for accidental disclosure of confidential information through sharing a device with a family member or connecting to an unsecured wireless network.

You also need to consider how mobile device use can pose risks to your data. A risk analysis will help you identify vulnerabilities in your security infrastructure, and help you determine the safeguards, policies, and procedures you’ll need to have in place.

Whether the devices in question are personal devices or provided by your Fort Lauderdale IT company, you will still need to have a clear idea of how they’re being used to communicate with your internal network and systems.

Assessments should be conducted periodically, especially after a new device is granted access, a device is lost or stolen, or a security breach is suspected.

Lastly, make sure you develop, document, and implement mobile device usage policies and procedures. Policies that are designed for mobile devices will help you manage risks and vulnerabilities specific to these devices.

These policies should include processes for identifying all devices being used to access business data, routinely checking that all devices have the correct security and configuration settings in place, whether or not staff can use mobile devices to access internal systems, whether staff can take work devices home with them, and how you will go about deactivating or revoking the access of staff members who are no longer employed.

Regardless of what type of cybersecurity solutions you put into place, they should be optimized for future technologies and content types. They also should be easy to update and scalable. Static or multiple standalone options that only target individual needs or requirements won’t be enough.

How Using Managed IT Services Saves You Money in the Long Term

Wondering how to make your business’ IT run better without costing more? One popular option to consider is managed IT services companies. 

Digitization. Network. Security. Mobile. As the average business sees more and more complexity in their IT requirements, it can become harder and harder to keep up with the necessary changes to protect your business’ interests and sensitive data. But what if the process could be easy without costing an arm and a leg? Managed IT services can provide this level of care, often at the same or even a lower cost than you would see using in-house employees. Here’s a quick look at how managed IT services can help make your business more efficient and effective.

How to Use Managed IT Services to Save You Money

Let’s start by defining what a managed IT service is and is not. A managed IT service provides you with a range of services. You pay a monthly subscription cost, and in exchange, the service takes care of your IT needs that are covered under those services. These services can include software updates, managed software-as-a-service options, backup services, website management and similar possibilities. Because they are responsible for these IT assets, these assets are carefully managed to provide you with optimum performance, security and efficiency.

Increase team efficiency by reducing downtime.

Well-run IT systems allow your employees to work at their highest levels of efficiency instead of focusing on computer problems and wasting their time updating systems and on hold with a help desk. Wouldn’t you rather have your people focusing on what your company is best at, promoting growth? When there’s a problem with your IT assets under your managed IT service, your employees don’t have to worry about fixing the problem – the managed IT service handles the entire process.

Every week, 140,000 hard drives fail. An estimated 44% of companies believe that an hour of downtime costs them about $10,000. Instead of having your companies having to stop their work and deal with distractions caused by an IT failure, they can simply continue on another device while the managed IT service takes care of the problem.

Enjoy peace of mind with better network and data security

Every day, we hear about another company that has had its data exposed through a security breach. In fact, in the first four months of 2018, over 260 million records containing sensitive data were exposed. You don’t want your company to be the source of the next big data breach, losing your company’s credibility and trustworthiness in the market, do you?

When you work with a managed IT service, their primary focus is making sure that your IT assets are current on all security patches, updates and anti-virus software, not the rest of the activities that your company undertakes. That allows you to focus on building your business, rather than about whether you’ll be one of the 60% of companies that go out of business within six months of a major data disaster.

Lower your company’s overall IT costs.

Though it seems counterintuitive that hiring out your company’s IT needs would save your business money, it’s actually been proven time and again. If you don’t hire a professional into your company, thinking it’s an unnecessary expense for a small business, then you’ll have employees wasting time trying to troubleshoot their own computer issues or waiting on hold for help desk personnel. Even if you do hire in a professional to handle your in-house work, how will they spend their time if there isn’t enough work to keep them occupied?

For these reasons, businesses typically find that the expense of a managed IT service is lower than that of trying to manage their own IT assets in-house. Because the managed service is only focused on the IT costs of your company and is focused on improving their own efficiency, these companies are focused on providing you with the most efficient service possible. They’re able to share the cost of education, new technology and equipment across a number of clients, reducing the cost.

As you can see, working with a well-run managed IT service can save your company time, money and potential risk. Are you ready to consider the options that are available to you? We offer a range of services, either in a package form or a la carte, should you only want help with a couple of areas. Please feel free to reach out today to discover how we can help your business get ahead through solid managed IT service solutions.

Do You Know the 4 Ways IT Outsourcing Improves Business Success?

Many small and mid-sized companies underestimate the drawbacks of not having top-tier IT professionals in place. These 4 benefits highlight the need for change.  

Are a business decision-maker wondering about when the best time to outsource your IT needs? It was yesterday, and you are already late to enjoy the benefits of working with a third-party tech outfit that specializes in IT managed services.

It’s not uncommon for small and mid-sized companies to operate under the assumption that modest IT needs do not warrant creating a budget line-item on their behalf. Some designate an in-house person with seemingly good computer skills to run virus scans and update applications. Other outfits hire a single technology person to handle the responsibility of overseeing their entire network. Both of these policies are inherently flawed for a variety of reasons. After reviewing the following 4 ways IT outsourcing helps your business, you may gain clarity as to why working with a third-party expert is in your best interest.

1: Removes Peripheral Distractions from Profitable Goal Achievement

As upstart organizations begin to grow into mid-level outfits, the visionaries that propelled their success forward are increasingly beset by issues that detract from primary goals. Budget management, contract negotiations, and supply chains are top-tier items that further a company’s profit-enhancing goals. Tackling these items tends to be a good use of time and energy. If industry leaders are also tasked with maintaining and repairing the tools of the trade, essential issues cannot enjoy the laser focus they deserve.

When an organization shuffles computer and network duties to an employee or even a designated in-house tech person, network problems become part of routine oversight. An experienced third-party managed services provider takes proactive measures to maintain and repair your devices and network without you lifting a finger. Your vision drives the organization. That’s why it’s crucial to all of the key stakeholders involved that IT distractions are a non-factor.

2: Improves Network Efficiency and Productivity

Imagine traveling the road of handing off-network duties to an untrained employee or a designated tech person. Now imagine they call in sick during a critical business productivity cycle. Imagine further, they take a two-week vacation. What happens when your network starts to suffer glitches or goes dark altogether? The answer is simple: You lose revenue.

The reality of owning or operating a business in the technology age is that networks never sleep, they don’t call in sick, and they don’t go on vacation. Maximum productivity and efficiency require organizations to have 24-7 managed IT services in place. When you negotiate an ongoing services agreement with an experienced IT contractor, they can conduct remote updates, scans, and effect problem solving anytime your network runs amok. But that will happen a lot less frequently because high-level maintenance is usually part of the outsourcing package. Experienced IT experts deliver the laser focus to systems that help make your organization successful.

3: Reduces Risk of Cyber Threats and Financial Losses

According to reports, more than 317 million pieces of malware were created in 2018 alone. To put that staggering number into perspective, nearly 100 infectious threats were developed daily. Now add that business risk to the fact that companies suffered financial losses above $600 billion in 2018 and that figure upticked by $100 billion from 2014.

Compounding the genuine risk of doing business with technology is that too many small and mid-sized organizations incorrectly assume that cybersecurity breaches are almost exclusively targeted at large corporations with vast assets. The common misconception may be attributed to heavy media coverage of the massive violations suffered by household-name corporations.

While billion-dollar cybertheft makes splashy headlines, the overwhelming majority of cybersecurity thieves targets small and mid-sized outfits. Hackers, who may be sitting in an internet café halfway around the world, search for subpar network defenses and attack. In plain terms, you are the low-hanging fruit ripe for the plucking.

Outsourcing IT security to a third-party provider improves your cyber defenses from among the weakest links to the strong. Having the latest anti-virus, anti-malware, and next-generation cybersecurity protections in place quietly takes you off hacker hit lists. If these nefarious computer thieves are anything, it’s lazy. They’ll move on from your network and attack someone less secure.

4: Keeps Technology on Cutting Edge

An effective business network enhances employee engagement and productivity. If that sounds like a pie-in-the-sky idea about working on computers, consider the alternative.

When emails are slow to download, or that tedious “buffering” icon spins around, employees tend to disengage from work-related tasks. One moment they are plugging along on your company desktop, the next they are checking text messages, and social media posts on their phone. When that happens, employee engagement and productivity is not diminished — it’s non-existent. It may be even more unsettling to know that experts say that it can take more than 20 minutes to get back on track after task disruption. Sadly, that unnecessary loss of productivity could have been avoided by outsourcing your IT needs to a professional.

Outsourcing Managed IT Services Improves Business Goal Achievement

Industry leaders require a laser-focus on profit-driving initiatives. Outsourcing an organization’s IT oversight saves time, money, and keeps everyone on task.  

Whether you are a decision-maker for an upstart, mid-sized, or large corporation, outsourcing IT support, maintenance, and cybersecurity oversight can improve your operation. Managed services conducted by a third-party outfit with experience and expertise, brings high-level knowledge to the table that most business team members lack.

That’s generally because industry leaders staff their organizations with people who deliver profit-driving benefits. Managing an in-house IT team tends to distract from the goal-achievement tasks that keep an operation competitive and successful. Owners, CEOs, and other captains of industry with heightened IT needs would be wise to consider these five benefits of outsourcing.

1: Risk Reduction

Every business operates with a certain degree of risk. Those risks include fines for not meeting changing government regulations or falling behind competitors in cost-effective technology applications, among others. But perhaps the greatest threat that businesses of all sizes and every sector face are data theft and hacks. Without a doubt, less-than-adequate cybersecurity applications, protocols, and employee preventative training present the greatest threat to your organization.

2: Cost Consistent Budgeting

Entrepreneurs working hard to grow fledgling operations often have thin budgets. Every dollar counts and financial constraints generally do not allow for overspending. People in the private sector are fully aware they cannot manage a thriving enterprise using the faulty methods of the federal government. Either you have the revenue, or you don’t.

Managed IT service contracts allow decision-makers to allot a specific sum toward computer network oversight. There are no excessive payroll taxes, or unexpected overtime hours to strain the company’s resources. You write one monthly check and renegotiate when your managed services agreement expires.

3: Heightened Expertise

Perhaps the greatest difference between hiring an in-house IT team and outsourcing is the improved access to specialized knowledge. Some small and mid-sized operations think it’s savvy to hire a recent technical school graduate who has been immersed in the latest trends and technologies. That thinking seems reasonable on its face.

But the inherent flaw is that your outfit often requires that person, or team, to focus exclusively on your system and operations. What you lose over time is their immersion in trends, new applications, heightened cybersecurity threats, and other pertinent issues. A third-party managed service provider invests its time, resources, and people into cutting-edge training. When a managed services expert reviews your system, they bring the latest knowledge to every task. It’s simply not cost-effective to pay an IT team and then have them attend far-away seminars for weeks at a time.

4: Avoid Potential Downtime

After cyber-theft and hacks, downtime ranks among the most costly setback a company can experience. Imagine for a moment, you are looking out over your offices and employees are unable to work because the system is down. Now imagine you are paying them to not perform the necessary tasks to meet the business’ financial necessities.

When you outsource your IT needs to a third-party provider, it’s not uncommon for them to conduct due diligence, and preventive maintenance while your profit-driving staff is not on the clock. Smooth functioning networks are a type of hidden benefit that companies gain by having 24-7 IT services.

5: Improved Business Focus

Goal-oriented thought leaders enjoy improved success when they are able to focus on the things that make a company successful. Unless you are running a managed services outfit, computer issues, cybersecurity, and managing an IT team is not the best use of your time and brainpower.

Business visionaries achieve goals and enjoy the fruits of their innovation and labor by maintaining a laser-focus on industry trends, cost reduction, improved production, services, and staying ahead of their sector’s learning curve. It’s essential not to get bogged down in seemingly peripheral issues such as IT. Maximizing your skillset and outsourcing IT maintenance and oversight to a professional is the smart play.

Maximizing budgetary resources in a way that delivers the cutting-edge IT needs of today’s business community may be best left to professionals. When industry leaders take the time to do the math on best practices and profitable outcomes, third-party managed IT services remain a tried-and-true practice.