Friday, August 08, 2014

SIFMA Offers Cybersecurity Guidance to Increasingly Targeted Small Financial Firms

[This story previously appeared in Securities Regulation Daily.]

By John Filar Atwood

Cyber criminals are increasingly targeting smaller companies, according to data compiled by security firm Symantec, and the Securities Industry and Financial Markets Association (SIFMA) is taking steps to help small financial firms ensure that they are adequately protected. SIFMA released guidance with eight action items for small companies that will improve their defenses against network intrusions.

Cyber attack statistics. Cyber attacks against companies with fewer than 250 employees accounted for 31 percent of all cyber attacks in 2012, according to Symantec, up from 18 percent the year before. In addition, research from Ponemon Institute indicates that small companies incur a higher cost per capita than larger organizations—$1,564 to $371, respectively—due to cyber attacks.

In response to this data, SIFMA has prepared cybersecurity guidance based on a framework developed by the National Institute of Standards and Technology (NIST). That framework is built around the five principles of identify, protect, detect, respond and recover, and SIFMA has tailored it to fit small financial firms.

In a press release, SIFMA advised firms to apply the best practices in the guidance in a risk-based, threat-informed approach based on the resources available and in support of the firm’s overall business model. SIFMA said that its goal is not compliance to a standard, but to increase firms’ cybersecurity and ensure the protection of their customers.

Action steps. Verizon’s 2013 data breach investigations report indicates that weak or stolen credentials were used in 76 percent of network intrusions and in each of the top five methods of hacking. Consequently, SIFMA drafted its guidance to help firms combat these intrusions. It acknowledged that the action steps will not protect against all types of attacks, but will defend against the most common ones.

SIFMA recommends that firms strictly enforce robust password security in accordance with NIST standards, and allow only trusted software to execute on operating systems through the use of application whitelists. Firms also should restrict administrative and privileged access to systems and data through preventative and detective controls to prevent unauthorized access or alteration of systems and/or data.

Another recommended action step is keeping anti-virus software, as well as web security software, up to date to reduce the risk of unintentional and intentional computer infection. SIFMA’s guidance also suggests that firms use trusted, up-to-date operating systems that meet common criteria. Using unsupported or outdated operating systems, such as Windows XP, presents risks to the network and critical data, SIFMA said.

Smaller firms should use automatic software updates and check that the updates are applied frequently to ensure software currency, and should invest in and use cloud or physical external hard-drive backup systems. Finally, SIFMA recommends that companies ensure that mobile devices are secure with passwords and the data is encrypted in the event of loss.