IT Company In Spokane Can Help You Comply With FINRA’s Cybersecurity Best Practices
FINRA compliance and cybersecurity are very closely related for financial firms like yours. If you want to be FINRA compliant, then you need to be secure, simple as that. Your IT company in Spokane should be supporting your compliance and cybersecurity – are they?
The good news is that FINRA doesn’t expect you to do this all on your own. They periodically release resources to help you make sure your cybersecurity is effective, such as their Report On Selected Cybersecurity Practices, released in December of 2018.
The bad news is that these resources aren’t always easy to understand, and their recommendations and requirements aren’t always easy to implement. But it’s still important to do so – do you understand what FINRA expects of your financial firm’s cybersecurity?
Understanding FINRA’s Cybersecurity Best Practices
To start, let’s touch base on what are considered to be the most high-level, and foundational aspects of FINRA compliance. In a nutshell, if compliance is determined by your firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information, then it means following these three regulations:
- You Need A Written Policy: Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
- You Need To Protect Against Identity Theft: Regulation S-ID (17 CFR §248.201-202), which outlines a firm’s duties regarding the detection, prevention, and mitigation of identity theft
- Your Data Needs To Be Stored The Correct Way: The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format
That’s the simplest way to look at it. Implementing best practices in order to comply with these regulations is a little more complicated…
The Changing Nature Of Cybersecurity (And How Your IT Company In Spokane Can Help)
One of the most frustrating aspects of cybersecurity is that it’s always changing. Wouldn’t it be so much easier if you could invest in a set of cybersecurity solutions and never have to think about them again?
Unfortunately, that’s not how it works – cybersecurity and cybercrime are locked in an ongoing arms race, with one side developing better defenses, and the other side figuring out how to penetrate them, day after day, year after year.
Cybercriminals are constantly coming up with new ways to hack into newer generations of systems and newer types of technologies. The use of cloud services and mobile devices in the modern workplace only makes this more complicated.
This is why FINRA has to release resources like their Report On Selected Cybersecurity Practices – it recognizes that cybersecurity is fluid, and needs updating in order to protect against newer threats.
What Cybersecurity Practices Does FINRA Recommend?
1. Protect Data At The Branch Level
The fact is that your onsite cybersecurity measures will not protect your data at the branch level. That’s why Written Supervisory Procedures (WSPs) are so important. They dictate exactly how branches are expected to protect data. Requirements could include:
- Mandatory security controls
- Notifications concerning issues and breaches
- Accepted security settings and vendors
- Assignment of duties and responsibilities pertaining to cybersecurity controls
- Training curriculum and testing protocols
2. Protect Against Phishing
Phishing emails are typically crafted to deliver a sense of urgency and importance, tricking the user into doing what the cybercriminal wants them to. The message within these emails often appears to be from the government, a bank or a major corporation and can include realistic-looking logos and branding.
Phishing succeeds when a cybercriminal uses fraudulent emails or texts, and counterfeit websites, to get the user to share their personal or business information, such as login passwords, Social Security Numbers or account numbers. They do this to rob a user or organization of their identity and/or steal their money.
The key to phishing’s effectiveness is how unsuspecting the target is. The fact is that businesses aren’t learning to protect themselves, which is why the number of reported phishing attacks has gone up by 65% in the past few years.
Unfortunately, many users aren’t skeptical enough to spot a scam. In fact, more than half of all Americans say they’ve been the victim of a scam. That’s why comprehensive security awareness training is so important – it teaches your staff members to identify phishing emails and learn how to contribute to your cybersecurity.
Cybersecurity awareness training is becoming a more and more common part of modern IT services. The fact is that users are a key target for cybercriminals; the more they know about cybercrime tactics, the better defended your organization will be.
3. Protect Your Firm From Its Users
More often than anything else, security isn’t a matter of antivirus software, or unhackable blockchains, or anything else like that. The truth is that security facets like that are surface-level – what’s at the core of security?
The user. Think about it – how many times have you used a password that’s easy to remember, but not really secure enough for the information it’s supposed to protect? How often have you stayed logged in to an app out of convenience, even when it posed a theoretical security risk to the data accessible therein? When was the last time you misplaced a smartphone, or a tablet, or a laptop? If it belongs to the business you work for, have you considered what’s at risk?
This is why you need to have a carefully implemented process to track the lifecycle of accounts on your network.
- Follow a careful system for how accounts are created for new members, how their security is maintained and verified through their life, and how they are removed when no longer needed.
- Implement secure configuration settings (complex passwords, multi-factor authentication, etc.) for all accounts.
- Implement controls for login and use, such as lockouts after too many unsuccessful logins, alerts on unsuccessful logins, and automatic log-off after a period of inactivity.
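The login controls listed above (lockout after repeated failures, an alert on every failed attempt, and automatic log-off after inactivity) are easy to state and easy to get subtly wrong. The following is an added example, not code from FINRA or Philantech3, showing one self-contained way to model those three controls for a single account. The thresholds (5 failed attempts, a 15-minute lockout, a 10-minute idle timeout) are assumed values chosen for illustration, not numbers FINRA prescribes.

```python
"""Account login controls: lockout, failed-login alerts, idle log-off.

Constructed example (not FINRA's or Philantech3's code). Timestamps are
plain unix-time floats passed in by the caller so the logic can be tested
without a clock. Thresholds below are assumed, not regulatory values.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 5          # assumed: lock after this many failures
LOCKOUT_SECONDS = 15 * 60        # assumed: how long the lockout lasts
IDLE_TIMEOUT_SECONDS = 10 * 60   # assumed: auto log-off after this idle time


@dataclass
class Account:
    username: str
    failed_attempts: int = 0
    locked_until: Optional[float] = None    # unix time; None = not locked
    last_activity: Optional[float] = None   # unix time; None = no session
    alerts: List[str] = field(default_factory=list)  # what an SOC would see


def is_locked(acct: Account, now: float) -> bool:
    """True while the lockout window is still in force."""
    return acct.locked_until is not None and now < acct.locked_until


def record_login_attempt(acct: Account, success: bool, now: float) -> str:
    """Apply the lockout and alerting policy to one login attempt.

    Returns "ok", "failed" or "locked". Note that a correct password is
    still refused while the account is locked; that is the point of the
    control, and the attempt is alerted on because it is suspicious.
    """
    if is_locked(acct, now):
        acct.alerts.append(f"{acct.username}: attempt while locked at {now:.0f}")
        return "locked"
    if acct.locked_until is not None:
        # Lockout has expired: clear it and start counting afresh.
        acct.locked_until = None
        acct.failed_attempts = 0
    if success:
        acct.failed_attempts = 0
        acct.last_activity = now       # session starts now
        return "ok"
    acct.failed_attempts += 1
    acct.alerts.append(
        f"{acct.username}: failed login #{acct.failed_attempts} at {now:.0f}")
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.alerts.append(
            f"{acct.username}: locked out until {acct.locked_until:.0f}")
        return "locked"
    return "failed"


def touch_session(acct: Account, now: float) -> str:
    """Call on every request; ends the session if it has been idle too long.

    Returns "active", "logged_off" or "no_session".
    """
    if acct.last_activity is None:
        return "no_session"
    if now - acct.last_activity > IDLE_TIMEOUT_SECONDS:
        acct.last_activity = None      # force re-authentication
        return "logged_off"
    acct.last_activity = now
    return "active"


if __name__ == "__main__":
    acct = Account("alice")
    for t in range(5):
        print(record_login_attempt(acct, False, 100.0 + t))
    print(record_login_attempt(acct, True, 106.0))    # correct password, still locked
    print(record_login_attempt(acct, True, 1005.0))   # lockout expired -> ok
    print(touch_session(acct, 1305.0))                # active
    print(touch_session(acct, 1906.0))                # idle > 10 min -> logged_off
    print("\n".join(acct.alerts))
```

Two design points worth noting: the lockout is enforced before the password is checked, so a correct password during the lockout window is still refused and logged, and the idle timeout clears the session rather than silently extending it. In a real deployment the `alerts` list would feed a SIEM or ticketing system instead of living in memory.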
4. Test Your Defenses
You can’t just assume your cybersecurity is effective – you need to test and find out for sure. Penetration testing is a valuable exercise in which you let an IT company in Spokane attempt to break through your organization’s cybersecurity defenses, determining precisely where your vulnerabilities may be.
FINRA recommends running penetration tests both on a regular basis, as well as after key events – anything really that makes significant changes to your firm’s infrastructure, staffing, access controls, or other cybersecurity-based considerations.
5. Protect Your Data On Mobile Devices
It’s no surprise that mobile devices are continuing to become a central and necessary part of the business world. What might be surprising is how unprepared some businesses are for that reality.
No matter what kind of cybersecurity you have in place at the office, it won’t extend to the mobile devices that have access to your data. This is a critical limitation of your cybersecurity software, and it’s obvious when you think about it – if your firewall is only installed on your work devices, but you let employees use personal devices and home workstations to access business data, then obviously you won’t be totally secure.
That’s why mobile security is so important. Maintaining mobile security isn’t just about having the right apps – it means following the right protocols, to eliminate unknown variables and maintain security redundancies:
- Review installed apps and remove any unused ones on a regular basis.
- Review app permissions when installing, and when updates are made.
- Enable Auto Update, so that identified security risks are eliminated as quickly as possible.
- Keep data backed up to the cloud or a secondary device (or both).
You can’t afford to overlook these best practices. Not just because it involves your FINRA compliance, but also because it’s a matter of protecting your firm’s data. If you need help with FINRA compliance or your cybersecurity in general, reach out to an IT company in Spokane like Philantech3 – we have experience working with financial firms like yours in managing compliance and cybersecurity best practices.
Philantech3 is a complete IT services & IT support company working with organizations in Spokane.