The financial and energy sectors are among the most commonly targeted industries for cyberattack, and they’ve built amazing cyber defenses.
When looking for network security best practices, a federal task force went straight to experts in both industries to find what defenses worked best.
Formed by the U.S. Congress, the Health Care Industry Cybersecurity (HCIC) Task Force published its results in the Report on Improving Cybersecurity in the Health Care Industry in June 2017.
The team focused on security best practices from the finance and energy sectors for a few reasons:
Below we highlight five cybersecurity best practices noted in the Task Force’s report.
Information security practices should not be random and ad hoc. A system of governance must be in place to efficiently manage threats and risks.
In the financial services sector, about 90% of organizations follow a cybersecurity framework that includes:
Compliance is not security
Organizations in industries such as retail or healthcare may think they are following this network security best practice. Compliance with PCI DSS or HIPAA should have you covered, right?
Not exactly – HIPAA and PCI are regulatory frameworks. They are not comprehensive security standards. Following them will ensure compliance but not necessarily security.
We recommend the NIST 800-171 framework for most organizations.
Also, in August, NIST published an updated 800-53 framework, the larger framework on which the 171 version is based.
Information sharing is a crucial network security best practice that empowers security professionals and services such as anti-virus software to identify and block threats.
This best practice requires ongoing coordination with those who experience cyber threats and those who create security solutions.
In financial services, about 60% of large institutions participate in information sharing to track and disseminate data on cybersecurity threats and vulnerabilities.
Only about 25% of small financial organizations participate in an information sharing organization.
The industry has its own entity for this purpose: the Financial Services Information Sharing and Analysis Center. It provides subscription feeds and resources from the government and member organizations.
To learn more, check out NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing. It has guidelines for creating and maintaining info-sharing relationships.
This best practice almost goes without saying. Technology, of course, plays an important role in stopping cyber threats.
Everything from network firewalls to VPN tunnels and anti-virus software – it all helps defend against threats and monitor, isolate, and log them.
According to the report, the vast majority of financial service organizations use the following tools:
AccessEnforcer UTM Firewall helps check several of these best practices off your list.
Reviewing and testing the assets on the network and their connections helps organizations establish a baseline for normal activity to guide monitoring efforts. This makes it easier to detect threats.
A confidence-inspiring 100% of large and medium financial organizations surveyed report using penetration testing.
About 91% of small financial organizations also reported following this network security best practice.
The numbers are less encouraging when we dive further. Only 80% of organizations conduct such tests annually.
Help and guidelines for assessments are published in the Cyber Security Assessment Tool from the Federal Financial Institutions Examination Council. The tool was updated in May 2017.
Cyber security defenses are only as strong as the weakest link in the chain. If your chain is full of vendors and partners with lax security standards – then you need to limit your exposure to them—or get them to shape up.
Either way, for third parties who have access to critical systems and networks, you should have a way to confirm they are adhering to security best practices and will take responsibility for using your systems responsibly.
One way is to require third parties to conduct a risk assessment and provide you with the results.
In addition to the assessment tool linked above, NIST also has a Guide for Conducting Risk Assessments.
In financial services, 84% of broker-dealers require cybersecurity risk assessments of their vendors, if the vendors have access to the firm’s networks. However, only 32% of advisors require the same.
Security incidents are inevitable – and you can safely bet a data breach is in your future as well. You must plan ahead, expect the worst, and have practices in place to minimize the damage and accelerate your recovery.
Set clear actions to take in response to threats, and define a chain of command for when crisis strikes. Also define a chain of command with partners and other important contacts – so you know who to call when problems arise.
You can find more information in the NIST Guide for Cybersecurity Event Recovery published in Dec. 2016.