FINRA’s Cybersecurity Recommendations

If you want to be FINRA-compliant, then you need to make sure your firm is secure. However, neither effort is necessarily simple.

At first glance, FINRA requirements can be very complicated. At the same time, cybersecurity is a multi-faceted undertaking, involving hardware, software, and your users.

Do you know where to begin?


5 FINRA Best Practices For Your Firm To Follow

1. Don’t Forget About Branch Cybersecurity

No matter how secure your main location is, that defense doesn’t automatically extend to the branches you work with. As a part of your “supply chain”, branches need to be as secure as you are, because an attacker who compromises a branch with access to your systems has compromised you.

That’s the point of Written Supervisory Procedures (WSPs): they spell out, in writing, the controls every branch must meet so that branch security matches your primary location rather than being left to each branch’s discretion.

Double-check that your branches have the following in place:

  • Mandatory security controls
  • Notifications concerning issues and breaches
  • Accepted security settings and vendors
  • Assignment of duties and responsibilities pertaining to cybersecurity controls
  • Training curriculum and testing protocols

2. Defend Against Phishing

Phishing (like all social engineering techniques) relies on deception and urgency: the target is pushed to act before they have time to think.

It’s a method in which cybercriminals send fraudulent emails that appear to come from reputable sources (a bank, a vendor, an executive) in order to get recipients to reveal credentials or other sensitive information, or to execute significant financial transfers.

That’s why cybersecurity awareness training is becoming a more and more common part of modern IT services. The fact is that users are a key target for cybercriminals; the more they know about cybercrime tactics like phishing, the better defended your organization will be.

3. Don’t Make Assumptions

No matter how much you’ve invested in your cybersecurity, you can’t just assume it’s effective enough to protect you against cybercriminals. A key best practice for cybersecurity is to regularly test your measures to make sure they hold up in the event of an attack, and to identify any unseen vulnerabilities that are putting you at risk.

That’s why FINRA recommends running penetration tests (an authorized attempt to break through your organization’s cybersecurity defenses) both on a regular basis and after key events: anything that significantly changes your firm’s infrastructure, staffing, access controls, or other cybersecurity-relevant considerations.

4. Involve Your Staff In Cybersecurity

Do your employees have the knowledge they need to defend your firm?

If you’re not sure, then they may need training. Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites.

A comprehensive cybersecurity training program will teach your staff how to handle a range of potential situations:

  • How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
  • How to use business technology without exposing data and other assets to external threats by accident.
  • How to respond when you suspect that an attack is occurring or has occurred.

5. Keep Data Protected On Mobile Platforms

It’s no surprise that mobile devices are continuing to become a central and necessary part of the business world. What might be surprising is how unprepared some businesses are for that reality.

No matter what kind of cybersecurity you have in place at the office, it doesn’t automatically extend to the mobile devices that have access to your data.

This is a critical limitation, and it’s obvious when you think about it: if your firewall and endpoint protection are only installed on your work devices, but you let employees use personal devices and home workstations to access business data, then those unmanaged devices are outside your defenses.

That’s why you need to have the right mobile cybersecurity measures in place:

  • Virtual Private Network
    A VPN creates an encrypted tunnel between the device and your VPN gateway, so traffic crossing the Internet in between can’t be read or tampered with, whether the device is on its mobile data connection or on an unsecured retail Wi-Fi network while you’re in line for coffee. Even if attackers can intercept the traffic, the encryption means they can’t understand it or use it to their advantage. Note that the VPN protects only that hop; it does nothing for a device that is already infected or for what happens once the traffic leaves the gateway.
  • Find My Phone / Mobile Device Management
    Find-my-phone apps allow you to remotely locate a device. The more security-focused mobile device management (MDM) tools go further and let you take action to eliminate risks. The right monitoring software for mobile devices will address a number of dangerous scenarios, including:

    • Jailbroken or rooted company devices (detected and blocked from company data)
    • Unauthorized access to company data
    • Lost or stolen devices that need to be remotely wiped
  • Password Managers
    These programs store all of your passwords in one place, which is sometimes called a vault. Most can also generate strong, unique passwords for you and keep track of them, so the only password or passphrase you have to remember is the one for your vault. The downside is that if an attacker obtains your vault password, he or she has all of your passwords for all of your accounts, so the vault passphrase must be long and unique, and the vault itself should be protected with multi-factor authentication.
  • Multi-Factor Authentication
    Multi-Factor Authentication is a great way to add an extra layer of protection to existing system and account logins. 45% of polled businesses began using MFA in 2018, compared to 25% the year prior. By requiring a second piece of evidence, such as a randomly-generated numerical code, you’re better able to make sure that the person using your employee’s login credentials is actually who they say they are. Codes sent by text message are the weakest form, since attackers can hijack a phone number through SIM-swapping; codes from an authenticator app or a hardware security key are stronger. Biometrics like fingerprints, voice, or even iris scans are also options, as are physical objects like keycards.
