IT Companies In San Francisco Can Help With FINRA Cybersecurity Compliance
Being secure and being FINRA compliant are almost the same thing. FINRA’s all about protecting the customer’s information (and what happens when you can’t), which is really a matter of your cybersecurity. Whichever of the local IT companies in San Francisco you work with should be helping you stay compliant and secure - are they?
Whether you have expert support or not, the good news is that you don’t have to start from scratch on your own. FINRA has some resources available to help you develop effective and compliant cybersecurity, such as their Report On Selected Cybersecurity Practices.
Have you read and understood this resource?
A FINRA Cybersecurity Primer
Before we get to the recommended best practices, let’s examine the foundation of FINRA compliance. The bottom line is that compliance is determined by your firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information, then it means following these three regulations:
- Written Policy
Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
- Identity Theft Prevention
Regulation S-ID (17 CFR §248.201-202), which outlines a firm's duties regarding the detection, prevention, and mitigation of identity theft
- Data Storage
The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format
From there, we can examine the best practices that FINRA recommends…
5 Key Cybersecurity Best Practices Recommend By FINRA
1. Keep Data Safe Where Branches Are Concerned
Your onsite cybersecurity measures will not extend to the branch level. That’s why Written Supervisory Procedures (WSPs) are so important. They dictate exactly how branches are expected to protect data. Requirements could include:
- Mandatory security controls
- Notifications concerning issues and breaches
- Accepted security settings and vendors
- Assignment of duties and responsibilities pertaining to cybersecurity controls
- Training curriculum and testing protocols
2. Understand And Prevent Phishing Attacks
Phishing emails are typically crafted to deliver a sense of urgency and importance, tricking the user into doing what the cybercriminal wants them to. The message within these emails often appears to be from the government, a bank or a major corporation and can include realistic-looking logos and branding.
Phishing succeeds when a cybercriminal uses fraudulent emails or texts, and counterfeit websites to get the user to share their personal or business information like their login passwords, Social Security Number or account numbers. They do this to rob a user or organization of their identity and/or steal their money.
The key phishing’s effectivity is how unsuspecting the target is. The fact is that businesses aren't learning to protect themselves, which is why the number of reported phishing attacks has gone up by 65% in the past few years.
Unfortunately, many users aren’t skeptical enough to spot a scam. In fact, more than half of all Americans say they’ve been the victim of a scam. That’s why comprehensive security awareness training is so important - it teaches your staff members to identify phishing emails and learn how to contribute to your cybersecurity.
Cybersecurity awareness training is becoming a more and more common part of modern IT services. The fact is that users are a key target for cybercriminals; the more they know about cybercrime tactics, the better defended your organization will be.
3. Make Your Users A Cybersecurity Asset
More often than anything else, security isn’t a matter of antivirus software, or unhackable blockchains, or anything else like that. The truth is that security facets like that are surface-level – what's at the core of security?
The user. Think about it – how many times have you used a password that’s easy to remember, but not really secure enough for the information it’s supposed to protect? How often have you stayed logged in to an app out of convenience, even when it posed a theoretical security risk to the data accessible therein? When was the last time you misplaced a smartphone, or a tablet, or a laptop? If it belongs to the business you work for, have you considered what’s at risk?
This is why you need to have a carefully implemented process to track the lifecycle of accounts on your network.
- Follow a careful system for how accounts are created for new members, how their security is maintained and verified through their life, and how they are removed when no longer needed.
- Implement secure configuration settings (complex passwords, multi-factor authentication, etc.) for all accounts.
- Implement controls for login and use, such as lockouts for too many unsuccessful logins, unsuccessful login alerts, and automatic log-off after a period of inactivity
4. Confirm Your Cybersecurity Effectiveness
You can’t just assume your cybersecurity is effective - you need to test and find out for sure. Penetration testing is a valuable exercise in which you let one of the local IT companies in San Francisco attempt to break through your organization’s cybersecurity defenses, determining precisely where your vulnerabilities may be.
FINRA recommends running penetration tests both on a regular basis, as well as after key events – anything really that makes significant changes to your firm’s infrastructure, staffing, access controls, or other cybersecurity-based considerations.
5. Keep Data Protected On Mobile Platforms
It's no surprise that mobile devices are continuing to become a central and necessary part of the business world. What might be surprising is how unprepared some businesses are for that reality.
No matter what kind of cybersecurity you have in place at the office, it won’t extend to the mobile devices that have access to your data. This is a critical limitation of your cybersecurity software, and it’s obvious when you think about it – if your firewall is only installed on your work devices, but you let employees use personal devices and home workstations to access business data, then obviously you won’t be totally secure.
That’s why mobile security is so important. Maintaining mobile security isn’t just about having the right apps – it means following the right protocols, to eliminate unknown variables and maintain security redundancies:
- Review installed apps and remove any unused ones on a regular basis.
- Review app permissions when installing, and when updates are made.
- Enable Auto Update, so that identified security risks are eliminated as quickly as possible.
- Keep data backed up to the cloud or a secondary device (or both).
If you really want to, technically, you can ignore FINRA’s Report On Selected Cybersecurity Practices. But it wouldn’t be smart. This resource exists to help make FINA compliance simpler. Combined with expert support from one of your local IT companies in San Francisco, you achieve a cybersecurity and compliance posture robust enough that you don’t have to worry about it.
On Time Tech can help. Our team has experience successfully completing FINRA assessments, IT Security Audits, and delivering cybersecurity best practices consulting in both private and public sector environments of all sizes. Our streamlined assessment process can guide you through becoming compliant in as little as one day - all you have to do is reach out to our team.
Like this article? Check out the following blogs to learn more:
2020 Outlook: Why Are Countries Such as China Sponsoring Cyberterrorism Against Their Enemies?
The Cybersecurity Threats from China No One is Talking About
Cloud Security: Is the Cloud Safe to Store Your Data In?
.png?width=288&height=123&name=Valeo-Logo-White%20(1).png){kind=logo}