Data audits aren’t just best cybersecurity practice – they are New York law
When news of a data breach breaks, the fear that looms largest on consumers’ minds is whether any financial information was compromised. If the company that was attacked is in the financial sector, that fear climbs to even greater heights.
Credit card details, password information, bank account data, trading partners – that’s just the tip of the proverbial iceberg of sensitive data that’s stored and regularly accessed by financial services companies on private and public networks. Unfortunately, this valuable information is a prime target of cybercrime – the financial services industry is attacked 65 percent more often than any other sector, according to IBM’s latest Security Trends in the Financial Services Sector report.
More than 200 million records were breached in 2016, a staggering 937 percent increase over the previous year, the report found.
Faced with these alarming statistics, financial services companies are scrambling for ways to bolster their cybersecurity arsenal and prove to their customers that they are doing everything possible to protect private information. Federal and state lawmakers are also cracking down on cybersecurity lapses in the financial sector, slapping hefty fines on companies they believe ignored red flags or failed to take proper precautions to prevent cyber-attacks.
It’s no surprise that 23 NYCRR 500, New York’s first-in-the-nation cybersecurity law, specifically targets financial services, already one of the world’s most regulated markets. The new law, which is expected to serve as a model for national cybersecurity regulations, requires any company that reports to the state’s Department of Financial Services (DFS) to meet robust cybersecurity requirements. Federal laws impose mandates as well – the Gramm-Leach-Bliley Act, for example, requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
But in an industry that’s under cyber siege, how can financial services companies ensure that their information systems remain ready to confront evolving threats from increasingly sophisticated hackers?
New York lawmakers believe the answer lies in regular data audits. Companies covered by 23 NYCRR 500 must regularly assess their information systems and submit an annual report that proves to DFS that their cybersecurity program meets the mandate of the new law and is addressing any new vulnerabilities that were detected.
What is a data audit?
The goal of a data security audit is to identify and fix vulnerabilities in a company’s systems and applications before hackers can exploit them. TechTalk compares it to measuring the health of human beings through magnetic resonance imaging or blood analysis.
In today’s high-tech world, technology changes much faster than business policies, and software vulnerabilities are discovered daily. A regular data audit by an objective third party such as a cybersecurity vendor can help ensure that your company is using best practices to keep sensitive information safe. The key components of these audits include running security tests, developing an assessment report, resolving problems, and continuing to oversee compliance.
Which of my systems should be tested?
All of them. All it takes is one seemingly benign system, network segment, or security process to put everything else at risk. The scope of your audit should include external systems, internal systems, and systems hosted by third parties in the cloud, such as your CRM or Web site. Nothing should be off-limits, including your people, processes, and policies.
It is especially important to perform authenticated security testing, that is, testing the security practices of trusted users. Most data breaches are the fault of employees and contractors; even employees with good intentions do not always follow best practices. Careless users may not intend to access data for malicious purposes, but actions such as using login credentials from an unsecured device or logging off improperly can just as easily leave your network vulnerable to cyber-attacks.
What should the testing include?
Put simply, the main objective of audit testing is to look at your company’s systems from the perspective of a malicious user. Its goal is to expose weaknesses in your environment and demonstrate how they can be breached so they can be resolved. Initial testing can include vulnerability scans that aim to identify issues. That might include email phishing, password cracking, and wireless network analyses. There is a laundry list of other important areas for auditors to explore, such as reviewing the router configuration and logging procedures, documenting the disaster recovery process for the firewall and operating system, and reviewing the firewall’s configuration to evaluate possible exposures to unauthorized network connections.
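One of the audit areas listed above is reviewing the firewall’s configuration for exposure to unauthorized connections and checking that logging is in place. The script below is an added example, not code from the article or from CyberGuard360: it walks a constructed ruleset (the rule fields, the sample rules and the list of sensitive ports are all assumptions for the demonstration) and reports the exposures an auditor would want flagged, ranked by severity so they can feed a prioritized risk report.

```python
"""Firewall ruleset review for an audit: flag any-source access to
sensitive services, blanket allow rules, and rules that do not log.
Added example; rule format and port list are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Services that should almost never be reachable from any source.
# Assumed list for the example; tailor it to the environment under audit.
SENSITIVE_PORTS = {
    22: "SSH", 23: "Telnet", 445: "SMB", 1433: "MSSQL",
    3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL",
}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class Rule:
    rule_id: int
    action: str   # "allow" or "deny"
    src: str      # source CIDR, or "any"
    dst: str      # destination CIDR, or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # "443", "1000-2000" or "any"
    log: bool     # whether matches are logged


def port_range(spec: str) -> Tuple[int, int]:
    """Expand a port specification into an inclusive (low, high) range."""
    if spec == "any":
        return 1, 65535
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def is_any_source(cidr: str) -> bool:
    """True when the source matches every address (0.0.0.0/0, ::/0 or 'any')."""
    if cidr == "any":
        return True
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Return (rule_id, severity, message) findings, highest severity first."""
    findings = []
    for r in rules:
        lo, hi = port_range(r.port)
        if r.action == "allow" and is_any_source(r.src):
            if (lo, hi) == (1, 65535):
                findings.append((r.rule_id, "HIGH", "allow-all from any source"))
            if r.proto in ("tcp", "any"):
                for p, name in SENSITIVE_PORTS.items():
                    if lo <= p <= hi:
                        findings.append((r.rule_id, "HIGH", f"{name} (tcp/{p}) exposed to any source"))
        if not r.log:
            # Unlogged allows hide what got in; unlogged denies hide what was attempted.
            sev = "MEDIUM" if r.action == "allow" else "LOW"
            findings.append((r.rule_id, sev, f"{r.action} rule without logging"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))


# Constructed sample ruleset (not a real configuration).
SAMPLE_RULES = [
    Rule(10, "allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", "443", True),    # public HTTPS: fine
    Rule(20, "allow", "0.0.0.0/0", "203.0.113.20/32", "tcp", "3389", False),  # RDP from anywhere, unlogged
    Rule(30, "allow", "10.0.0.0/8", "10.20.0.5/32", "tcp", "5432", True),     # internal DB access: fine
    Rule(40, "allow", "any", "203.0.113.0/24", "any", "any", True),           # blanket allow into the DMZ
    Rule(50, "deny", "any", "any", "any", "any", False),                      # default deny, but unlogged
]

if __name__ == "__main__":
    for rule_id, severity, message in audit_rules(SAMPLE_RULES):
        print(f"rule {rule_id:>3}  {severity:<6} {message}")
```

Rule 10 produces no finding because exposing HTTPS on a single host is expected; rule 40 produces one finding for the blanket allow plus one per sensitive service it reaches, which is what makes a broad rule show up at the top of the prioritized list rather than hiding behind a single line item.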
New York’s new regulations require vulnerability assessments like systematic scans to be performed twice a year. The law also mandates that companies conduct annual penetration testing to evaluate system security. A cybersecurity professional can help you condense the results of your testing into a clear, concise risk analysis report that outlines and prioritizes the areas that need attention.
What do I do with the results?
A trusted cybersecurity company can help you strengthen your defenses against cybercrimes based on the results of your data audit. Many financial services companies are finding that potential partners and customers, frightened by the frequency of data breaches, insist upon seeing the results of an audit before they will agree to do any business that could put their assets at risk.
Achieving cybersecurity gold standards can also have a major impact on your bottom line. Cyber-attacks cost the average U.S. business, including enterprises, more than $7 million, according to the latest research by the Ponemon Institute. Small businesses face average costs from a breach of $36,000 to $50,000+. Not surprisingly, 60 percent of businesses are forced to close their doors after a significant breach.
What happens after the data audit?
In today’s constantly changing threat landscape, continued oversight is required to ensure ongoing security between data audits. That might include something as simple as tweaking existing software, or a thorough update of your policies and processes. Although it is impossible to prevent every breach, the best cybersecurity measures can quickly spot and shut down attacks before they become full-blown breaches – a critical advantage since every record that’s lost costs companies more money.
Consider: insider involvement accounted for 58 percent of data breaches at financial services companies in 2016, according to the IBM study. Human error proved to be their biggest cybersecurity flaw, with 53 percent of the attacks caused by careless mistakes such as employees falling victim to phishing scams that install malware. By performing regular data audits, financial services companies can identify these and other easy-to-solve weaknesses before they lead to much bigger problems.
CyberGuard360’s clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, and training and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.