5 Steps to Acing Cybersecurity Audit Exams
As fintech evolves and becomes more widespread, regulatory agencies are emphasizing cybersecurity to ensure that firms are protecting their customer and client information.
Both FINRA and the SEC are focusing on more than just anti-money laundering and books and records these days. They’re also increasingly examining firms’ abilities to mitigate and prevent cyber threats.
No matter how small a firm may be, being audited is always a possibility. Here are five strategies firms can use to reduce exposure to cyber threats — and ensure compliance.
1. Create an information security policy
Firms already know to have written supervisory procedures (WSPs) to define approved business activities and how those activities are monitored, reviewed and corrected. Similarly, firms should also have an information security policy, which is one of the first things tech-savvy auditors will ask to examine.
This policy establishes rules and guidelines to dictate how information technology assets and resources should be used, managed and protected. Key tips for creating an information security policy can include:
- Working with reputable privacy law firms
- Auditing all third-party technology vendors
- Avoiding using freeware
- Looking into cyber-security insurance
While documenting a policy is important, it’s also critical to have an enforcement and management strategy.
2. Practice simple device hygiene
With more offices shifting to hybrid work environments, it’s more important than ever for employees to lead the charge in protecting sensitive information. Many strategies to minimize accidental information leaks that work in the office can also work when employees are remote.
Employees should continue to:
- Lock device screens when they’re not using the device — and set their devices to automatically lock screens after 15 minutes of inactivity
- NOT install peer-to-peer software
- Enable antivirus, malware and firewall applications
- Only use trusted Wi-Fi networks
- Use a VPN
Firms should also ensure their IT departments keep employee devices updated, including:
- Pushing OS updates or enabling automatic updates
- Taking inventory of all software installed on devices used for business
- Updating antivirus and malware definitions
IT should make it a point to check device settings weekly if not daily. This should be an ongoing project – not something that’s left for critical moments like an audit.
3. Use password management tools
Creating secure passwords is straightforward. Strong passwords often are:
- At least eight characters (the more the better)
- Complex, with a mix of lowercase, uppercase, numbers and symbols
- Routinely changed every two months
However, the challenge most people have is creating unique passwords for each account. As the financial industry becomes increasingly tech-savvy, employees will use a broader set of tools — each with their own set of login credentials.
Password managers are a great way to keep track of all the different passwords employees use throughout the day. A password manager acts as an encrypted digital vault that stores secure password login information to access apps and accounts on mobile devices, websites and other services.
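Added example (not code from the post): a small Python audit over a constructed password-manager export that checks the three criteria above and flags the cross-account reuse problem this paragraph describes. The 60-day reading of "every two months", the record format and the sample accounts are assumptions.

```python
import hashlib
import re
from datetime import date

# Policy values from the post: at least 8 characters, a mix of lowercase, uppercase,
# digits and symbols, rotation every two months (assumed 60 days), one password per account.
MIN_LENGTH = 8
MAX_AGE_DAYS = 60
CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def password_findings(password, last_changed, today):
    """Policy violations for a single credential (empty list = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"too short ({len(password)} < {MIN_LENGTH})")
    missing = [name for name, rx in CLASSES.items() if not rx.search(password)]
    if missing:
        findings.append("missing " + ", ".join(missing))
    age = (today - last_changed).days
    if age > MAX_AGE_DAYS:
        findings.append(f"rotation overdue ({age} days, limit {MAX_AGE_DAYS})")
    return findings

def audit_vault(entries, today):
    """Audit vault records; returns {account: [findings]}. Reuse is found by comparing digests so no secret is reported."""
    report, by_digest = {}, {}
    for e in entries:
        report[e["account"]] = password_findings(e["password"], e["last_changed"], today)
        digest = hashlib.sha256(e["password"].encode()).hexdigest()
        by_digest.setdefault(digest, []).append(e["account"])
    for accounts in by_digest.values():
        if len(accounts) < 2:
            continue
        for acct in accounts:
            report[acct].append("reused on " + ", ".join(sorted(a for a in accounts if a != acct)))
    return report

# Constructed sample vault export for the demo (not real credentials).
AUDIT_DATE = date(2024, 7, 1)
SAMPLE_VAULT = [
    {"account": "crm", "password": "Tr0ub4dor&3", "last_changed": date(2024, 5, 1)},
    {"account": "email", "password": "Tr0ub4dor&3", "last_changed": date(2024, 6, 20)},
    {"account": "hr-portal", "password": "summer2024", "last_changed": date(2024, 6, 20)},
    {"account": "vpn", "password": "kV9#pLm2$wQz", "last_changed": date(2024, 6, 20)},
]
```

Running `audit_vault(SAMPLE_VAULT, AUDIT_DATE)` reports the shared credential on both accounts that use it, the overdue rotation on the older one, and the missing character classes on the weak one, while the compliant account gets an empty list.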
4. Use encrypted networks
Employees working remotely can no longer rely on their office’s network to protect transmitted data. Remote employees should:
- Only connect to WPA2-enabled Wi-Fi networks
- Use SSL or IPsec VPN connections
- Use secure remote desktop tools
While working from anywhere is gaining ground, employees should never use free Wi-Fi networks for transacting business. When using an approved mobile Wi-Fi hotspot, employees should also use a VPN service.
5. Utilize full encryption on all devices
One of the risks of working remotely is that devices such as laptops, tablets and smartphones — while mobile and convenient — are easier to misplace or be stolen.
By enabling device encryption, firms ensure that data stored on a device can be accessed only by people who are authorized to do so.
- Use approved full-disk encryption on all devices
- Disk/volume encryption is better than file-level encryption
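Added example, not code from the post: a Python checker that applies the device-hygiene, network and encryption items from steps 2, 4 and 5 to constructed endpoint-inventory records, the kind of weekly check the text says IT should run. The seven-day definitions limit, the peer-to-peer software list and the record format are assumptions.

```python
from datetime import date

# Checklist values from the post: auto-lock after at most 15 minutes, no peer-to-peer
# software, antivirus and firewall on, OS updates current, only WPA2 (or newer) Wi-Fi,
# full-disk encryption on. The definitions-age limit and P2P name list are assumptions.
MAX_LOCK_MINUTES = 15
MAX_DEFINITION_AGE_DAYS = 7
P2P_SOFTWARE = {"bittorrent", "utorrent", "emule", "limewire"}  # illustrative denylist
ACCEPTED_WIFI = {"WPA2", "WPA3"}
BOOLEAN_CONTROLS = [  # (inventory field, finding reported when the field is False)
    ("antivirus_enabled", "antivirus disabled"),
    ("firewall_enabled", "firewall disabled"),
    ("auto_updates", "automatic OS updates off"),
    ("full_disk_encryption", "full-disk encryption off"),
]

def device_findings(dev, today):
    """Return the checklist items one device record fails (empty list = compliant)."""
    f = []
    lock = dev["screen_lock_minutes"]
    if lock is None or lock > MAX_LOCK_MINUTES:
        f.append("screen lock timeout missing or above 15 minutes")
    p2p = sorted(s for s in dev["software"] if s.lower() in P2P_SOFTWARE)
    if p2p:
        f.append("peer-to-peer software installed: " + ", ".join(p2p))
    for field, finding in BOOLEAN_CONTROLS:
        if not dev[field]:
            f.append(finding)
    if (today - dev["definitions_updated"]).days > MAX_DEFINITION_AGE_DAYS:
        f.append("antivirus definitions stale")
    weak = sorted(n for n, sec in dev["wifi_networks"].items() if sec not in ACCEPTED_WIFI)
    if weak:
        f.append("weak or open Wi-Fi profiles saved: " + ", ".join(weak))
    return f

def audit_fleet(devices, today):
    """Map each device name to its findings; compliant devices get an empty list."""
    return {d["name"]: device_findings(d, today) for d in devices}

# Constructed inventory export for the demo (not real hosts).
AUDIT_DATE = date(2024, 7, 1)
SAMPLE_DEVICES = [
    {"name": "LT-001", "screen_lock_minutes": 10, "software": ["Excel", "Outlook"],
     "antivirus_enabled": True, "firewall_enabled": True, "auto_updates": True, "full_disk_encryption": True,
     "definitions_updated": date(2024, 6, 29), "wifi_networks": {"Office-Corp": "WPA2"}},
    {"name": "LT-002", "screen_lock_minutes": 30, "software": ["uTorrent", "Outlook"],
     "antivirus_enabled": True, "firewall_enabled": False, "auto_updates": False, "full_disk_encryption": False,
     "definitions_updated": date(2024, 6, 1), "wifi_networks": {"Office-Corp": "WPA2", "CoffeeShop": "OPEN"}},
]
```

`audit_fleet(SAMPLE_DEVICES, AUDIT_DATE)` returns an empty list for the compliant laptop and seven findings for the other, which is the per-device evidence an auditor asks to see.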
Ready to secure your organization?
Your firm may not face a cyber audit in the near future, but it’s a near certainty that it’s under threat of cyberattacks.
Learn how you can protect your organization with end-to-end monitoring, remediation and reporting on cyber risk.