By Matt Hilsenrad, Director of Cybersecurity at Abacus Group
Data privacy should be at the forefront of any financial services firm’s priority list. Keeping your data, client information, and, by association, funds, secure will keep your business operational. Follow government guidance from organizations like CISA, the SEC, and FCA.
Utilize secure email configurations whenever possible. This includes requiring encryption with an appliance like Proofpoint, particularly for financial entities. Additional Abacus best practice configurations include SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) for email communication.
Treat each email with skepticism. If you are not sure of the sender or if something looks off, do not trust the content. Do not be afraid to verify with known associates that an email is legitimate, particularly with fund transfers. If the content of an email seems off, report and/or delete it.
Multi-factor authentication (MFA) is an important technical control and should be enforced wherever possible. MFA should not be limited to banks, financial institutions, or Abacus-managed accounts. Many companies, like Apple, Google, and Microsoft, offer MFA. Ensure that you approve MFA prompts only when you are certain you requested the logon.
Data availability is tied to data privacy. Have a plan in place to recover data when an incident occurs. Use top-tier vendors like Zerto or Veeam to protect your data in a ransomware scenario. Your BCP (Business Continuity Plan) and IRP (Incident Response Plan) should account for multiple situations where recovering your data is necessary.
Have strong processes in place, especially when funds are exchanged. This includes verbally acknowledging large transfers, not trusting personal email accounts, ensuring that third parties are who they say they are, and sticking to the runbook/policy every time.
Use internal policies to encourage user engagement! If your employees see something phishy, they should speak up. Praise participation in cybersecurity education, attention to detail, and diligence when completing forms. Make user training and phishing campaigns part of your defense-in-depth approach to cybersecurity, and make them mandatory at least once per year.