6 Cyber Security Tips for Financial Institutions

The increasing number and sophistication of cyber-related attacks has raised a new level of awareness and the need to strengthen cyber security controls. According to Verizon’s 2015 Data Breach Investigations Report (DBIR), the Financial Services sector was one of the top three industries most affected by cyber security breaches in 2015. Some of the breaches reported by financial institutions involved phishing, malware, unpatched systems, denial of service attacks, and weaknesses in the management of third party service providers.

Due to the increase in cyberattacks targeting the financial sector, and following a Presidential Executive Order for Improving Critical Infrastructure Cybersecurity, the Office of the Comptroller of the Currency (OCC) provided guidance requiring financial institutions to perform cyber security assessments. The Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessment Tool (CAT) in July 2015 to help financial institutions determine their level of cybersecurity preparedness. The National Institute of Standards and Technology (NIST) also published a Framework for Improving Critical Infrastructure Cybersecurity, which serves as the basis for reviewing, assessing and implementing the security controls needed to enhance an organization’s cyber security posture. The CAT provides guidelines for determining an organization’s inherent risk profile and cybersecurity maturity, for ensuring that its baseline levels of maturity are consistent with legal and regulatory requirements, and for helping to minimize risk.

Whether as a direct result of cybersecurity attacks or because of new regulations, financial institutions should reassess their security posture and make every effort to implement strong security controls in order to safeguard sensitive information, maintain compliance with laws and regulations, and manage risk.

The following are a few tips for improving your organization’s Cyber Security posture:

  • Assess the risk: Perform a Security Risk Assessment to identify weaknesses and vulnerabilities and to assess threats and attack vectors. The risk assessment will help you determine the inherent risk profile of your organization, and it will help you develop a strategy for implementing security controls that enhance your security posture. Performing a risk assessment is an essential part of building and maintaining a strong security program.
  • Define security controls: Develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include:
    1. Appropriate consideration of prevention, detection and response mechanisms.
    2. Implementation of the least permissions and least privilege concepts.
    3. Layered controls that establish multiple control points between threats and organization assets.
  • Perform periodic audits: Audits are not only a good practice; they help identify weaknesses in IT controls. They are important for ensuring that security controls are working effectively and that security policies comply with applicable standards, laws and regulations.
  • Implement security monitoring: Continuous monitoring ensures the continued effectiveness of all security controls. Robust security monitoring will also help enhance your Incident Response capabilities.
  • Develop strong service provider security oversight:
    1. Determine whether service providers’ contracts contain security requirements that at least meet the objectives of your information security program.
    2. Develop a Security Risk Assessment questionnaire and make it a requirement for every service provider connecting to your infrastructure.
    3. Ensure that the service provider has implemented a security program and that adequate controls, commensurate with the risk, are in place.
  • Follow the guidance:
    1. Make examiners and auditors happy by developing your security program in line with the appropriate guidelines.
    2. Map your information security program to the FFIEC Information Technology Examination Handbook (IT Handbook); ensure that every policy and procedure in your security plan addresses all security processes outlined in the handbook.
    3. Get ahead… be familiar with the Examination Procedures listed in Appendix A of the handbook. You can prepare for your annual examination by reviewing the examination procedures to ensure that your security program covers the spirit of the guidance.

Following these guidelines will help you fortify your organization’s security program. We know from experience that this is not a simple task; it requires strategic planning, time and resources to build, implement and maintain a strong program. I’d recommend seeking the support of a security partner to help you assess, develop, implement and/or enhance your cyber security program.