The 10 Layers of Online Security for Financial Management Firms

The FCA expect your firm to be able to protect the sensitive information you hold. They call it ‘cyber resilience’ – part of the overall operational resilience of financial services firms. 

This article highlights some common layers of online security financial services firms can adopt – all recommended by the FCA. The key lies in putting them together in a way that best suits your operation.

1. Multi-factor authentication

You may already be using this in your personal life. If you attempt to log into your bank account but it insists on sending you a verification code via SMS to confirm your identity, that’s a form of multi-factor authentication in action. (In this case, of the two-factor variety.)

This is the simplest and most effective way to prevent unauthorised logins to your email or other business-critical systems. Turn it on if it’s available!

2. Email forwarder monitoring

If a hacker gains access to your email, they might be tempted to set up an email forwarder. This would result in a copy of every email you receive being sent to them. Monitoring for unauthorised email forwarders will help you avoid this near-undetectable and highly invasive cyber-attack.
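
As an added example (not part of the original article and not any mail platform's own code), the check below shows what monitoring for forwarders looks like in practice: it reads a constructed export of mailbox forwarding settings and inbox rules and reports every target outside the firm's own domains or an approved list. The record layout, domain names and addresses are assumptions made for this illustration.

```python
# Added example: flag mail forwarding that sends copies outside the firm.
# Record layout and all addresses below are constructed for illustration.
INTERNAL_DOMAINS = {"firm.example"}             # assumed: domains the firm owns
APPROVED_TARGETS = {"journal@archive.example"}  # assumed: reviewed, allowed forwards

SAMPLE_EXPORT = [
    {"mailbox": "pete@firm.example", "forward_to": None,
     "inbox_rules": [{"name": "Invoices", "enabled": True,
                      "forward_to": ["Pete.Backup@Mail.Example"], "redirect_to": []}]},
    {"mailbox": "amy@firm.example", "forward_to": "amy.pa@firm.example",
     "inbox_rules": []},
    {"mailbox": "compliance@firm.example", "forward_to": "journal@archive.example",
     "inbox_rules": [{"name": "Old rule", "enabled": False,
                      "forward_to": [], "redirect_to": ["ext@other.example"]}]},
]


def _domain(address):
    # Everything after the last "@"; matched exactly, so look-alike
    # suffixes such as firm.example.other.example do not count as internal.
    return address.rsplit("@", 1)[-1]


def find_external_forwarders(mailboxes, internal_domains, approved_targets):
    """Return one finding per forwarding target that leaves the firm unapproved."""
    findings = []
    for mbx in mailboxes:
        # Collect (where it was configured, target address, is it active) tuples.
        targets = []
        if mbx.get("forward_to"):
            targets.append(("mailbox setting", mbx["forward_to"], True))
        for rule in mbx.get("inbox_rules", []):
            for addr in rule.get("forward_to", []) + rule.get("redirect_to", []):
                targets.append((f"inbox rule: {rule['name']}", addr, rule.get("enabled", True)))
        for source, addr, active in targets:
            addr = addr.strip().lower()  # compare case-insensitively
            if _domain(addr) in internal_domains or addr in approved_targets:
                continue
            # Disabled rules are still reported: they can be re-enabled later.
            findings.append({"mailbox": mbx["mailbox"], "source": source,
                             "target": addr, "active": active})
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarders(SAMPLE_EXPORT, INTERNAL_DOMAINS, APPROVED_TARGETS):
        print(finding)
```

Run on a schedule against a fresh export, any new finding is a prompt to confirm the forwarder with the mailbox owner before adding it to the approved list.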

3. Email back-ups

When was the last time you backed up your email? Have you ever done it? Unless you’ve bought an email backup service, your emails are probably not being backed up. Few people realise this!

A proper backup is vital because it’ll give your IT support team far more options if you’re hacked. The email account could be reset entirely, safe in the knowledge that nothing will be lost.

4. Screening of emails via AI 

Artificial Intelligence (AI) is capable of spotting irregularities within email communication that might pass you by. For instance, if a regular contact, Pete, suddenly signs off an email with ‘Peter’, AI will spot that change and investigate the email further. Dodgy emails are getting harder to identify – unless you have the right tech in place.

5. More secure endpoints

It’s IT jargon, but important IT jargon. An endpoint could be your desktop computer or tablet, and if it contains better security, access to email will be locked down and protected. This is achieved via encryption or simpler measures, such as banning the use of USB devices (by forcing the computer to ignore them when plugged in).

6. Harnessing Office 365

Microsoft Office 365 includes advanced threat protection, but what if it hasn’t been set up properly? Your IT support company should be able to set up these vital cyber defence tools in a way that best suits your business – make sure that’s so.

7. Employee awareness

Humans are often the weakest link in a business’s cyber defences. Email can unfortunately still get past all of the protection methods we’ve noted so far, and that leaves your staff as the last line of defence.

The more up to speed your team is with cybersecurity and the various threats they may face each day, the less likely they are to become victims. Invest in cyber awareness courses. They don’t have to be boring, either; indeed, many are fun and designed to keep that vital knowledge at the forefront of employees’ minds.

8. Cyber Essentials

This is a government initiative, but it’s far from meaningless red tape. It’s designed to help your business and protect it from cyber-attacks. Cyber Essentials will become compulsory for businesses in the near future, and for a good reason. 

Cybercrime is the biggest threat your business faces and undertaking this course will put your organisation in the right mindset and arm it with the highest level of protection.

9. Cyber insurance

Like any insurance, you’ll never know the value of cyber insurance until you have to call upon it. Despite this, it is fast becoming one of the ‘must-have’ forms of insurance in the digital economy.

It’s worth shopping around and following the advice outlined in policy documents, but cyber insurance could prove very useful if the worst happens.

10. Cyber-aware business processes and culture

If you have a process for approving supplier invoices, it needs to be followed by everyone, all of the time – no exceptions. It’s when corners are cut, or business processes are needlessly changed, that cyber-attacks become a real possibility.

Encourage everyone in the business to follow processes and keep in mind that humans are usually the weakest link. The more this is driven from the top, the more it’ll create a cyber-aware culture throughout the business.

Final thought

The above certainly isn’t an exhaustive list, but it’s what we consider every time we protect our financial services clients. Think of our tips today as ‘best practice’. If you feel you need expert guidance, you know who to call.