The financial services industry -- which represented 7.4% of the United States GDP in 2018 -- is one of the most influential sectors in the world economy. Financial service firms like banks, wealth management, and insurance companies are tasked with the hefty duty of managing the finances of the world -- however, such a substantial role also comes with substantial threats. Companies in the industry are 300 times more likely to be targeted by cyberattacks compared to other industries, according to a report by Boston Consulting Group.
Given the fact that financial service firms primarily manage and work with money, it comes as no surprise that security is a top concern in the industry. Not only do they have to invest in the protection of their clients’ assets, they also have to maintain the security of their clients’ personally identifiable information (PII), which goes hand in hand with financial information.
Despite the known need for optimal data security in the industry, costly breaches continue to rise. A report from Accenture pinpointed the average cost per cybercrime in the industry at a whopping $18.5 million. So why do data breaches keep occuring in such a security-conscious industry?
The Data Security Challenge For The Financial Service Industry
For one, data security is complex: as new best practices evolve, so do the methods used by outside attackers. Furthermore, one of the biggest problems is that external threats aren’t the only security challenges to consider. Two of the largest (and hardest to combat) security risks for financial service companies are insider threats and third-party risks.
For one, employees need access to sensitive data that, in the wrong hands, could have serious consequences for an organization. Similarly, most organizations use third-party solutions to help with daily operations, and these solutions need to process sensitive data. If these solutions aren’t secure, they create more surface area within an organization’s infrastructure for cyberattacks to target.
Data Security Best Practices For Financial Services
Insider threats and unsecured third-party services are big threats, and they exist alongside things like malicious code injections, denial-of-service attacks, phishing and social engineering. It’s clear that the financial services industry is up against a lot -- so how can you protect your organization’s sensitive information and ensure that you’re not letting anything slip through the cracks?
Salesforce is a great start -- if you’re currently using the world’s #1 CRM, you’re already ahead of the game when it comes to cybersecurity. A leader in cloud security, the Salesforce platform has stringent security measures in place out of the box -- and they’ve built their Financial Services Cloud with the unique requirements of finance and insurance companies in mind. However, getting ahead of the game is only the beginning. Use these data security best practices for financial service firms using Salesforce in order to kickstart (or continue) your journey to becoming an adaptive, security-conscious organization:
- Stack Your Salesforce with Security
- Follow a Cybersecurity Framework
- Monitor Threats & Vulnerabilities
- Create Incident Response Plans
- Focus on Training
- Create a Security Culture
Salesforce is trusted by leading industries around the world, including the strictly regulated government and healthcare industries, so there’s no question that it’s one of the most secure CRM solutions out there. As good as its out-of-box security may be, however, there’s always more you can do to further secure your org.
To get started, make sure to follow Salesforce security basics, like managing redirects to external URLs and setting responsible password policies. You should also be sure to take advantage of Salesforce's different options for controlling information access, such as:
These options will allow you to ensure that sensitive information is only accessible by the individuals who absolutely need it, helping to prevent data breaches from within, whether malicious or negligent.
It may not sound like much at first, but layering on these simple security steps can mean the difference between millions of dollars lost and a normal day -- it only takes a small slip-up for big consequences to occur.
Use Salesforce Shield
Salesforce Shield is a trio of security tools that can help you take your data security to the next level. Salesforce shield supercharges organizational security in three ways: platform encryption, event monitoring, and field audit trail.
Platform Encryption encrypts sensitive data such as PII, credit card, or bank account information at rest, meaning that even when data is not being transferred anywhere, it’s still protected. Considering the amount of sensitive information that financial service organizations need to manage and store, platform encryption is a must for complying with industry regulations and internal policies, as well as preventing both internal and external breaches.
Event Monitoring detects and prevents information misuse by internal players, making it a key asset in the fight against insider threats. This feature can show what users are accessing, when they’re accessing it, and from where, as well as other insights like suspicious login trends. In the financial services industry, it can be used for detecting activity like data being viewed or exported from high net-worth clients, or preventing investment data from being leaked to competitors. It’s also important for complying with industry regulations like FFIEC, SOX, and PCI.
Field Audit Trail preserves the history of Salesforce field data for up to 10 years, giving financial service firms a valuable record of how their data has changed over time. Industry regulations require institutions like banks to keep a record of changes to key business elements like name and address, meaning field audit trail can be important in maintaining compliance. It can also be used to track change to important fields that display information like account balances, fees, and commissions.
Mitigate Third-Party Risks With Native Apps
Financial service firms rely on third parties to get their work done every day. From vendors to suppliers to partners, companies across all sectors use and share information with an average of 583 third parties each -- and 59% have experienced a data breach as a result of a third party. Vetting which third party solutions to use should be one of the highest things on the list when it comes to data security for financial service institutions.
Applications from the Salesforce AppExchange, while extremely useful, need to be evaluated particularly carefully because of how closely they work with and process sensitive data inside of Salesforce. Many AppExchange apps need to communicate with external servers for data processing, which means sensitive information may be at risk, depending on the security protocols of each individual vendor.
Fortunately, there’s a solution to this problem: look to native apps first. Native Salesforce applications are solutions that are built entirely on the already-approved Salesforce platform, meaning that they process all of your data within Salesforce, and don’t need to communicate or make API calls to external servers. If you already trust Salesforce, you can be confident that your data is secure when you use native apps. You also won’t have to spend valuable time evaluating the external systems that your apps depend on, since native apps only depend on Salesforce. Native apps are also automatically compatible with your org’s security settings, and most work great with Salesforce Shield.
S-Docs, for example, is a 100% native document generation and e-signature solution that allows users to generate documents with their Salesforce data merged in, and then route those documents for e-signature. The entire process happens within the Salesforce cloud. Documents that require sensitive data will be generated on the Salesforce platform by users that you approve, and since the e-signature process happens within Salesforce too, you can count on the security of your document and esign workflows to increase dramatically.
To sum it up:
You Might Also Like: How To Evaluate The Security Of AppExchange Apps
As we mentioned before, data security is complex, but the good news is that the burden doesn’t all have to fall on you. There are a number of cybersecurity frameworks that have been developed to guide organizations on how they should structure their data security practices and policies. Two important cybersecurity frameworks to consider are the NIST Cybersecurity Framework and the FFIEC Information Technology Examination Handbook.
Developed by the National Institute of Standards and Technology, the NIST Cybersecurity Framework focuses on five areas of cybersecurity: Identify, Protect, Detect, Respond, and Recover.
The FFIEC Information Technology Examination Handbook, developed by the Federal Financial Institutions Examination Council, is a comprehensive set of guidelines for optimal data security, covering everything from application security to security culture.
Both of these frameworks can provide valuable information on how to structure your own organization’s approach to improving or overhauling your data security policies, and help you maintain compliance with regulatory policies like SOX, PCI DSS, and GLBA.
Taking a proactive approach to data security is one of the best ways to avoid cyberattacks -- if you can detect them early, you have a better chance of containing them before real damage is done. The problem is, cyberattacks don’t usually give off obvious red flags; they’re designed to be as subtle as possible, and they’re only getting harder to detect as time goes on. Performing continuous threat monitoring with tools like Salesforce Shield and Salesforce Security Health Check is crucial to ensuring your organization doesn’t get caught unawares.
Similarly, it’s also a good idea to continuously assess your organization’s vulnerabilities. This can help you identify any areas that require security improvements, especially those that might be exploitable by insiders. The Financial Services Sector Coordinating Council (FSSCC) developed a cybersecurity assessment tool that can help organizations recognize internal and external risks. Doing regular assessments will help you identify and prioritize the most critical weaknesses so you can mitigate the biggest vulnerabilities first.
You Might Also Like: 6 Benefits Of A Financial Services Document Generation App
Being proactive is important, but the fact of the matter is that no cyberattack prevention method is 100% effective. Even at organizations with the highest levels of security, breaches still happen. That’s why it’s vital to have effective incident response plans on hand should something ever happen to your organization.
Consider the different ways in which your organization could be breached -- a report from Akamai identified four methods that comprise 94% of attacks within the financial services industry: SQL injection, Local File Inclusion, Cross-Site Scripting, and OGNL Java Injection, however there are numerous others that you should prepare for as well. You should also consider breaches that have happened to other companies in the industry.
From there, develop a plan that includes procedures for notifying the proper individuals, escalating incidents to appropriate management levels, response procedures, and business continuity after the incident is contained. Additionally consider government reporting requirements for certain types of incidents, as well as when and how you will inform your customers of the incident, if required.
It’s important to assign specific roles to employees for executing different parts of your incident response plan so that if an attack occurs, the response is seamless and effective. In addition, make sure to test and update your plans on a continual basis.
A good data security program and comprehensive incident response plans are only effective if your team is armed with the knowledge on how to use them. Make training a priority for your organization on all levels to ensure that everyone performs their job duties with data security top of mind.
Create a training program that focuses on your data security policies and procedures, as well as your incident response plans, so that your employees are aware of how to spot suspicious activity and know who to report it to. Include real-life examples in your program that showcase how breaches have happened in the past at other companies, and how to recognize and respond to similar attacks in the future. Trailhead courses are a great resource to use for training that gamify the learning process and make the information easier to consume.
It’s also a good idea to continuously reevaluate your training programs to make sure that they’re up to date with the latest industry standards and data security best practices.
In the end, one of the most important things you can do when it comes to cybersecurity is to foster a culture that supports and promotes it. Doing so isn’t as clear-cut as the rest of the tips listed in this article, but one way to begin is to start at the top. Devote board and senior leadership attention towards creating and improving data security programs so that cybersecurity becomes a priority. Follow the suggestions in this article, especially implementing comprehensive training programs, to make it clear that cybersecurity is something that your organization takes seriously.
Finally, convey the notion that cybersecurity belongs to everyone in the organization, from the senior leadership team to the summer interns. Integrate security policies into your employee handbook and keep cybersecurity top of mind with continuous training.
Topping your data security policies off with the right buy-in from senior leadership and the culture to support them will help ensure that your organization is doing everything it can to protect both your clients’ and your own information, prevent expensive data breaches, and continue to grow your customer base as a trusted leader in the financial services industry.
S-Docs: A Trusted Partner For Financial Services
At S-Docs, your security is our priority. That’s why we’re the only 100% native document generation and e-signature solution available on the Salesforce AppExchange. With S-Docs, all of your data is securely processed directly within Salesforce -- it’s never stored or processed on any platform other than the one you’ve already approved. S-Docs is committed to transforming the document and e-signature workflows of top financial services organizations around the globe, helping to securely generate and esign documents like contracts, account summaries, regulatory and compliance communications, and much more. If you’re ready to see what S-Docs can do for your organizational efficiency and security, request a demo today or email firstname.lastname@example.org.