Small Financial Companies Targeted

While the headlines are dominated with tales about recent breaches at Target, Neiman Marcus, and others, those businesses will survive. What about smaller companies?

Turns out that just last year, two separate title and escrow companies have had to shut their doors after suffering cyber attacks. Leaked emails from a small regional bank resulted a successful theft of money from a client. And thieves are using the access that small accounting and financial management firms have to individual and corporate bank accounts to steal hundreds of thousands of dollars.

What do these incidents all have in common?

They are all financial industry firms. And they are all relatively small. Most of them neglected to provide even the minimum viable security necessary to protect their assets, and those their clients entrusted to them. All of them have suffered reputational and financial damage as a result of their inaction. And some are now out of business.

Financial companies in the crosshairs

Verizon reported in 2013 Data Breach Investigation Report (DBIR) that 37% of the investigated breaches occurred within finance industry organizations. Not only is this the top industry, it experienced roughly the same number of breaches as the next four industries (Retail, Food Services, Manufacturing, and Information) combined.

Why is the finance industry attacked so much?

Three words: “follow the money.”

As attacks shift toward financial gain, attackers naturally prey on targets with easy access to capital. Banks are a logical choice; they have lots of other people’s money. Title and escrow companies also handle lots of money and tend to attract less attention, oddly making them prime targets.

Accountants, financial managers, and investment firms are next. These organizations have access to banking and investment credentials, or at least enough information about their clients to enable identity theft and fraud.

Don’t press your luck: watch out for the double whammy

Also revealed in the DBIR is the startling fact that the smallest organizations – from 1 to 100 employees – suffered the greatest number of breaches in 2013. That means smaller companies in the financial sector face a double whammy.

While some still argue about whether banks are too big to fail, it’s clear that none is too small for attack. While smaller organizations may represent a smaller “score” after a heist, they are easier to perform and therefore becoming a favorite target of attackers.

What it really means is that small financial organizations cannot afford to ignore security any longer. The challenge is the security built for large organizations — those that tolerate breaches more readily – isn’t always suitable.

The surprising challenge of compliance

For example, the Gramm-Leach-Bliley Act (GLBA) requires organizations to

“develop, implement, and maintain a comprehensive information security program that… contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”

Fairly generic in approach, it’s surprising how few small financial organizations follow this most critical requirement.

Two questions to get on the right path

First, do you have a compliant information security program in place? This doesn’t mean an information security policy that was approved four years ago and is collecting dust on a shelf. It means a complete program of policies, procedures, and controls around the physical, network, system, and data security of the organization. If the information security program doesn’t exist, or isn’t complete, our recommendation is that it should become a priority for the business.

Second, is the information security program is being followed? The best way to answer this question is to seek a third-party validation of the information security program, such as our Information Protection Assessment. This assessment should determine whether the policies are sufficient to meet regulatory requirements, whether the procedures can meet the policies, and whether the procedures and controls are implemented correctly.

Don’t be the subject of the next headline in the paper. Focus on security that is sized and prioritized to meet the demands of your business. Take these steps to make sure your organization isn’t an easy or rewarding target for attackers.