“We launch quarterly campaigns, and those who identify the e-mails get a prize every quarter,” Caban said. “We track repeat offenders [who don’t spot the phish e-mail] and require mandatory additional training for them,” she said.

Silberstein said, “The advancement and adoption of new technologies coupled with increased geopolitical tension has fueled a rapidly evolving cyber-threat landscape.

“An effective cybersecurity program,” he said, “needs to adapt to this environment, and funding must be deemed as a cross-functional investment.”

Currently, financial services firms allocate just 10 percent or less of their overall budgets to cybersecurity, according to 56 percent of the chief compliance and information security professionals in a survey performed by the Financial Services Information Sharing and Analysis Center.

Where The Cyber Budget Goes

Of that 10 percent, a majority (54 percent) said IT infrastructure and asset management is the area that receives the most funding. The three areas that receive the least amount of funding are employee training and education (4 percent), vendor management (6 percent) and business continuity (9 percent).

The “first and foremost thing firms should invest in is training, especially around e-mail,” said FINRA’s Markovich.

In addition to increasingly sophisticated phishing campaigns, the regulator is seeing more “typo squatting” and “the creation of imposter websites, where you have [a] URL that looks a lot like your URL. One thing that we’ve seen firms do is go out and register domains that are close to theirs and lock them up. Makes it more difficult for imposters to use one against your firm,” Markovich said.

He also urged firms to consistently monitor websites that are trying to mimic theirs, by hiring an outside vendor if necessary. “There are third-party firms that will track if domains that are registered are similar to yours,” Markovich added.
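The monitoring described above comes down to comparing each newly registered domain against the firm's own. A minimal sketch of that comparison, added here as an illustration and not taken from the article or from any firm or vendor it quotes; the protected domain, the feed, the substitution table and the distance threshold of 2 are all constructed assumptions:

```python
# Added example: screen newly registered domains for lookalikes of a firm's domain.
# PROTECTED and FEED are constructed placeholders, not data from the article.
PROTECTED = "examplefirm.com"
FEED = ["examplefirm.net", "examp1efirm.com", "exampelfirm.com",
        "examplefirrn.com", "weatherreport.org"]

# Visual substitutions folded to one canonical form before comparing.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(name: str) -> str:
    """Lower-case, drop hyphens and fold look-alike characters."""
    name = name.lower().replace("-", "")
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def osa_distance(a: str, b: str) -> int:
    """Edit distance: insert, delete, substitute, or swap adjacent characters."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(candidate: str, protected: str = PROTECTED) -> str:
    """Compare registrable domains (name.tld); subdomains are out of scope."""
    c_name, _, c_tld = candidate.lower().partition(".")
    p_name, _, p_tld = protected.lower().partition(".")
    if c_name == p_name:
        return "own" if c_tld == p_tld else "tld-swap"
    if skeleton(c_name) == skeleton(p_name):
        return "confusable"
    if osa_distance(skeleton(c_name), skeleton(p_name)) <= 2:
        return "near-miss"
    return "unrelated"


def screen(feed=FEED):
    """Return (domain, verdict) pairs worth an analyst's review."""
    hits = [(d, classify(d)) for d in feed]
    return [(d, v) for d, v in hits if v not in ("own", "unrelated")]


if __name__ == "__main__":
    for domain, verdict in screen():
        print(f"{verdict:11} {domain}")
```

A real deployment would feed this from a registration or certificate-transparency source and extend the substitution table to Unicode confusables.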

Tim Lotz, the vice president and head of global technology compliance and risk management at T. Rowe Price, advised firms at the FINRA conference to share as much as possible about their businesses with their information security professionals.

“How much about your business does cybersecurity staff need to know? The more the better. It is your most important line of defense,” Lotz said.
