
Cybersecurity for Financial Industries, Healthcare and Retail

IT Security for the Financial Services, Healthcare and Retail. Is regulation compliance enough to avoid theft and disruption?

March 12, 2019



There’s an unseen thief that can rob you blind, disrupt your business, and cause you to lose public trust. Cyberattacks steal your sensitive information so it can be sold on the dark web. But perhaps more threatening is the rise in disruptive attacks designed to damage a brand by interrupting standard operations. The harm is more than monetary: think of the potential loss of life and public safety that could result from the disruption of critical services. Healthcare, financial services, and retail are high-visibility targets because of their economic and public safety roles and the enormous value of the data they keep.

Interconnection provides greater access to attack.

It’s hard to stop a chain of attack when we’re so hardwired to share information through interconnected devices, systems, and networks. Virtually no business or organization is without vulnerability to cyberattack. As the dark web market grows in sophistication, barriers to entry have been significantly reduced. Attackers use the same tactics, such as data analytics, artificial intelligence and machine learning, that legitimate businesses and organizations use. Research shows that exploit detection has skyrocketed and that, along with ransomware and Internet of Things (IoT) vulnerabilities, cryptojacking is also emerging as a serious threat.

Regulations designed to minimize risk.

Regulatory bodies issue guidelines and standards designed to protect or minimize the impact of attack on healthcare, financial services, and retail industries. In order to comply with these regulations, organizations must have the technical infrastructure required to ensure data is secure and the ability to report their compliance. It’s good to have a strong partner to help in this endeavor.

The National Institute of Standards and Technology (NIST) has updated its Cybersecurity Framework in a collaboration between U.S. government and the private sector to provide best practices for managing risk from cyberattacks. Predictions indicate that about half of all U.S. organizations, including healthcare, financial services, and retail will implement this framework by 2020.

Consisting of five core functions to create a cybersecurity strategy, the Framework may be tailored to fit the needs of specific organizations. It also recommends the processes and controls that are necessary to manage and reduce cyber risks and identify areas where cybersecurity can be improved. A recent version of the Framework offers new recommendations, including those related to authentication, vulnerability disclosures, and cyber risk assessments.

According to the NIST Framework document, “The development of cybersecurity performance metrics is evolving. Organizations should be thoughtful, creative, and careful about the ways in which they employ measurements to optimize use, while avoiding reliance on artificial indicators of current state and progress in improving cybersecurity risk management. Judging cyber risk requires discipline and should be revisited periodically.”

The Framework may be applied to a wide range of public and private organizations, but you’ll also find a variety of regulations for specific industries.

Precautions For Healthcare Providers

Patient medical records are the number one target for cyber criminals. Naturally, stringent measures are required to protect the protected health information (PHI) of patients. Connected medical devices have allowed patients to play a more active role in their healthcare, and they have come to expect remote access to their medical data. It’s estimated that seven million patients are already using connected devices for their care, a positive change for patients that also opens the door to cyber risk, since many of these devices were not designed with security in mind.

All healthcare providers must follow the Health Insurance Portability and Accountability Act (HIPAA) to protect patients’ PHI. With respect to cyberattacks, the HIPAA Security Rule covers the protection of electronic PHI through operational and technical controls that assure patient confidentiality. HIPAA remains the primary healthcare regulation, and healthcare organizations must demonstrate compliance to avoid fines and legal action. However, new guidelines and regulations have been introduced by Congress and the FDA.

Precautions For Financial Services

The financial services industry is a critical infrastructure spanning the globe. China, Singapore, the European Union, the United Kingdom, and the United States have each established their own cybersecurity regulations, and globally operating financial services firms must be aware of these regulations and data rules and of how they may be affected as they conduct business across borders.

Here in the U.S., the financial sector is subject to regulations and guidelines by the Financial Industry Regulatory Authority (FINRA). These call for written policies and procedures that must be submitted in regard to consumer information protection.

Recently, financial services are also being regulated at the state level. In New York, firms must comply with the 23 NYCRR 500 cybersecurity regulation established by the Department of Financial Services, requiring banks to have a cybersecurity plan and disclose cyber incidents within 72 hours.

Lack of compliance with these new regulations can result in heavy financial and business consequences. To ensure compliance, financial services firms should review each of these regulations to understand exactly how their organization will be affected. While each law will require that different cybersecurity measures be taken, improving visibility into how data is used and where it moves is valuable under all of them.

Periodic assessments can give financial services firms a clear examination of their security protocol and insight into areas where they could be at risk. Conducting assessments and making adjustments to security demonstrates to regulating bodies that financial services organizations have actively prioritized security and compliance.

Precautions For Retail

Consumer credit card data is the primary target in the retail industry. To protect consumers, retailers must adhere to the Payment Card Industry Data Security Standard (PCI DSS). It gives retailers requirements for the storage and transmission of payment information, in an effort to mitigate the risk of data breach and fraud.

Retail organizations must implement security controls that meet these requirements and produce compliance reports that prove their adherence and demonstrate that they are keeping data secure.

Feeling overwhelmed? Don’t take it on alone.

They say that “crime does not pay,” but of course it does. As long as cybertheft pays in terms of money, disruption or notoriety, organizations will pay in terms of constant vigilance. Regulations and standards will continue to be updated and expanded, but a holistic approach to security protection is required, and, quite frankly, manual asset and vulnerability management is not adequate.

While digital transformation unlocks potential for business, it also makes organizations vulnerable to attack. The IoT, cloud services, and business networks are creating an expanding ecosystem of opportunity and threat. Keeping pace with this requires more than keeping pace with compliance requirements. The expansion of the attack surface should drive organizations to adopt a broad, interoperable security architecture.

In short, security is hard. While some enterprise leaders think they're covered, the truth is that there will always be a struggle to keep up, not only due to the shortage of qualified in-house staff but also to the challenges of defining security needs and strategies, implementing the necessary technology, and maintaining a security solution.

This is where establishing a partnership with IT security and IT outsourcing services is critical. Organizations should be free to focus on the areas in which they excel, rather than trying to keep up with the variety of threat actors. Joining forces with a technology expert who can work behind the scenes to seamlessly support your security with sound and thorough intelligence is the most practical solution.
