A financial services firm had regulatory audits coming up and wanted to identify and remediate any issues before being audited. Although the firm had internal IT and compliance staff, the initiative wasn’t moving forward as quickly as hoped, and management became concerned that without outside expertise they could easily miss new requirements and be found “non-compliant”.
Our IT Security team consulted with the firm’s stakeholders to confirm their objectives for this project:
- Identify the current state of the firm’s cyber security
- Prepare for the upcoming regulatory audits by verifying that requirements are being met
- Establish a relationship with a cyber security firm that can provide resources for aspects of cyber security the firm does not need on staff full-time (such as Incident Response)
We recommended a cyber security assessment to compare the firm’s current policies and controls against NIST standards and SEC regulatory guidelines. Third-party vendors were included in the scope to confirm that appropriate agreements were in place committing each vendor to adhere to the firm’s security practices. We also incorporated social engineering to test the human side of the firm’s cyber security, since many breaches are caused by staff failing to follow security awareness best practices.
Our findings for the firm were not unusual. Although much of the security best practice framework was in place, missing security patches, default admin credentials still in use on devices such as network printers and routers, and account access policies in Active Directory that needed updating left the firm vulnerable to attack, and not fully up to compliance standards. All of these issues were easily fixed by their staff and outside IT support firm once identified.
An email phishing campaign was developed to test whether the firm’s staff followed best practices: not clicking links in suspicious emails and not sharing login credentials. The firm was proud that its security awareness training proved effective: despite multiple attempts and campaigns, staff alerted each other and the firm’s executive team to the suspicious nature of the emails, and none of the users were tricked into providing their credentials. Although the firm had some documentation in place, it was missing some key policy documents that will be required for the audits, and some processes had not been documented at all. Again, this is a simple fix that will keep the firm from receiving a “non-compliant” audit status.