10 Steps to Better Protect Your Firm
Cybersecurity is a strategic priority for J.P. Morgan
Engage an experienced engineering firm that understands the technical risks and complexities of enterprise architecture to carry out an independent technical assessment of your firm’s infrastructure. The company you engage should have deeper technical expertise than a general consulting firm, so that you know where your vulnerabilities are at all times.
Establish a clear engagement model with governing authorities, including law enforcement (who will you call, which agency, and under what circumstances?). Have the relationships established up front and the engagement clearly documented within your standard procedures.
Join an industry-based information security forum, such as FS-ISAC.* Understand the latest threats to your industry before they affect your firm.
Create an internal team or engage a vendor to attack your systems using the same techniques bad guys do, but continuously, not once a year. Some vendors can also monitor whether your credentials are available to the public on the “dark web.”
Malicious email is the No. 1 way bad guys get into organizations. Establish a mandatory baseline training program for all employees that focuses on the specific actions employees need to take to protect your firm. Once you have trained your employees, actively test them. For example, send targeted phishing emails and require those employees who click on the phishing emails to take additional training.
Understand your third-party environment and upgrade your contract provisions so that third parties follow the same standards you are striving for in your own environments.
Run simulations and drills to assess your capabilities. Use a combination of tabletop exercises and injected real-life scenarios to see how your Security Operations Center responds. Learn lessons and repeat. Include business colleagues and technologists in the tabletop exercises.
Look at all of the ways money leaves your firm. Work out what controls and thresholds you can put in place to protect money movement, assuming bad guys get past your other controls. Examples include wire limits and additional checks/approvals for certain destination countries or for new beneficiaries.
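The money-movement controls described above, worked through as an added example (not code from J.P. Morgan or from this page). The thresholds, the high-risk country code, the beneficiary register and the sample payments are all constructed placeholders; a real firm takes them from its own risk policy. The example goes one step beyond the text by adding a per-user daily total, which catches an attacker who splits a large transfer into several wires that each sit under the single-wire limit.

```python
"""Evaluate an outgoing payment against layered money-movement controls.

Added example, not part of the J.P. Morgan page. All limits, the
high-risk country list ("ZZ" is a placeholder code) and the beneficiary
register are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Payment:
    amount: float
    currency: str
    beneficiary_id: str      # account or beneficiary reference
    country: str             # destination bank country (ISO 3166 alpha-2)
    requested_by: str        # user who initiated the payment


@dataclass
class Controls:
    single_wire_limit: float = 250_000.0        # above this: second approver
    high_value_limit: float = 1_000_000.0       # above this: out-of-band callback
    new_beneficiary_limit: float = 10_000.0     # new payee above this: hold
    daily_total_limit: float = 500_000.0        # per initiating user, per day
    high_risk_countries: frozenset = frozenset({"ZZ"})   # placeholder list
    known_beneficiaries: set = field(default_factory=set)
    released_today: dict = field(default_factory=dict)   # user -> running total


def evaluate_payment(p: Payment, c: Controls) -> dict:
    """Return the extra approvals a payment needs before it may be released.

    Every control is evaluated independently and the results are combined,
    so a payment that trips several rules needs all of the matching checks,
    not just the first one. 'release' is True only when nothing fired.
    """
    required = []
    if p.amount > c.single_wire_limit:
        required.append("second_approver")           # four-eyes on large wires
    if p.amount > c.high_value_limit:
        required.append("out_of_band_callback")      # confirm on a known phone number
    if p.beneficiary_id not in c.known_beneficiaries:
        required.append("new_beneficiary_verification")
        if p.amount > c.new_beneficiary_limit:
            required.append("new_beneficiary_hold")  # hold first large payment to a new payee
    if p.country in c.high_risk_countries:
        required.append("sanctions_and_destination_review")
    # Velocity check: several small wires that together exceed the daily
    # total are escalated even though each one is under the single-wire limit.
    if c.released_today.get(p.requested_by, 0.0) + p.amount > c.daily_total_limit:
        required.append("daily_limit_exceeded")
    return {"release": not required, "required_approvals": required}


def register_beneficiary(c: Controls, beneficiary_id: str) -> None:
    """Add a payee to the known set once verification has completed."""
    c.known_beneficiaries.add(beneficiary_id)


def record_release(c: Controls, p: Payment) -> None:
    """Update the per-user daily ledger after a payment is actually released."""
    c.released_today[p.requested_by] = c.released_today.get(p.requested_by, 0.0) + p.amount


if __name__ == "__main__":
    controls = Controls()
    register_beneficiary(controls, "BEN-001")
    routine = Payment(5_000.0, "USD", "BEN-001", "US", "alice")
    suspicious = Payment(300_000.0, "USD", "BEN-999", "ZZ", "alice")
    print(evaluate_payment(routine, controls))
    print(evaluate_payment(suspicious, controls))
```

Each control is a separate line so a new rule can be added without touching the others; the list of required approvals, rather than a single allow/deny, is what a payments operations team would route to the right approver queues.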
Configuring your web filtering software to block uncategorized sites (category “None”) is a hugely important mitigation technique. Use DMARC,† which gives other organizations a way to validate that emails appearing to come from you actually come from you.
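To make the DMARC point concrete, here is an added example (not code from J.P. Morgan or from this page) that parses a DMARC TXT record the way a receiving mail server would and grades how much protection it actually gives the domain owner. The two records are constructed samples for the placeholder domain example.invalid; a real receiver fetches the record from DNS at `_dmarc.<domain>`, which this example does not do. Tag names and defaults follow RFC 7489.

```python
"""Parse a DMARC record and report weak settings.

Added example, not part of the J.P. Morgan page. The sample records and
the domain example.invalid are constructed placeholders.
"""

# Tags from RFC 7489 and the value assumed when a tag is omitted.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None, "rua": None, "ruf": None}
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary.

    The first tag must be v=DMARC1 and a valid p= tag is required; anything
    else raises ValueError so a malformed record is never mistaken for a
    valid policy.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, _, value = part.partition("=")
        key = key.strip().lower()
        # Report addresses keep their case; policy values are case-insensitive.
        tags[key] = value.strip() if key in ("rua", "ruf") else value.strip().lower()
    if list(tags)[:1] != ["v"] or tags["v"] != "dmarc1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= policy tag")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    if tags["sp"] is None:
        tags["sp"] = tags["p"]          # subdomain policy inherits p= when absent
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy and a list of weaknesses in the record."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif tags["p"] == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    if tags["sp"] != "reject":
        findings.append(f"subdomain policy sp={tags['sp']} is weaker than reject")
    if int(tags["pct"]) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if not tags["rua"]:
        findings.append("no rua= address: you will not receive aggregate reports")
    if tags["adkim"] == "r" or tags["aspf"] == "r":
        findings.append("relaxed alignment (adkim/aspf=r) accepts any subdomain; strict (s) requires an exact match")
    return {"policy": tags["p"], "subdomain_policy": tags["sp"], "findings": findings}


# Constructed sample records for the placeholder domain example.invalid.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc-reports@example.invalid")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        result = assess_dmarc(rec)
        print(label, result["policy"], result["findings"])
```

Publishing a record with p=none is the usual first step so that aggregate reports show who is sending as your domain; the protection the step above describes only arrives once the policy is moved to quarantine and then reject.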
Training is available to our clients who use J.P. Morgan ACCESS® or J.P. Morgan Markets; it can offer substantial benefits and includes suggestions for reducing risk.
* Financial Services Information Sharing and Analysis Center, an industry forum for financial institutions
† Domain-based Message Authentication, Reporting and Conformance
Download a copy of J.P. Morgan’s enterprise-wide strategy for cyber defense, focused on protection and prevention.