Cybersecurity

10 Steps to Better Protect Your Firm


Cybersecurity is a strategic priority for J.P. Morgan

“Protect the firm, its clients/customers, investors and employees from cyber attacks, as well as protecting the privacy of their data and transactions.” —JPMorgan Chase & Co. Annual Report (2015)

1. INDEPENDENT ASSESSMENT

Engage an experienced engineering firm that understands the technical risks and complexities of enterprise architecture to undertake an independent technical assessment of your firm’s infrastructure. Choose a firm with deeper technical expertise than a general consultancy, and make the assessment a recurring engagement rather than a one-off, so that you know where your vulnerabilities are at all times.

2. AUTHORITY ENGAGEMENT

Establish a clear engagement model with governing authorities, including law enforcement (who are you going to call, which agency and under what circumstances?). Have the relationships established up front and the engagement clearly documented within your standard procedures.

3. JOIN INDUSTRY FORUMS

Join an industry-based information security forum, such as FS-ISAC.* Understand the latest threats to your industry before they impact your firm.

4. ATTACK YOURSELF

Create an internal team or engage a vendor to attack your systems using the same techniques bad guys do— but continuously, not once a year. Some vendors can also monitor whether your firm’s credentials are being offered for sale or traded on the “dark web.”

5. MANDATORY EMPLOYEE TRAINING AND TESTING

Malicious email is the No. 1 way bad guys get into organizations. Establish a mandatory baseline training program for all employees that focuses on the specific actions employees need to take to protect your firm. Once you have trained your employees, actively test them. For example, send targeted phishing emails and require those employees who click the links or open the attachments in those emails to take additional training.

6. THIRD PARTIES

Understand your third party environment and upgrade your contract provisions so that third parties are following the same standards you are striving for in your own environments.

7. EXERCISES AND DRILLS

Run simulations and drills to assess your capabilities. Use a combination of tabletop exercises and inject real life scenarios to see how your Security Operations Center responds. Learn lessons and repeat. Include business colleagues and technologists in the tabletop exercises.

8. MONEY MOVEMENT

Look at all of the ways money leaves your firm. Figure out what controls and thresholds you can put in place to protect money movement, assuming bad guys get around your other controls. Examples include wire limits and additional checks/approvals for certain country destinations or for new beneficiaries.
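The controls described above (wire limits, review of certain destinations, extra approval for new beneficiaries) can be expressed as a small fail-closed rule set that sits between the user and the payment rail. The following Python is an added illustration, not J.P. Morgan code or a description of any J.P. Morgan product; every threshold, account string and country code in it is constructed for the example, and “ZZ” is a user-assigned ISO 3166 code standing in for whatever destinations your firm chooses to review. It goes slightly beyond the text by also holding wires that would push the day’s aggregate outflow over a threshold, which is the same idea applied to many small payments.

```python
"""Fail-closed money-movement controls: every outbound wire is evaluated against
hard limits, approval thresholds, destination review and beneficiary history,
on the assumption that an attacker may already hold a valid user session."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    RELEASE = "release"              # within policy; no extra step
    HOLD_FOR_APPROVAL = "hold"       # needs a second, independent approver
    REJECT = "reject"                # above a hard limit; cannot be approved in-band


@dataclass(frozen=True)
class Wire:
    reference: str
    amount: float                    # in the firm's base currency (illustrative)
    destination_country: str         # ISO 3166-1 alpha-2 code
    beneficiary_account: str


@dataclass
class MoneyMovementPolicy:
    single_wire_hard_limit: float
    approval_threshold: float        # a single wire above this needs dual approval
    daily_outflow_threshold: float   # aggregate released today above this needs approval
    review_countries: frozenset      # destinations that always get a second look
    known_beneficiaries: set = field(default_factory=set)
    released_today: float = 0.0

    def evaluate(self, wire: Wire):
        """Return (Decision, reasons). Any triggered rule holds the wire."""
        if wire.amount > self.single_wire_hard_limit:
            return Decision.REJECT, [f"{wire.amount:,.2f} exceeds single-wire hard limit"]
        reasons = []
        if wire.amount > self.approval_threshold:
            reasons.append("amount above approval threshold")
        if wire.destination_country.upper() in self.review_countries:
            reasons.append(f"destination {wire.destination_country} requires review")
        if wire.beneficiary_account not in self.known_beneficiaries:
            reasons.append(f"first payment to beneficiary {wire.beneficiary_account}")
        if self.released_today + wire.amount > self.daily_outflow_threshold:
            reasons.append("daily outflow threshold would be exceeded")
        if reasons:
            return Decision.HOLD_FOR_APPROVAL, reasons
        return Decision.RELEASE, []

    def book(self, wire: Wire):
        """Record a wire that was released (or approved out of band)."""
        self.released_today += wire.amount
        self.known_beneficiaries.add(wire.beneficiary_account)


def process_batch(policy: MoneyMovementPolicy, wires):
    """Evaluate wires in order; auto-released wires count toward the daily total."""
    outcome = {}
    for wire in wires:
        decision, reasons = policy.evaluate(wire)
        if decision is Decision.RELEASE:
            policy.book(wire)
        outcome[wire.reference] = (decision, reasons)
    return outcome


def demo():
    # Constructed policy values and wires for illustration only (assumptions).
    policy = MoneyMovementPolicy(
        single_wire_hard_limit=1_000_000,
        approval_threshold=100_000,
        daily_outflow_threshold=300_000,
        review_countries=frozenset({"ZZ"}),
        known_beneficiaries={"ACCT-KNOWN-001"},
    )
    wires = [
        Wire("W1", 25_000, "DE", "ACCT-KNOWN-001"),     # routine: released
        Wire("W2", 25_000, "DE", "ACCT-NEW-777"),       # new beneficiary: held
        Wire("W3", 250_000, "DE", "ACCT-KNOWN-001"),    # above approval threshold: held
        Wire("W4", 5_000, "ZZ", "ACCT-KNOWN-001"),      # reviewed destination: held
        Wire("W5", 2_000_000, "DE", "ACCT-KNOWN-001"),  # above hard limit: rejected
        Wire("W6", 90_000, "DE", "ACCT-KNOWN-001"),     # released (115k today)
        Wire("W7", 90_000, "DE", "ACCT-KNOWN-001"),     # released (205k today)
        Wire("W8", 99_000, "DE", "ACCT-KNOWN-001"),     # would reach 304k: held
    ]
    return process_batch(policy, wires)


if __name__ == "__main__":
    for ref, (decision, reasons) in demo().items():
        print(ref, decision.value, "; ".join(reasons))
```

The design point is that a held wire needs a second person, authenticated separately, to release it: a compromised session or a social-engineered operator can then initiate a fraudulent payment but not complete it alone.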

9. IMPLEMENT CONTROLS FOR MAXIMUM EFFECT

Configure your web filtering software to block the “None” (uncategorized) category, so that traffic to sites the filter cannot classify is denied by default; newly registered phishing and command-and-control domains often have no category yet. Deploy DMARC,† which lets receiving mail systems verify that messages using your domain in the From header were actually authorized by you, tells them what to do with messages that were not, and reports the results back to you.
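What DMARC actually checks is identifier alignment: a message passes only if SPF or DKIM succeeded for a domain that aligns with the From-header domain, and the published record says what to do otherwise. The Python below is an added example, not code from this page or from J.P. Morgan; the three DMARC records and the SPF/DKIM results are constructed for the domain example.com, no DNS lookups are performed, and the organizational-domain helper uses a simplified “last two labels” rule rather than the Public Suffix List a real receiver must consult.

```python
"""DMARC evaluation for one message: parse the domain owner's published record,
test SPF and DKIM identifier alignment, and derive the disposition the
receiver should apply. SPF and DKIM results are taken as already computed."""


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption for this example: last two labels. Real receivers consult the
    Public Suffix List, otherwise 'example.co.uk' would be mis-handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (passed, disposition); disposition is 'none', 'quarantine' or 'reject'.

    spf_domain is the envelope (MAIL FROM) domain SPF checked; dkim_domain is the
    d= tag of a verified signature. Either aligned pass satisfies DMARC.
    """
    tags = parse_dmarc_record(record_txt)
    spf_aligned = (spf_result == "pass" and bool(spf_domain)
                   and is_aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_aligned = (dkim_result == "pass" and bool(dkim_domain)
                    and is_aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_aligned or dkim_aligned:
        return True, "none"
    is_subdomain = organizational_domain(from_domain) != from_domain.lower()
    # pct= sampling is intentionally ignored so results are deterministic.
    return False, tags["sp"] if is_subdomain else tags["p"]


# Constructed records for the domain "example.com" (not real DNS data).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
HARDENED_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"
RELAXED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# Constructed authentication results for three messages claiming From: example.com.
SPOOF = dict(from_domain="example.com", spf_result="pass", spf_domain="attacker-infra.example",
             dkim_result="none", dkim_domain=None)          # attacker's own SPF passes, unaligned
LEGIT_SIGNED = dict(from_domain="example.com", spf_result="pass", spf_domain="bounce.example.com",
                    dkim_result="pass", dkim_domain="example.com")
LEGIT_SPF_ONLY = dict(from_domain="example.com", spf_result="pass", spf_domain="bounce.example.com",
                      dkim_result="fail", dkim_domain="example.com")  # signature broken in transit


def run_scenarios():
    return {
        "spoof_weak": evaluate_dmarc(WEAK_RECORD, **SPOOF),
        "spoof_hardened": evaluate_dmarc(HARDENED_RECORD, **SPOOF),
        "legit_signed_hardened": evaluate_dmarc(HARDENED_RECORD, **LEGIT_SIGNED),
        "legit_spf_only_hardened": evaluate_dmarc(HARDENED_RECORD, **LEGIT_SPF_ONLY),
        "legit_spf_only_relaxed": evaluate_dmarc(RELAXED_RECORD, **LEGIT_SPF_ONLY),
    }


if __name__ == "__main__":
    for name, (passed, disposition) in run_scenarios().items():
        print(f"{name:26s} pass={passed!s:5s} disposition={disposition}")
```

Two things worth noticing in the output: with p=none a spoofed message still fails DMARC but the receiver is told to deliver it, so p=none is a monitoring stage, not a protection; and moving to strict alignment (adkim=s, aspf=s) rejects your own mail whenever it is sent with a subdomain envelope and its DKIM signature does not survive transit, which is why the aggregate reports (rua=) should be read for a while before tightening the policy.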

10. TAKE OUR TRAINING

Training is available to our clients who use J.P. Morgan ACCESS® or J.P. Morgan Markets; it offers practical suggestions for reducing risk.


* Financial Services Information Sharing and Analysis Center, an industry forum for financial institutions
† Domain-based Message Authentication, Reporting and Conformance

Learn More

Download a copy of J.P. Morgan’s enterprise-wide strategy for cyber defense, focused on protection and prevention, available here.


Copyright © 2017 JPMorgan Chase & Co. All rights reserved.