On May 3, 2022, Aaron Shilts was featured in the Business Journals article 21 Twin Cities Executives Named Regional Finalists for EY’s 2022 Entrepreneur of the Year Award. Preview the article below, or read the full article online.
Twenty-one leaders of Twin Cities companies are finalists for Ernst & Young’s 2022 Entrepreneur Of The Year award for its seven-state “Heartland” region.
The Minnesota executives dominated EY’s recently unveiled list of 28 finalists from a region that also includes North Dakota, South Dakota, Iowa, Nebraska, Kansas and Missouri.
EY will name the winners in June, then pick national winners in the fall.
The Heartland region finalists, with titles gleaned from LinkedIn and company websites, are:
Bret Weiss, president and CEO, WSB, based in Golden Valley
Nominees for the award are evaluated based on six criteria: entrepreneurial leadership; talent management; degree of difficulty; financial performance; societal impact and building a values-based company; and originality, innovation and future plans.
Other finalists from elsewhere in the region are Byron Whetstone of American Direct, based in Lenexa, Kansas; Greg Siwak of CareVet, based in Clayton, Missouri; Josiah Cox of Central States Water Resources, based in St. Louis; Jay Kim of DataLocker, based in Overland Park, Kansas; Todd Keske of Foam Supplies Inc., based in Earth City, Missouri; Brian Weaver of Torch.AI, based in Leawood, Kansas; and Austin Mac Nab of VizyPay, based in Waukee, Iowa.
On May 5, 2022, Nabil Hannan was featured in the VMblog Get Expert Advice During World Password Day 2022. Preview the article below, or read the full article online.
Did you know, today, May 5th, is World Password Day! The Registrar of National Day Calendar has designated the first Thursday of May of each year as World Password Day, and it is meant to promote better password habits – something we could all use, I’m sure. Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, banking, social media, private work, and life communications.
We use a lot of online services in our daily lives. And we’re constantly having to deal with the possibility of so many different types of attacks, making digital protection more and more important. So let World Password Day be a reminder and encourage people to protect themselves with a series of strong passwords.
To help get a handle on things, a number of industry security experts have chimed in to share their perspectives and opinions with VMblog readers.
“World Password Day serves as a moment in time for organizations to re-evaluate password security best practices. Today, a strong authentication strategy must include policies for safe password storage, the most important aspect of password security. Additionally, at a bare minimum, every organization should start with multi-factor authentication and build from there. One-time passwords, email verification codes, or verification links are user-friendly and go a long way in effective authentication.
From a user perspective, all staff working within or alongside the organization should be required to use strong, complex passwords that follow NIST’s latest guidelines. Security leaders may also practice the principle of least privilege, where only those who need access to certain information have it. With these best practices, organizations can better bolster protection and set themselves up for success on World Password Day and beyond.”
The financial industry is a top target for cyberattacks. Just behind healthcare, the financial industry is the second most targeted sector, accounting for 12% of all breaches. But what makes banks such a high-profile target for cybercriminals?
The critical assets that financial institutions store – customer personal data and money – make them a lucrative target for cybercriminals. In recent years, we saw a steady inclination towards digitization in the financial industry, and the onset of COVID-19 only accelerated this momentum. Employees transitioning to remote work and customers relying on online transactions mean an ever-expanding attack surface.
Although cybercrime is attempted frequently, the financial industry is known to implement some of the most mature cybersecurity programs.
According to consulting firm McKinsey & Company, the banking sector is one of the most advanced in cybersecurity maturity, due to the regulatory environment, consumer expectations, and competitive pressures. These nuances alone create a unique threat landscape for banks across the globe.
In this two-part blog series, we will dive into cybersecurity for financial institutions. This first blog will explore the current state of financial services cybersecurity, the challenges the industry faces, and opportunities for banks and other financial institutions to better protect their organizations – and in turn, their customers.
In part two, we explore measurable and actionable metrics banks can track to craft a powerful cybersecurity story tailored to their unique threat landscape.
For additional reading on financial industry cybersecurity, check out these resources:
Cybersecurity decisions are driven by security professionals, technology leaders, business executives, vendors/partners, board of directors, auditors, and regulators. The groups work in partnership to provide some of the most mature security programs.
Banks must comply with established regulators – often run by agencies such as the FDIC, OCC, NYDFS, and FRB in the US; the FCA in the UK; and OSFI in Canada – to oversee banking operations. Regulators ensure that banks comply with industry standards and consumer protection laws, and they oversee the soundness of the financial institution.
Banks that undergo a cybersecurity breach suffer from financial, reputational, and regulatory impacts. In addition to that, banks that receive a MRA (Matter Requiring Attention), or worse a MRIA (Matter Requiring Immediate Attention) from a previous examination or inspection will find themselves under intense scrutiny. This drives up operating costs and distracts resources away from other initiatives.
A medium-sized bank with smaller and less mature cyber functions is more likely to suffer a more impactful impairment. Larger banks that have had significant investments are not immune to compromise. But, because they’ve had the necessary investment to develop robust programs over the last two decades, they are less likely to experience a substantial impact.
This highlights that the current state of cybersecurity is situational and truly depends on various organizational factors and the accompanying unique cybersecurity considerations. For example, the size of your organization, type of banking services provided, who your examiners are, and location, among other factors.
Keeping that in mind, here are five things we know to be true today regarding today’s financial cybersecurity landscape:
Large banks invest more resources and money into their cybersecurity programs to accommodate for the complex and costly processes needed to avoid risks.
The larger your organization, the more complex your environment is to secure.
Evolving regulatory frameworks account for the size and systemic risk a given institution has on the entire financial system.
Banks with an international presence face the increased complexity of dealing with regulatory requirements globally.
There is a significant investment in cybersecurity for financial institutions.
To understand these concepts in depth, let’s look at four key cybersecurity challenges the banking industry faces today.
Keeping up with Banking Cybersecurity Regulations
Different banks have different regulatory imperatives based on where they operate. For instance, in the US, the Financial Industry Regulatory Authority (FINRA) operates at the multinational level, the Office of the Comptroller of the Currency (OCC) at the national level, and the New York State Department of Financial Services (NYDFS) at the state level.
To keep up with the regulatory requirements domestically and internationally, security leaders must work closely with their risk and governance leadership to establish an effective compliance strategy to ensure security protects the enterprise while meeting the expectations of regulators. A strategy that maps regulatory requirements back to the business’ reporting processes is essential since banks work with different countries that implements their own compliance laws.
Furthermore, evolving privacy standards, such as General Data Protection Regulation (GDPR), have a tone of security built into their compliance requirements. It’s important to understand how your security practices can help you comply with privacy standards, although they do not explicitly evaluate cybersecurity.
At the national level in the US, there is a mix of consumer privacy laws to regulate what financial institutions can do with specific types of consumer data, but there is no single legislation that all privacy laws fall under. In fact, only California, Virginia, and Colorado have comprehensive consumer privacy laws. Many states enact their own privacy laws, but they are either incompatible or the data overlaps. For instance, a state may define a breach and what constitutes as personal data differently from another state.
Retaining Financial Industry Cybersecurity Talent
Across the spectrum, financial institutions struggle to attract and retain cybersecurity talent. Although this changes from organization to organization. For instance, larger banks have the funding to attract talent compared to smaller banks that experience more difficulty in this arena. And non-traditional financial institutions may have better luck attracting talent if they have flexible work-from-home policies. As other sectors like healthcare improve their cyber posture, competition for talent is increasing.
The COVID-19 pandemic has created significant demand for remote or hybrid roles. Unfortunately, many financial institutions are not opting to allow this given the traditional nature of the industry. This can deter security candidates from seeking roles in the industry especially since other industries offer competitive pay with the added benefit of being remote.
For smaller banks that lack cybersecurity experts with the necessary background, third-party service providers can help solve hiring challenges and serve as an extension of their team. NetSPI specifically leverages its penetration testing experts and technologies to perform offensive security testing and help financial institutions discover, prioritize, manage, and remediate their security vulnerabilities.
Providers that take a partnership approach can also help organizations meet their objectives and offer services with a bench strength that they are unable to attract or retain themselves.
Regulators Are Your Partners, Not Your Enemy
Regulations are put in place to protect financial institutions and their customers. In cybersecurity, you’re only able to safeguard your critical assets to an extent if you’re not keeping pace with the ever-changing threat landscape.
The independent nature of regulators is a resource many other industries don’t have. They’re able to provide unique perspectives based on the independence and years of experience an organization has. Having the ability to bridge the gap through the market and within the organization makes them an ideal partner to protect your organization and customers. Transparency and actively reaching out to your assigned auditors will be key in this process.
Start by engaging with them in conversations about the future of your organization. Engaging in conversations early in the pipeline and gauging their opinion will open opportunities for more discussion and insights that will help you with compliance.
You also want to work in tandem with your regulator to leverage regulatory requirements against existing controls and efforts to address control gaps in the organization. This enables the regulator to gain a better understanding of the company’s risk culture to effectively map the regulatory requirements back to the business’ operating systems. Then, the board and executive leadership team can make sound decisions relating to budget and risks.
Ultimately, your cybersecurity team and the regulator share the same goal – to protect your customer – so it is important to realize that your regulator is not your enemy, but your partner in maturing your organization.
Prioritizing Investments Within Financial Industry Cybersecurity
But how should financial organizations prioritize that spending? By focusing on risk.
What vulnerabilities, if exploited, would cause the most harm to your organization and customers? Fix those first.
What part of your business is responsible for most of your revenue? Increase your investments in securing this portion of your business.
Implementing new technologies or architectures (see: blockchain security)? Understand the cybersecurity implications before deployment.
Just because you are compliant, does not mean you are secure. That’s worth repeating: just because you are compliant, does not mean you are secure. Shifting to a risk-based mindset will set financial institutions up for future success and elevate your program maturity.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.