Cyber security policies: a must-have for online trading brokerages
The volume of cyber attacks in South Africa is increasing in both number and sophistication. Recently, South African companies have been hit by a large number of phishing attacks. In Mimecast's 2022 State of Email Security report, 94% of South African companies reported e-mail phishing attacks and 48% of these companies also experienced data loss.
According to reports, South Africa ranks third on the list of countries with the highest number of cyber crime victims globally. This has cost South Africans over R2.2 billion a year. The report further states that South Africa is estimated to suffer 577 malware attacks an hour.
Cyber criminals don’t seem to be slowing down and many of these attacks are starting to target online brokerage businesses, which have seen huge growth during the pandemic.
Karan Singh, editor at Safe Forex Brokers South Africa, points out that it is a necessity for online brokerages to have cyber security policies that are updated regularly. Many hackers are constantly trying to break into brokerages in order to gain access to client information and other data, which they can use for phishing or sell online.
We will be discussing how these policies should be formulated, the people involved in their formulation and the need for these policies to meet international ISO standards.
Putting together a cyber security policy
The chief information officer in collaboration with legal, human resources and procurement department staff should collectively formulate an effective cyber security policy to be approved by the board of the organisation.
These policies should also be updated frequently. The policy should take the following points into consideration:
1. E-mail security
When an e-mail comes from outside the network, the IT team should first of all scrutinise any attachments and remove any executable files.
A caution notice such as: “This e-mail emanates from outside the network and is not trusted” should also accompany e-mails coming from outside a firm’s network. Staff of an organisation should not be allowed to send e-mails containing sensitive information outside the network.
2. Password storage
All client passwords stored on the cloud should be hashed.
Hashing is a process of converting an input into a non-reversible, fixed-length code called a “hash”. Hashing is different from encryption because encryption can be reversed once you have the encryption key, but hashing cannot be reversed.
It should be practically impossible for two different passwords to produce the same hash, so when you enter your password the system re-hashes it and compares the generated code to the one stored in its database.
Hashing is sufficient because nobody at the firm ever needs to see a client's actual password. If there is a data breach, all the attackers will see is the hash instead of the password.
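The store-and-verify flow described above, as an added example that is not code from the article or from any brokerage's systems. It assumes PBKDF2-HMAC-SHA256 with a random per-password salt and a fixed work factor; the salt and the deliberately slow hash are what stop a stolen database of hashes from being checked against lists of common passwords quickly.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, a random 16-byte
# salt per password and a fixed work factor (iteration count).
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    The salt is random per password, so two clients who choose the same
    password still end up with different stored records, and a hash stolen
    from one account says nothing about another.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the supplied password with the salt and work factor taken from
    the stored record, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        algorithm = scheme.split("_", 1)[1]
        candidate = hashlib.pbkdf2_hmac(
            algorithm, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        expected = bytes.fromhex(digest_hex)
    except (ValueError, IndexError):
        return False  # malformed record: never authenticate on garbage
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("Tr4der!2024")  # constructed sample password
    print(record)
    print("same password, new record differs:", hash_password("Tr4der!2024") != record)
    print("correct password verifies:", verify_password("Tr4der!2024", record))
    print("wrong password rejected:", verify_password("Tr4der!2025", record))
```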
3. Cloud security
Cloud storage refers to storing your data on the servers of a cloud provider such as AWS. In an organisation, not every member of staff should be granted access to certain client data stored on the cloud.
Certain parts of the cloud containing sensitive client information should be password protected and any staff wanting to view that information should apply for and be granted permission to access the data. Where a staff member is not authorised to view a resource, a pop-up message such as “your access rights and privileges do not permit you to view this data” could be displayed.
Also, data that is not sensitive or is general in nature, and needs to be accessed by everyone without authentication, can be public so as to reduce the number of people with access to the private cloud.
In addition, a firewall should be enabled on the network to prevent brute force attacks and other similar attacks.
4. Social media usage
Staff of an organisation should be discouraged from sharing sensitive information about the firm’s activities on social media.
For example, a staff member posting “off to work for the business continuity test” could let cyber criminals know that the firm is conducting such tests.
Staff should also be discouraged from taking pictures of themselves in sensitive office areas, like the server room, and posting them on social media. This could let cyber criminals see the kind of hardware equipment being used by the firm.
5. Brokerage client and staff password change
Neither brokerage clients nor staff should be allowed to use weak passwords.
During the password creation process, if the password does not contain a mix of letters and numbers, special characters and at least one capital letter, the system should reject it.
The system should also prompt brokerage clients and staff to change their passwords periodically. Should their passwords be compromised, a change would render the compromised password worthless.
6. USB port and CD-ROM drive use
Inside an organisation's office, USB ports and CD drives could be disabled for staff who don’t need them. This prevents people from charging their phones from the USB ports, as these phones could be infected with viruses.
Disabling CD drives also prevents installation of unwanted programs on an office system.
7. Server room access
Only authorised staff should be granted access to the room housing the on-premises servers. These rooms must always have CCTV cameras recording and should be fortified to prevent breaking and entering.
The server room should always be air-conditioned and have automatic fire extinguishers ready.
8. Unsuccessful login attempts
If the wrong username or password is used to log into a staff workstation a predetermined number of times, the staff member's system should be disabled automatically.
The IT team should be notified of this automatically, and the staff member should then be required to contact the IT department for system access to be restored. This way, staff members can tell if someone else has tried to gain access to their system while they were away.
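The lockout rule above, as an added example that is not code from the article. The design is hypothetical: it tracks consecutive failures per account rather than per workstation, uses an assumed threshold of five, queues the IT notification as a message, and reports the failure count back when IT restores access so the staff member learns that someone tried to get in.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MAX_FAILURES = 5  # assumed threshold; the policy only says "a predetermined number"


@dataclass
class LoginGuard:
    """Counts consecutive failed logins per account, disables the account at the
    threshold and queues a message for the IT team (hypothetical design)."""
    max_failures: int = MAX_FAILURES
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)
    it_alerts: List[str] = field(default_factory=list)

    def attempt(self, user: str, success: bool, when: str) -> str:
        if user in self.locked:
            return "locked"  # even a correct password is refused until IT restores access
        if success:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            self.it_alerts.append(f"{when} {user}: disabled after {self.failures[user]} failed logins")
            return "locked"
        return "denied"

    def restore_access(self, user: str) -> int:
        """Called by IT once the staff member gets in touch. Returns the failure
        count that triggered the lock so the person can be told someone tried."""
        self.locked.discard(user)
        return self.failures.pop(user, 0)


# Constructed sample events (time, user, login succeeded?), not real logs.
SAMPLE_EVENTS: List[Tuple[str, str, bool]] = [
    ("08:00", "bob", False), ("08:01", "bob", True),        # one typo, then success
    ("08:02", "alice", False), ("08:02", "alice", False),
    ("08:03", "alice", False), ("08:03", "alice", False),
    ("08:04", "alice", False),                               # fifth failure: disabled
    ("08:30", "alice", True),                                # correct password, still refused
    ("08:31", "bob", False), ("08:32", "bob", False),        # counter restarted after 08:01
]


def run_sample(events: List[Tuple[str, str, bool]] = SAMPLE_EVENTS) -> Tuple[LoginGuard, List[str]]:
    guard = LoginGuard()
    return guard, [guard.attempt(user, ok, when) for when, user, ok in events]
```

A burst of lockout alerts across many accounts is itself a signal the IT team should watch, since it can mean a password-guessing campaign against the firm rather than a few forgotten passwords.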
9. Two-factor authentication (2FA)
An additional layer of authentication should be added to the usual password requirement.
A combination of two factors, like something you know, such as your password or PIN, and something you have, such as your mobile device or a hardware token, is ideal.
10. Business continuity tests (BCT)
Business continuity tests should be carried out to find out how quickly the network can recover after a massive cyber attack. These tests should be carried out periodically, alongside testing the servers for vulnerabilities, so as to detect any holes in the network perimeter.
11. Visitor waiting area
Visitors to an organisation's office premises should wait in the visitors’ area. They should not be allowed to plug laptops and other devices into wall outlets, as hackers could use this method to install malware on the network.
Security personnel should routinely inspect the organisation's premises for any odd-looking devices and report such to the IT office immediately.
Also, staff should not use their keyless access cards to grant strangers access to official areas. Vendors should also be properly vetted before granting them access to work on official equipment.
12. Anti-malware update
Updating anti-virus software on all official systems should not be left to the staff using the systems but done remotely by the IT department. Typically, once staff have left for the day, anti-virus updates can run overnight.
Meeting ISO standards and following standard practices
Adopting and meeting ISO standards could help data-centric organisations like online brokers meet their information and data security requirements.
The International Organization for Standardization (ISO), in conjunction with the International Electrotechnical Commission (IEC), specifies standards to help prevent cyber attacks and internal threats such as accidental disclosure of data and human error. Information security management systems (ISMS) that comply with ISO standards help organisations comply with GDPR, on which the South African Protection of Personal Information Act (POPIA) is built.
ISO 27001 is the most popular of the ISO standards and its certifications have grown by over 450% in the past 10 years. Other members of the ISO family are tabulated below:
These standards in the table above help organisations keep their information protected by giving specifications, best practices and codes of conduct to make sure ISMSes are efficient.
Having ISO 27001 standard practices in the organisation has the following advantages:
- Protects all forms of information, whether digital, cloud-based or paper-based;
- Increases the network's attack resilience;
- Helps organisations respond to ever evolving threats;
- Reduces ISMS management cost;
- Protects quality of data; and
- Makes security an integral part of business culture instead of just an IT department affair.
To get ISO 27001 certified, an organisation must first meet the requirements stipulated by ISO, then seek certification by an external certification body. The certification body issues a certificate stating that the organisation’s ISMS is in line with ISO requirements.
Holding an ISO certification makes a brokerage more marketable, and other industry players will be more willing to do business with it. It also assures clients that their funds are safe.