Investment Firms: Steer Clear of These Common Security Shortfalls (Part 1)
This article appeared in its entirety in HFMWeek Magazine in August 2017. Part 1 is featured below. Part 2 will appear on Eze Castle Integration’s blog in the coming weeks – stay tuned!
The security risks we face are ever changing, and keeping pace is a full-time job. Attacks can spread quickly (think: WannaCry) and disrupt systems, networks and operations to the point of disaster. And social engineering scams – e.g. sophisticated, well-timed phishing emails – are targeting users more frequently, meaning your guard needs to be up on both the technology and the human side.
Unfortunately, many firms fall short when it comes to their cyber-security protections – and they often don’t realise it until it’s too late. These 10 common IT security gaps highlight areas where investment firms can take steps now to avoid risk in the future. These gaps are preventable, and when the next phishing email hits your inbox or ransomware attack strikes, you can rest easier knowing you’ve plugged these common security holes.
Risk management and governance
Who owns the risk at your business? Cyber strategy and programmes start at the top, so your leadership team/executive board should be involved in discussions around cyber-security preparedness. You should also appoint a Chief Information Security Officer (CISO) to oversee the firm’s security posture. Oftentimes, this individual holds a dual-role within the firm, also operating as the Chief Compliance Officer or Chief Technology Officer.
Risk management does not end with the CISO, however. There should be broad support and input across the firm with regard to cyber-security practices and governance policies.
Depending on the size of your firm, this group may be large or small, but should include individuals responsible for operating the controls in place to secure the business. In addition to contributing to and managing the proactive security functions of the firm, this group (or a portion of it) may also take the form of a Computer Security Incident Response Team (CSIRT).
IT asset management
This critical security gap occurs when investment firms fail to maintain a complete inventory of their technology assets. This includes keeping a running list of workstations, servers, applications, and mobile devices such as phones, tablets and laptops. Don’t forget other devices that store information (printers/copiers and so on) as well as the growing collection of Internet of Things (IoT) systems, including conference call equipment and wireless speaker systems.
Also, as your firm grows in assets, products and headcount, are you remembering to re-evaluate your IT inventory? At the bare minimum, firms should conduct an annual review cycle of all IT assets to understand if there have been additions, deletions or changes in how that technology is managing data and what controls are in place to protect it.
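One way to make the annual review concrete is to keep each inventory snapshot as data and reconcile the new snapshot against the old one, so that additions, deletions and changes in how an asset is protected fall out automatically. The script below is an added example, not part of the original article or Eze Castle Integration’s tooling; the asset records, data classifications and the rule that sensitive data needs an endpoint-protection or disk-encryption control are constructed assumptions for illustration.

```python
"""Reconcile two IT asset inventory snapshots (added illustration).

Given last year's and this year's inventory, report what was added, what
was removed, and which fields changed on assets present in both, then flag
sensitive-data assets that lack a required control. All records below are
constructed sample data, not a real firm's inventory.
"""

# Constructed sample snapshots, keyed by asset tag.
PREVIOUS = {
    "WS-001":  {"type": "workstation",    "owner": "trading",  "data": "client-pii", "controls": ["edr", "disk-encryption"]},
    "SRV-010": {"type": "server",         "owner": "it",       "data": "order-flow", "controls": ["edr", "backup"]},
    "PRN-002": {"type": "printer",        "owner": "ops",      "data": "documents",  "controls": []},
    "CONF-01": {"type": "iot-conference", "owner": "ops",      "data": "none",       "controls": ["segmented-vlan"]},
}
CURRENT = {
    "WS-001":  {"type": "workstation",    "owner": "trading",  "data": "client-pii", "controls": ["edr"]},
    "SRV-010": {"type": "server",         "owner": "it",       "data": "order-flow", "controls": ["edr", "backup"]},
    "LAP-020": {"type": "laptop",         "owner": "research", "data": "client-pii", "controls": []},
    "CONF-01": {"type": "iot-conference", "owner": "ops",      "data": "none",       "controls": ["segmented-vlan"]},
}

# Assumed policy (hypothetical): assets holding these data classes must carry
# at least one of the required controls.
SENSITIVE_DATA = {"client-pii", "order-flow"}
REQUIRED_CONTROLS = {"edr", "disk-encryption"}


def reconcile(previous, current):
    """Return (added tags, removed tags, {tag: {field: (old, new)}})."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = {}
    for tag in set(previous) & set(current):
        diff = {
            field: (previous[tag][field], current[tag].get(field))
            for field in previous[tag]
            if previous[tag][field] != current[tag].get(field)
        }
        if diff:
            changed[tag] = diff
    return added, removed, changed


def control_gaps(inventory):
    """Tags of assets that hold sensitive data but have none of the required controls."""
    return sorted(
        tag for tag, rec in inventory.items()
        if rec["data"] in SENSITIVE_DATA and not (REQUIRED_CONTROLS & set(rec["controls"]))
    )


if __name__ == "__main__":
    added, removed, changed = reconcile(PREVIOUS, CURRENT)
    print("added:  ", added)
    print("removed:", removed)
    for tag, diff in changed.items():
        for field, (old, new) in diff.items():
            print(f"changed: {tag}.{field}: {old} -> {new}")
    print("control gaps:", control_gaps(CURRENT))
```

Run against the sample data, the review surfaces a new laptop holding client data with no controls at all, a workstation that lost disk encryption since last year, and a retired printer that should be wiped before disposal. The point is that the review checks what changed in protection, not just whether the asset count moved.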
Vulnerability assessments (and penetration tests)
In order to construct the right defences, investment management firms must have a clear understanding of their IT security vulnerabilities. Through regular vulnerability assessments (VAs) and penetration tests (pen tests), firms can identify current and potential risks both inside and outside the network – a critical first step towards remediating them.
The key to VAs and pen tests is taking a risk-based approach, which investment firms oftentimes fail to do. Having identified key risks during the risk assessment process, firms should use those risks to tailor their approach to vulnerability assessments and ensure they scan for the threats that matter most to the business.
Patch management
Patch management is becoming a top-tier question on investor due diligence questionnaires (DDQs) as they look for reassurance that investment firms are staying current with software and system upgrades.
The key to successful patch management is applying patches appropriately – and as quickly as possible. Some systems have regimented processes that roll out updates automatically, but others are not as disciplined and require diligence on the part of systems administrators/IT teams to stay current.
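The risk-based approach to vulnerability findings described above and the patch-timeliness point in this section come together in one triage step: weight each scan finding by the criticality of the asset it sits on, band the result, and check it against a patch deadline for that band. The script below is an added example, not part of the original article; the findings, asset criticality ratings, scoring weights and SLA windows are constructed assumptions, and the finding identifiers are placeholders rather than real CVE numbers.

```python
"""Risk-based triage of vulnerability scan findings (added illustration).

Score = CVSS base score x asset criticality (x 1.5 if exploited in the wild),
band the score, and flag findings whose patch SLA has lapsed. Every input
below is constructed sample data; the weights and SLA windows are an
assumed policy, not a standard.
"""
from datetime import date, timedelta

# Constructed findings. "id" values are placeholders, not real CVE identifiers.
FINDINGS = [
    {"id": "FINDING-0001", "asset": "SRV-010", "cvss": 9.8, "exploited": True,  "fix_published": date(2017, 6, 1)},
    {"id": "FINDING-0002", "asset": "WS-001",  "cvss": 7.5, "exploited": False, "fix_published": date(2017, 7, 20)},
    {"id": "FINDING-0003", "asset": "CONF-01", "cvss": 9.0, "exploited": False, "fix_published": date(2017, 3, 1)},
    {"id": "FINDING-0004", "asset": "WS-001",  "cvss": 4.3, "exploited": False, "fix_published": date(2017, 7, 1)},
]

# Assumed asset criticality from the risk assessment: 3 = handles order flow or
# client data, 2 = user endpoint, 1 = low-value device on its own network segment.
ASSET_CRITICALITY = {"SRV-010": 3, "WS-001": 2, "CONF-01": 1}

# Assumed patch SLA in days from fix publication, by priority band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def score(finding):
    """Risk score: severity weighted by what the asset means to the business."""
    value = finding["cvss"] * ASSET_CRITICALITY.get(finding["asset"], 1)
    if finding["exploited"]:
        value *= 1.5  # known exploitation in the wild moves it up the queue
    return round(value, 1)


def band(risk_score):
    if risk_score >= 25:
        return "critical"
    if risk_score >= 12:
        return "high"
    return "medium"


def prioritise(findings, today):
    """Return findings ordered by risk score, each with band, deadline and overdue flag."""
    rows = []
    for f in findings:
        s = score(f)
        b = band(s)
        deadline = f["fix_published"] + timedelta(days=SLA_DAYS[b])
        rows.append({
            "id": f["id"], "asset": f["asset"], "score": s, "band": b,
            "deadline": deadline, "overdue": today > deadline,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def overdue_ids(findings, today):
    """Finding ids whose patch SLA has already lapsed, highest risk first."""
    return [r["id"] for r in prioritise(findings, today) if r["overdue"]]


if __name__ == "__main__":
    for r in prioritise(FINDINGS, date(2017, 8, 1)):
        flag = "OVERDUE" if r["overdue"] else "ok"
        print(f"{r['id']} {r['asset']:8} score={r['score']:5} {r['band']:8} due {r['deadline']} {flag}")
```

Note what the weighting does to the ranking: a CVSS 9.0 finding on an isolated conference unit ends up below a CVSS 7.5 finding on a trading workstation, because the scan severity alone does not say what the firm stands to lose. The SLA check turns "as quickly as possible" into a dated commitment that a DDQ response can point to.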
Social engineering & user training
According to the 2017 Verizon Data Breach Investigations Report:
Social attacks were utilised in 43% of all breaches
Almost all phishing attacks that led to a breach were followed with some form of malware
66% of malware was installed via malicious email attachments
73% of breaches were financially motivated
These statistics demonstrate the enormous impact of social engineering tactics used by attackers today, and we see no signs of a slowdown. The ultimate goal of social engineering is to trick users into divulging information (credentials, personal financial information, company financial information), and the results have been staggering.
The key to thwarting social engineering scams is not an expensive piece of technology, but a commitment to user education and training. Awareness of these common tricks will alert users to their typical manoeuvres and keep them on their toes as fresh emails hit their inboxes.