Top Security Gaps and How to Avoid Them (Part 2)
This article appeared in its entirety in HFMWeek Magazine in August 2017. Part 2 is featured below. Read Part 1 here.
Our two-part feature covers 10 common security gaps and actionable advice on how to avoid them. In Part 1 we covered vulnerability assessments, patch management, social engineering, risk management and IT asset management. Part 2 covers business continuity planning, multi-factor authentication, third-party vendor management, access provisioning and incident response.
Business Continuity Planning
Business continuity planning (BCP) seems like a no-brainer in this day and age, but many firms still miss the mark when it comes to their security posture and preparedness. BCP gaps commonly identified during risk assessments include:
No business continuity or recovery plan in place
BCP hasn’t been updated within a year
Plan does not take a risk-based approach or deal with specific risk scenarios unique to the firm
A plan exists on paper, but employees have not been educated or trained on it
The above examples highlight critical gaps in business operations that could lead to significant repercussions in the event of a security incident. Beyond dealing with the technical aftermath of a breach, asset management firms must have documented continuity plans for recovering their business operations, including communication to internal and external parties, employee roles and responsibilities and prioritisation of business functions. A plan that is written but never exercised against the scenarios it describes will not hold up on the day it is needed.
Multi-Factor Authentication
Attackers have become savvier over time, and a strong password alone is no longer enough: passwords are phished, reused across sites and leaked in third-party breaches. Two-factor or multi-factor authentication adds a second, independent proof of identity (something the user has, such as an authenticator app or hardware token, on top of something the user knows), so a stolen password on its own no longer gives an attacker access.
Multi-factor authentication (MFA) should be enabled on every device and application that supports it. That includes cloud platforms, remote access gateways (such as Citrix), social media accounts and web-based applications. Prioritise anything reachable from the internet and every administrative account, since those are where a compromised password does the most damage.
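To make the second factor concrete, here is an added example (written for this page; it is not code from the HFMWeek article or from any product it mentions) of a server-side login check that requires a password plus a time-based one-time code (TOTP, RFC 6238, the scheme behind most authenticator apps). The user record, password, salt and seed are constructed demo data; the seed is deliberately the RFC 6238 test secret so the generated codes can be checked against the RFC's published vectors. A phished password fails on its own, and a code captured once cannot be replayed because the verifier remembers the last time step it accepted.

```python
import hashlib
import hmac
import struct

# Constructed demo data (not from the article).  The TOTP seed is the RFC 6238
# test secret, so the codes can be checked against the RFC's own vectors; the
# fixed password salt exists only to keep the example self-contained.
TOTP_SEED = b"12345678901234567890"
PASSWORD_SALT = b"demo-salt-not-for-production"
PBKDF2_ROUNDS = 100_000

USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, PBKDF2_ROUNDS),
        "totp_seed": TOTP_SEED,
        "last_counter": -1,  # highest time step already accepted (replay guard)
    }
}


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the 30-second time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(user: dict, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step or one step either side to tolerate clock drift, but
    never a step at or below the last one accepted, so a code captured by a phishing
    page cannot simply be replayed a few seconds later."""
    base = unix_time // step
    for delta in range(-window, window + 1):
        candidate = base + delta
        if candidate <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_seed"], candidate).encode(), code.encode()):
            user["last_counter"] = candidate
            return True
    return False


def authenticate(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass.  The password is checked first so that a wrong
    password can never consume a valid time step belonging to the real user."""
    user = USERS.get(username)
    if user is None:
        return False
    presented = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, PBKDF2_ROUNDS)
    if not hmac.compare_digest(presented, user["pw_hash"]):
        return False
    return verify_totp(user, code, unix_time)


if __name__ == "__main__":
    now = 59  # fixed clock so the run is reproducible; real code uses int(time.time())
    print("stolen password only:   ", authenticate("alice", "correct horse", "000000", now))
    print("password + current code:", authenticate("alice", "correct horse", totp(TOTP_SEED, now), now))
    print("same code replayed:     ", authenticate("alice", "correct horse", totp(TOTP_SEED, now), now + 2))
```

The replay guard is the part most home-grown verifiers forget: without `last_counter`, any code seen by a phishing proxy stays valid for the rest of its 30-second window (plus the drift window), which is long enough for an automated relay to use it. Note also that the check uses constant-time comparison for both factors and never reveals which factor failed.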
Third Party Vendor Management
Managing vendor risk is a full-time job, and unfortunately, many investment management firms still fall short in this regard. A few critical questions to ask:
Have your managed service providers shared copies of their DR/BCP reports, vulnerability assessment reports, SOC audits and data centre facility certifications?
Do your third-party providers keep an inventory of their systems, data and applications?
How do your vendors manage their own vendors (contractors, data centre providers, external security providers and so on)?
These and many other questions should be asked during a thorough annual due diligence process with all third-party service providers. In addition to understanding your firm's own risk, it is equally important to understand the risks and exposures you inherit from your outsourcing partners.
Provisioning and Management
Access control is paramount to warding off both malicious and unintentional security threats. Whether your investment firm has 20 users or 200, it needs detailed, stringent access control policies so that data and sensitive information are restricted to only those who need them.
To manage system access well, IT administrators should understand and apply the principle of least privilege: every user, account or process is granted only the access required to do its job, and nothing more. Using role-based access tiers or per-account entitlements lets firms better safeguard confidential information about company financials, investors and portfolio company assets. Least privilege erodes unless it is enforced over time, so entitlements should be reviewed periodically and removed promptly when someone changes role or leaves the firm.
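The review step is where least privilege is usually lost, so here is an added example (written for this page, not code from the article) of the check a practitioner would run against an entitlement export: compare what each account actually holds with the baseline its role is supposed to carry, and flag anything beyond it. The role baseline, account names and entitlement labels are constructed demo data; the same logic applies to real group memberships exported from a directory or application console.

```python
# Constructed example data (not from the article): a role-to-entitlement baseline
# agreed with the business, and a snapshot of what each account currently holds,
# as it would be exported from a directory or an application's admin console.
ROLE_BASELINE = {
    "analyst": {"research-share:read", "portfolio-db:read"},
    "trader": {"portfolio-db:read", "oms:trade"},
    "finance": {"finance-share:read", "finance-share:write", "investor-db:read"},
    "it-admin": {"ad:admin", "vpn:admin", "research-share:read"},
}

ACCOUNTS = [
    {"user": "jsmith", "role": "analyst",
     "entitlements": {"research-share:read", "portfolio-db:read"}},
    {"user": "kwong", "role": "trader",  # kept a finance right from a previous role
     "entitlements": {"portfolio-db:read", "oms:trade", "finance-share:write"}},
    {"user": "svc-backup", "role": "it-admin",  # service account that also reads investor data
     "entitlements": {"ad:admin", "vpn:admin", "research-share:read", "investor-db:read"}},
    {"user": "mpatel", "role": "finance",
     "entitlements": {"finance-share:read"}},
    {"user": "intern01", "role": "guest",  # role nobody has documented
     "entitlements": {"research-share:read"}},
]


def review_account(account: dict, baseline: dict = ROLE_BASELINE) -> dict:
    """Compare one account's live entitlements with its role's baseline.
    Anything beyond the baseline is a least-privilege violation.  Anything the
    role needs but the account lacks is reported too: it usually means the
    baseline is stale and should be corrected rather than silently tolerated."""
    held = set(account["entitlements"])
    allowed = baseline.get(account["role"])
    if allowed is None:
        # No documented role means no documented justification for any access.
        return {"user": account["user"], "status": "unknown-role",
                "excess": sorted(held), "missing": []}
    excess = sorted(held - allowed)
    missing = sorted(allowed - held)
    status = "over-privileged" if excess else "ok"
    return {"user": account["user"], "status": status, "excess": excess, "missing": missing}


def review_all(accounts=ACCOUNTS, baseline=ROLE_BASELINE) -> list:
    return [review_account(a, baseline) for a in accounts]


def findings(accounts=ACCOUNTS, baseline=ROLE_BASELINE) -> dict:
    """Only the accounts that need action, keyed by user name."""
    return {r["user"]: r for r in review_all(accounts, baseline) if r["status"] != "ok"}


def is_allowed(account: dict, entitlement: str, baseline: dict = ROLE_BASELINE) -> bool:
    """Deny-by-default authorisation for an application that wants defence in depth:
    grant only if the role baseline permits the entitlement AND the account holds it,
    so a stray entitlement outside the role still fails even before the review runs."""
    permitted = baseline.get(account["role"], set())
    return entitlement in permitted and entitlement in account["entitlements"]


if __name__ == "__main__":
    for user, result in findings().items():
        print(f"{user:12} {result['status']:16} remove: {result['excess']}")
```

Run this against a fresh export each review cycle (quarterly is a common cadence) and on every role change or departure. Accounts with an unknown role are treated as wholly excess on purpose: undocumented access cannot be justified, and service accounts like the constructed `svc-backup` are where that most often hides.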
Incident Response
Cyber incidents today come in many forms, but whether it is a system compromise at the hands of an attacker or a credential compromise resulting from a phishing email, firms must have documented incident response policies in place to handle the aftermath. Many firms still do not.
It is inevitable that your firm will face a security incident (not if, but when), so documenting the process for assessing business impact, containing the incident and resolving it will enable your firm to react swiftly and, hopefully, with little or no impact on operations.
Ultimately, the goal of the incident response plan is to ensure the business can continue operating with confidence and to minimise the firm's external risk and exposure at the regulatory, financial and reputational levels.