
Simplifying Vs. Augmenting Your Security Strategy

By Freya Buss | Tuesday, June 29th, 2021

It's a tale as old as time. You want security for your firm. Who wouldn't? You start to look into what options are out there to help you achieve that goal. Maybe you make a wishlist. By the time that wishlist is long enough to wear as a scarf, you've realized something crucial about the world of cybersecurity: it's huge, and you're never going to be able to use every tool that exists to help you keep your data locked down. You couldn't afford to, of course, and then who's got the time to manage hundreds of different tools and systems and workflows and dashboards, anyway?

Now, not to be a downer, but all those security technologies exist for a good reason. Threat actors really are around every corner, and their methods are getting more sophisticated every day. It takes a pretty heavy arsenal of security measures to combat the ever-growing threats targeting your firm from both the inside and the outside. But it simply isn't realistic for your firm to employ every cybersecurity tech/tool and develop and maintain a host of ironclad security policies—at least not from day one.

You need to be able to assess which protections should be on your list. We've divided them into three tiers to help you decide how much of your time, budget, and resources should be spent protecting your firm's assets. The lowest tier represents must-have protections for any size investment firm, the middle tier consists of industry standard policies & infrastructure protections, and the top tier is reserved for forward-thinking IT solutions for institutional-grade security. 

Tier 0 (Basic)

We call this level Tier 0 in part because, well, there's zero chance your firm will have long-term success in thwarting cyber risks if you don't employ these basic security measures.

Tier 0 Perimeter and Network Security Requirements

  • Firewalls
  • Anti-virus software
  • Software patching and patch management

Tier 0 Access Control Measures

  • Secure remote access

Tier 0 Policies & Procedures

  • Separation of administrative access/principle of least privilege
  • Acceptable use policy

Tier 0 Employee/User Behavior Requirements

  • Strong, non-default password enforcement

Tier 1 (Standard)

The good news is that many investment management firms today fall into the Tier 1 category, meaning they are doing more to address cybersecurity risks than just the basics. You'll notice this tier features a strong contingent of policies that help firms prepare for and respond to cybersecurity and business-impact threats.

Additionally, Tier 1 does more to address network security and highlights the need for ongoing employee information security awareness.

Tier 1 Perimeter and Network Security Requirements

  • Tier 0 items +
  • Enhanced email security
  • Network access control

Tier 1 Access Control Measures

  • Tier 0 items +
  • Mobile device security/management

Tier 1 Policies & Procedures

  • Tier 0 items +
  • WISP (written information security program)
  • BCP (business continuity plan)
  • Incident response policy

Tier 1 Employee/User Behavior Requirements

  • Tier 0 items +
  • Regular/annual cybersecurity training

Tier 2 (Advanced)

You'll often find mid-to-large asset managers fall into this category, but many of these "advanced" protections are fast becoming the norm for smaller firms hoping to demonstrate to institutional investors their commitment to cybersecurity. For EU firms, GDPR's security-of-processing requirements push in the same direction: Article 32 calls for technical measures appropriate to the risk, and names encryption among them. Through IT outsourcing, these firms are able to leverage managed service providers to add strategic value to their businesses without having to manage these advanced technologies on their own.

Tier 2 Perimeter and Network Security Requirements

  • Tier 0 items + Tier 1 items +
  • Next-generation firewalls

Tier 2 Access Control Measures

  • Tier 0 items + Tier 1 items +
  • Multi-factor authentication

Tier 2 Advanced Technologies

  • Intrusion detection/prevention
  • Storage encryption
  • Data loss prevention

Tier 2 Employee/User Behavior Requirements

  • Tier 0 items + Tier 1 items +
  • Phishing simulation exercises

A robust security plan consists of layers of the above (and more) protections, each propping up the next to the ultimate benefit of your business. An effective security plan, while layered, is simple enough to still be manageable: if you have so many alerts, log files, and other feedback that nobody can keep track of them, they aren't serving you at all.

One way to simplify your security strategy is to work with a trusted partner whose expertise and constant focus is in staying on top of cyber threats. The more you can consolidate the work of staying secure under one umbrella, the less chance there is for something to slip through the cracks, and the more value for your firm. Consider asking your managed IT infrastructure provider if they have cybersecurity solutions on offer. An MSSP (managed security service provider) may be a perfect fit to help you put lots of layered protections in place without overloading your in-house team.

For a great example of a layered, managed security solution that's both simple and strong, check out ECI's Cybersecurity Bundle. You can also contact us to learn more. 
