I’m frequently in discussions about financial sector cyber security. My latest discussion was about how traditional cyber frameworks are not very applicable to smaller firms. Here are some things those firms can do to help with cyber security risk:
Be Cyber Aware
This sounds simple enough but this is one of the most important facets of cyber security. For new firms or firms going through a change this is usually covered in any IT discussion(s). For firms that have been operating for over a year, cyber security is probably not the first thing you think about in the morning. You probably think your IT staff or vendor has it under control and in most cases this is true. However, as a manager of the firm you should be taking an active approach and assessing your cyber posturing at least once a year. Employees might have left the firm, new people get hired, you switched a vendor or a new regulation regarding cyber policies has been introduced. All of these are normal occurrences and are no cause for concern, however these all have the potential to open your firm to cyber risk or data loss.
You don’t have to understand the technical details, but by asking questions directed to your IT staff/vendor, you will create the awareness that tends to be lacking at smaller firms. These questions could lead to updated policies, double-checking that old accounts are deactivated or permissions are properly distributed to critical file shares.
As a manager, understand that cyber risks can be directly computed to monetary and reputational liability. Once you have that understanding, it will be easier for you to start incorporating cyber awareness into your mindset.
A huge factor in cyber security breaches is the human component. Sure, some of these incidents are from disgruntled employees, but most inside jobs are from social engineering. These incidents are primarily from people opening emails or clicking on links that are opening the digital door to hackers. Let’s not forget about removable storage and cloud file sharing platforms. How many of us have seen a random USB drive lying around and want to see what’s on it? It doesn’t matter if you want to see the contents to help the person who lost it, or see if there is something “good” on there. Plugging a USB drive into your computer is the equivalent of giving someone a copy of your house keys, which is not good if that person wants all your stuff.
People are not doing these things to intentionally open your firm to attacks, in most cases they simply do not know any better. This is why I made this such an important point in the discussion. You get a huge ROI when it comes to training your employees about the risks that are out there and what can be done about them. Even if your employee is now second guessing a certain email, or understands the threats that can happen by plugging in a random USB drive, you are potentially saving your companies money and reputation.
Vendor and Partnership Documentation
Another thing managers can look at is their current and upcoming agreements with vendors and/or partners. In the financial sector we have all kinds of partnerships that potentially open your firm’s information and infrastructure to another company. As managers you do your best to pick trustworthy partners, trusting that they are instituting the best practices and safety procedures for accessing your company data.
I recommend you revisit your agreements with these partners and see if they cover cyber security or the procedures for accessing and using your data. If there is no such contact, I would suggest that your firms work together to get something in place. Not only will this give both companies peace of mind, it will also cover you in any regulatory and compliance matters regarding due diligence for vendor selection. Since the SEC cyber initiatives are only 18 months old, we are finding these types of documents to be lacking.
Compliance and regulations aside, having something in writing is a good indication they take their cyber security seriously. Do not be afraid to ask questions or bring in a 3rd party to asses the documents they give you.
Cyber security is a process, not a product. By being aware, training your staff, and making cyber part of your partnership due diligence, you will be on the road to a more cyber secure business.
inCyber Security is a cybersecurity and cyber compliance consulting firm that specializes in helping the financial industry adhere to industry cyber regulations and protect themselves from cyber threats and reputation damage. inCyber acts as an Outsourced CISO to most of their clients, but also offer project based services. Using their proprietary security maturity model and unbiased approach, inCyber helps their clients understand and manage relevant cyber risks.
To learn more, contact us at 844-446-2923 or firstname.lastname@example.org