PE Tech Report

Cybersecurity Best Practices: How to avoid becoming the next target

By Amanda Daly – Cyber threats are on the rise and growing more sophisticated. Staying on top of new and evolving attacks and breaches is a daunting task, which is why proactively implementing the right technical and administrative safeguards is essential.

In a recent webinar, speakers from Eze Castle Integration talked about strategies and best practices for cybersecurity preparedness. In case you missed it, here’s a recap of the key elements to help avoid being the next cyber target.

1: Understand the Cyber Threats

Understanding the types of cyber threats facing your organization lets you implement the right layers of defense and train employees against the attacks they are most likely to see. Here are some of the top threats facing alternative investment firms today:

  • Physical security attacks: Breaches or incidents that compromise a firm’s physical assets, for example unauthorized access to a data center or office.
  • Malware/ransomware: Malware, short for malicious software, is code intended to damage, disrupt or disable computer operations. Ransomware is the more aggressive relative of malware: it encrypts or otherwise holds data hostage and demands a ransom payment before users can get their files back.
  • Social engineering: Tricking users into divulging personal or company information, or into taking an action such as opening a malicious attachment. Phishing is the most common social engineering tactic we see today.
  • External hacking: An outside attacker attempts to infiltrate or disrupt a firm’s network or connectivity, either to steal information or simply to prevent the firm from conducting business.
  • Insider threats: Malicious or unintentional harm caused by a firm’s own employees, from deliberate data theft to a careless misconfiguration or a misdirected email.

2: Defence in Depth – Security Layers

One approach we educate our clients on is defense in depth: implementing multiple, overlapping layers of security across the organization so that the failure of any single control does not expose the firm.

At Eze Castle Integration, we apply standards and best practices from a number of frameworks and programs, but a key one to follow is the NIST Cybersecurity Framework from the National Institute of Standards and Technology. Its core organizes security activities into five functions:

  1. Identify 
  2. Protect
  3. Detect
  4. Respond
  5. Recover

By implementing strategies and safeguards across all five functions, rather than concentrating only on protective controls, firms come away with a comprehensive cybersecurity strategy.

3: Incident Response Planning 

If a cyber incident does occur, the firm needs a rapid, rehearsed response to contain the fallout. At a minimum, the plan should:

  1. Establish an Incident Response Team
  2. Identify the type and extent of incident
  3. Escalate incidents as necessary
  4. Notify affected parties and outside organizations
  5. Gather evidence
  6. Mitigate risk and exposure

4: Vendor Risk Management

Whether it is your outsourced IT provider, your accountant or your legal team, establish vendor risk management guidelines that cover a few key areas of each vendor’s business, including:

  • Their policies for information security, acceptable use, disaster recovery and business continuity
  • Whether they have a SOC 2 audit report, and how often they perform vulnerability assessments or penetration tests
  • How else they proactively monitor their networks
  • How well they train their employees on their own policies and procedures

5: The Human Factor – Make Your Employees a Cybersecurity Asset

Employees are often described as a firm’s biggest threat; with the right training they become one of its best defenses. It is imperative that firms make security training a priority so that users understand the risks at hand.

At a minimum, information security training should be required annually, and firms should run simulated phishing tests via email. Administrators can send simulated phishing emails to test users’ awareness and ultimately determine if the firm’s training and education are working or if employees are putting firm assets at risk.
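As an added example (not code from the webinar or from Eze Castle Integration), the Python below shows the mechanics behind a simulated phishing test: each recipient gets a unique landing link carrying an HMAC token, so a click or a report can be attributed to a user but cannot be forged or guessed, and the campaign results are rolled up into click and report rates, a list of repeat clickers for targeted retraining, and a first-versus-latest trend that answers the question the paragraph raises, whether training is working. The campaign secret, the landing URL, the user names and every event are constructed for the demo.

```python
"""Phishing-simulation tracking and metrics (added example; constructed data)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Assumption: in a real deployment the campaign secret comes from a secret store;
# this value is constructed for the demo only.
CAMPAIGN_SECRET = b"constructed-demo-secret-do-not-reuse"


def tracking_token(campaign_id: str, user: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Per-recipient token: HMAC-SHA256 over campaign and user, so nobody can
    attribute a click to a user without knowing the secret."""
    msg = f"{campaign_id}:{user}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def landing_url(base: str, campaign_id: str, user: str) -> str:
    """Unique link embedded in each simulated phishing email (base URL is a placeholder)."""
    return base + "?" + urlencode({"c": campaign_id, "u": user, "t": tracking_token(campaign_id, user)})


def token_is_valid(campaign_id: str, user: str, token: str, secret: bytes = CAMPAIGN_SECRET) -> bool:
    """Constant-time check that an incoming event really belongs to this campaign and user."""
    return hmac.compare_digest(tracking_token(campaign_id, user, secret), token)


@dataclass
class Campaign:
    campaign_id: str
    recipients: frozenset
    clicked: set = field(default_factory=set)
    reported: set = field(default_factory=set)

    def record(self, user: str, token: str, event: str) -> bool:
        """Accept a 'click' or 'report' event only for a known recipient with a valid token."""
        if user not in self.recipients or not token_is_valid(self.campaign_id, user, token):
            return False
        if event == "click":
            self.clicked.add(user)
        elif event == "report":
            self.reported.add(user)
        else:
            return False
        return True

    def metrics(self) -> dict:
        n = len(self.recipients)
        return {
            "sent": n,
            "click_rate": len(self.clicked) / n,
            "report_rate": len(self.reported) / n,
            "clicked_and_reported": len(self.clicked & self.reported),
        }


def repeat_clickers(campaigns) -> set:
    """Users who clicked in two or more campaigns: candidates for targeted retraining."""
    counts = {}
    for c in campaigns:
        for u in c.clicked:
            counts[u] = counts.get(u, 0) + 1
    return {u for u, k in counts.items() if k >= 2}


def training_trend(campaigns) -> dict:
    """Compare the first and the latest campaign (chronological order) to judge
    whether training is working: click rate should fall, report rate should rise."""
    first, last = campaigns[0].metrics(), campaigns[-1].metrics()
    return {
        "click_rate_delta": last["click_rate"] - first["click_rate"],
        "report_rate_delta": last["report_rate"] - first["report_rate"],
        "improving": last["click_rate"] < first["click_rate"] and last["report_rate"] > first["report_rate"],
    }


def constructed_campaigns():
    """Two quarterly campaigns with constructed events (not real data)."""
    users = frozenset({"alice", "bob", "carol", "dave", "erin"})
    q1 = Campaign("2024-Q1", users)
    q2 = Campaign("2024-Q2", users)
    for c, user, event in [(q1, "alice", "click"), (q1, "bob", "click"), (q1, "carol", "report"),
                           (q2, "bob", "click"), (q2, "alice", "report"), (q2, "carol", "report"),
                           (q2, "dave", "report")]:
        c.record(user, tracking_token(c.campaign_id, user), event)
    # A forged event (wrong token) must be rejected and must not count.
    assert not q2.record("erin", "0" * 64, "click")
    return [q1, q2]


if __name__ == "__main__":
    campaigns = constructed_campaigns()
    print(landing_url("https://training.example.invalid/lp", "2024-Q1", "alice"))
    for c in campaigns:
        print(c.campaign_id, c.metrics())
    print("repeat clickers:", repeat_clickers(campaigns))
    print("trend:", training_trend(campaigns))
```

The HMAC token is the part worth keeping even if everything else is replaced by a commercial platform: it lets the landing page attribute clicks without exposing a guessable user identifier, and it stops a curious employee from fabricating "reports" on a colleague's behalf. Report rate matters as much as click rate, because a rising report rate is the clearest sign that training has changed behaviour.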
