Seven questions to help you evaluate your firm's IT vulnerabilities
1. Does my firm know what assets, both hardware and software, are in inventory?
The first step to considering your vulnerabilities is to create a complete inventory of technology assets. How can you know what your vulnerabilities are if you don't know what systems and data you need to protect? Keeping a list of workstations, servers, applications and smartphone devices in one central location is crucial. As your firm grows in assets, products and headcount, are you continuing to re-evaluate your IT inventory? You'll want to have a running list of technology assets as the firm evolves and grows.
2. Are we patching effectively and appropriately?
Your firm should be patching quickly and appropriately, as poor patch management can leave your firm exposed to potential threats. Zero-day threats take advantage of software vulnerabilities before patches and updates are available to the public. The best way to protect yourself against these threats is installing updates as soon as they become available. Having a patch management process in place allows firms to roll out these updates when necessary.
If your firm is registered with the SEC, you are required to have these plans in place. Even if you aren't registered with the SEC, it's best practice to have formal plans to protect your sensitive data and information and ensure that your firm is able to function in any situation. If your firm has already formed these plans, are they actionable and specific to the firm? If there are parts of your plan that aren't feasible for your organisation or properly communicated to employees, then your plan isn't considered thorough or actionable.
4. Do we employ multi-factor authentication (MFA)?
Multi-factor authentication adds an additional layer of complexity to logins to make it more challenging for hackers to infiltrate your systems. This could be in the form of security questions, codes sent over SMS, or fingerprint verification. In order for MFA to be effective, firms must discontinue using shared logins across their systems and applications.
5. Are employees considered an asset to security or a liability to the firm?
With thorough security training and strong communication of policies and procedures for employees, your team should be considered an asset instead of a threat to security. If your employees are considered a threat, ask yourself these follow-up questions:
- Does our firm practice the Principle of Least Privilege (PoLP)?
- Have employees been trained properly on topics ranging from Incident Response to Business Continuity and Information Security?
- Are our employees trained and on the watch for phishing and other social engineering attempts?
- Are updates to policies and procedures communicated quickly and effectively to employees on a periodic or as-needed basis?
6. Do third parties and vendors have proper cybersecurity policies in place?
It is key to evaluate vendors and third parties as well as your own firm when evaluating risk and exploring your business's vulnerabilities. Managing vendors can be tricky, but this is a crucial area that can't be overlooked. Performing a thorough annual due diligence process with all third parties and service providers keeps your information up to date and ensures that your partners are considering security in their day-to-day business.
7. Are we going to remediate the findings in a timely manner?
Resolving vulnerabilities in a timely fashion is critical to maintaining a healthy business. After identifying risks in the process, firms must remediate the findings that are critical to the functions of their business. In other situations, it may make sense to accept risk, but having a well-documented plan and inventory of IT gaps will be helpful in future assessments.
One critical piece mentioned several times above is communication. Communicating all plans, policies, and procedures to employees, shareholders and partners will ensure that everyone is informed and knows what role they play in the health of your IT systems.
For more information on cybersecurity gaps for investment firms, read our whitepaper "10 Common Cybersecurity Gaps and How to Avoid Them".