When it comes to cybersecurity, the list of potential gaps is expansive, ranging from technology to people. To help identify where your firm may be lacking, here is a list of the top 10 most commonly identified gaps found during an IT audit or risk assessment.
Top 10 IT Security Gaps
- Risk Management and Governance
- IT Asset Management
- Vulnerability Assessments
- Patch Management
- Social Engineering & User Training
- Business Continuity Planning
- Multi-Factor Authentication
- Third Party Vendor Management
- User Provisioning and Management
- Incident Response Planning/Procedures
Risk Management and Governance – Responsibility and accountability for risk management starts in-house – and at the top. Even for firms that rely on third party outsourced providers, it’s imperative (and often overlooked) to establish governance controls and outline who internally maintains ownership of the firm’s security posture – and more broadly, who owns the firm’s risks.
IT Asset Management – Frequently identified as a shortcoming for firms during the IT audit process, IT asset management and data inventory have become critical components of security. Ideally, a firm should maintain an inventory and data classification of all web-based applications, as well as all devices that store business-critical information.
Beyond understanding what devices firms have and what data they hold, firms also need to understand how that data is accessed and by whom. Access control policies and procedures, along with inventory management protocols, need to be reviewed continually as employees join, leave or change roles and as technology evolves. Annual review cycles are recommended, but for higher-risk systems and applications, firms may want to re-evaluate more often.
Patch Management – Patch management is widely seen as one of the most critical areas of security for investment management firms. Particularly for firms that leverage a wide array of systems, technologies and applications, it can be a daunting task to keep up with regular patches. That said, it’s essential for firms to employ comprehensive patch management plans and ensure security flaws are addressed in a timely manner, before they can be exploited.
Social Engineering & User Training – You’ve heard us say it time and again: users are often a firm’s weakest link when it comes to preventing cybersecurity threats. With social engineering tactics growing in sophistication, employee training is critical to protecting your firm’s information and reputation. Threats such as corporate account takeover and business email compromise are real and concerning to investment management firms, and the best way to ensure they do not impact your business is through consistent and comprehensive user training.
Eze Castle Integration is a Cisco partner skilled at helping firms address these common IT security gaps.