By Bob Shaw – As cyber threats continue to mature and firms become increasingly dependent on third-party service providers and Internet applications to support operations, they gain efficiencies and access to advanced technologies, but they also widen their exposure to security vulnerabilities. Investment firms need to evaluate every risk that poses a potential threat to the firm and put in place the safeguards necessary to protect themselves, their clients, their partners and their assets.
“Cybersecurity threats vary in scale, motive and target, and it may not be realistic for your firm to employ every cybersecurity technology available in the cyber space. This is when it becomes important to determine the time, budget and resources your firm has available for cyber risk management,” says Bob Shaw, Director, Eze Castle Integration. “By dividing cybersecurity practices into different tiers, firms are able to prioritise the necessary security layers to evaluate and implement at that specific point in time.”
Tier 0: We call this level Tier 0 in part because, well, there’s zero chance your firm will have long-term success in thwarting cyber risks if you don’t employ these basic security measures.
This is the ‘must have’ list, and there is no getting around any of these:
• Perimeter and Network Security: Firewalls, Anti-virus software and Patch Management
• Access Control Measures: Secure Remote Access
• Policies and Procedures: Separation of Administration Access and Acceptable Use Policy
• Employee/User Behaviour: Password Enforcement
Tier 1: The good news is that most investment management firms today fall into the Tier 1 category, meaning they are doing more than just the basics to address cybersecurity.
In addition to the basics covered in Tier 0, this tier incorporates a few enhanced features as well as a solid set of written policies to support your cybersecurity program.
• Enhanced Email Security and Network Access Control
• Mobile Device Security/Management
• Written Information Security Policy, Business Continuity Plan (BCP) and Incident Response Policy
• Annual Cybersecurity Training
Tier 2: If you’re thinking only the largest and most tech-savvy investment firms are in Tier 2, you’re only half-right. Yes, you’ll often find mid-to-large asset managers in this category, but many of these more “advanced” protections are fast becoming the norm for smaller firms hoping to demonstrate to institutional investors their commitment to cybersecurity.
In addition to the security basics and the industry standards we’ve already mentioned, Tier 2 firms often employ:
• Next-Generation Firewalls
• Multi-factor Authentication
• Phishing Simulation Exercises
• Intrusion Detection/Prevention, Storage Encryption and Data Loss Prevention Technology
When it comes to your firm’s cybersecurity practices, it is safe to say that less is definitely not more. How does your firm stack up when it comes to your cybersecurity practices? Check out our eBook for a deeper understanding of where your firm stands.