Cybersecurity: Six First Steps Your Firm Needs to Consider
Cybersecurity quickly became the primary focus of conversation at a recent dinner with a bunch of old financial sector IT friends. It is certainly the topic du jour but the level of interest was fascinating. The people around the table, mostly CTOs or CIOs at hedge funds or sell-side firms, all acknowledged being inundated with security requests and queries and it is clearly top of mind for boards, institutional investors and senior management teams alike.
What is also clear is that it is top of the agenda for very good reason. Each of the firms represented had experienced attacks, some on multiple occasions. This anecdotal evidence, considered alongside the persistent rumours that a number of Fortune 500 companies have already been hacked and in several instances had all their data stolen and wiped, underlines how widespread the problem is becoming. We live in an era where threats come in all shapes and sizes, ranging from organised bands of cyber ‘kidnappers’ using ‘crypto-locker’ technology to hold corporate data to ransom, to pure cyber ‘terrorists’ that simply wipe a company’s systems to make a point.
After some time discussing the woes of this new landscape, the conversation turned to some simple practical steps any IT manager or CTO can and should take to drastically reduce the risk of an attack and, crucially, to mitigate its impact should the worst happen.
The top six recommendations from the group are as follows:
(1) Daily Backups To Tape:
The first recommendation is the simplest, but can have a profound impact on platform robustness. Ensure there are daily backups to tape and that these are archived off-site with one of the top record management and media storage providers.
This is something that well-run software companies have always done, simply because the code is their IP. Daily backups are useful for dozens of reasons, but they can be the difference between a successful attack being a minor hassle (i.e. losing a day’s work) and becoming a major headache that could mean lights out for your business.
(2) Lock Down Admin Rights and USB Access:
The consensus across the group was that while all their firms were investing millions of dollars in multi-layer security architectures, getting the basics right gave the most bang for the buck. And by the basics they meant the simple measures that every well-run blue-chip IT shop has been doing for 20-plus years.
Top of the list: locking down local admin rights and shutting down USB access.
To a person, everyone acknowledged that the lion’s share of security breaches could be prevented by restricting admin rights and removing users’ ability to install new applications. There should also be a sign-off process every time a new application is added to the corporate platform. You can expect some pushback when this is first raised internally, but it really is crucial. Similarly, every hacker and pen-tester knows that the easiest way to breach data security is to get past a company’s front desk and plug in a USB device. Full USB lockdown is the only option.
(3) Phishing Tests:
Phishing attacks remain the most common source of a successful cyber attack, and recent studies show that incidents of users opening phishing emails are actually on the increase. This is no doubt the result of a marked improvement in the sophistication of these types of attack, but a lack of user training and education is proving equally problematic.
As a result, phishing tests carried out on internal platform users are highly recommended. If all users are expected to have received some level of basic training (most likely during their induction) in how to identify phishing emails, then a phishing test will further identify those who require follow-up or additional training. Simply put, as phishing emails evolve, so too should your employees, and scheduled, company-wide phishing tests are a crucial first step in educating them.
(4) Separate Your Networks:
Equally simple, but setting up the office Wi-Fi correctly can prevent a plethora of problems. One of the first precautions to take with your office network is to ensure there is a guest Wi-Fi SSID in addition to your internal Wi-Fi. The separate guest SSID should offer exactly the same coverage as the main office network, but with no access to company data or systems.
Visitors to the office aside, the guest network should also be used for mobile phones and non-essential devices. In one step, you make sure access to your private data is limited to the people who need it and hugely decrease the risk to your platform.
Critically, having full coverage on the guest Wi-Fi makes it easy for people to access their personal email etc. while in the office, BUT only on their personal phone or iPad, thus eliminating the single biggest security vulnerability.
(5) Lock Down your Physical Devices:
Stopping network intrusion is one step, but what about data leakage on the way out? Do you know for sure that the models and spreadsheets you’ve spent months on aren’t being shipped out the back door?
If they are, then it is more than likely they’ll be moved using a physical device. At Options we suggest firms simply block the use of removable storage. We recommend turning it off company-wide and if anyone needs it day-to-day, individual exceptions can be made. Similarly, Dropbox and comparable services should not be permitted on corporate networks or devices.
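As an added illustration of steps (2) and (5), not part of the original article or of Options’ own tooling, the following PowerShell audit checks a single Windows endpoint for the controls described: USB mass storage disabled, removable storage denied by policy, and the local Administrators group limited to an approved list. The approved-admin names are constructed placeholders; it assumes Windows 10 / Server 2016 or later and an elevated prompt.

```powershell
# Added example (not from the original article): audit one Windows endpoint for
# USB/removable-storage lockdown and local admin restriction. Run elevated.
# $ApprovedAdmins is a constructed placeholder list; replace with your own.
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'EXAMPLE\Workstation-Admins')

function Test-RemovableStorageLockdown {
    # USBSTOR Start = 4 means the USB mass-storage driver is disabled.
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                -Name Start -ErrorAction SilentlyContinue
    # Deny_All = 1 is what the "All Removable Storage classes: Deny all access"
    # Group Policy setting writes; per-user exceptions are granted via GPO, not here.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
                               -Name Deny_All -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UsbStorDisabled = ($usbstor.Start -eq 4)
        RemovableDenied = ($policy.Deny_All -eq 1)
    }
}

function Test-LocalAdminMembership {
    param([string[]]$Approved)
    # Any member of the local Administrators group not on the approved list is a finding.
    $members = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    $extra   = @($members | Where-Object { $_ -notin $Approved })
    [pscustomobject]@{
        Members    = $members
        Unapproved = $extra
        Compliant  = ($extra.Count -eq 0)
    }
}

$storage = Test-RemovableStorageLockdown
$admins  = Test-LocalAdminMembership -Approved $ApprovedAdmins

# Report each control as PASS/FAIL so the output can be collected centrally.
$report = [ordered]@{
    'USB mass storage disabled (USBSTOR Start=4)' = $storage.UsbStorDisabled
    'Removable storage denied by policy (Deny_All=1)' = $storage.RemovableDenied
    'Local Administrators limited to approved list'   = $admins.Compliant
}
foreach ($check in $report.Keys) {
    $state = if ($report[$check]) { 'PASS' } else { 'FAIL' }
    Write-Output ("{0,-4} {1}" -f $state, $check)
}
if (-not $admins.Compliant) {
    Write-Output ('Unapproved local admins: ' + ($admins.Unapproved -join ', '))
}
```

Exceptions for individual users, as the text suggests, are best granted through the same Group Policy object rather than by editing the endpoint registry, so the audit keeps flagging drift from the company-wide default.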
(6) Enable Web Filtering:
The final pragmatic line of defence that pretty much everyone recommended is web filtering. This blocks access to a chosen subset of websites, making sure that anything related to gambling or pornography, for instance, is inaccessible from your corporate network, along with a vast range of high-risk sites ranging from personal email services to “Chinese” hosted websites (the likes of Box.net and Dropbox can also fall into this category).
Web filtering has been a fairly standard approach for large corporates for many years, but is fast becoming the benchmark for all financial firms (and is probably a very good idea for SMEs in general).
Further Reading & Feedback:
In light of recent cybersecurity-oriented initiatives from the SEC and other regulatory entities, we have released an overview of our cybersecurity policies and best practice recommendations in our 2015 cybersecurity white paper, which is available to download.