Cyber Security--It’s Not an IT Problem

For many organizations, investment offices and otherwise, cyber security is somewhat of a mystery. This lack of clarity surrounding cyber security for investment offices has, unfortunately, created a number of misconceptions across management as to the best approaches.

It’s important for all organizations to hold the notion that cyber security isn’t just an IT problem. So many organizations make that assumption because they have in-house technical expertise, their cyber exposure is something for the technicians to worry about.

But no longer are the computers and access devices just part of the IT department. People are accessing the company’s network on a number of devices, and each has it vulnerabilities. The IT department can put up firewalls and other defenses, however, staff, user-management and policies are also important when managing cyber risk.

Cyber Security Tips for RIAs

Staff

The weakest link in the security chain is the human link. We can use all the superior technical tools and security products available on the market, but if we don’t have the proper awareness and knowledge from users, they remain the biggest threat.

Risks come from something as simple as leaving a computer turned on in an empty office during lunch or stepping away from a laptop at a coffee shop. There are certainly much more complex
scenarios, but this is often where it starts.

Policy

Having a security policy for employees to live by is an important first step. The next important step is ensuring employees know about them and follow them, and that they know the consequences should they violate those policies. That means training to increase awareness and communicating around those policies when violations occur.

It’s essential that managers take ownership of this challenge. Actions speak louder than words. They have to demonstrate interest in protecting and educating employees about policies, following them and being proactive with communications regarding potential security issues.

Software

While most software does come with some security measures, they may not be activated out of the box and they likely need to have some parameters set and selections activated. In many cases, however, there are additional tasks that need to be considered to instill confidence in security of those applications. These activities are typically part of the IT organizations’ responsibilities, however, it needs the cooperation of every employee to ensure the correct processes are followed to minimize risk.

Best Practices

Staff, policies, education and awareness are all part of best practices for cyber security. But the truth is it’s a matter for the entire organization and everyone plays a role in security. The following is a list of best practices that we’ve shared with clients recently.

• Communicate to all employees that everyone in the organization plays a role in data
  security.
• Send updates from the media about security breaches in the news.
• Perform employee background checks during recruitment.
• Ensure all employees have read the current Data Security Policies, starting with senior management.
• Enforce a clear desk policy where all documentation, etc, must be stored away safely any time it’s not in use.
• Apply different levels of access to physical and digital files and test the access.
• Discourage use of public wi-fi and use mobile phone data while ‘on the go’.
• Allow out-of-office access to client data only to a restricted number of users.
• Enforce password protection of computers and any devices having access to company data.
• Apply different levels of access to physical and digital files and test the access.
• Discourage use of public wi-fi and use mobile phone data while ‘on the go’.
• Allow out-of-office access to client data only to a restricted number of users.
• Enforce password protection of computers and any devices having access to company data.
• Force change of passwords every 90 days.
• Don’t broadcast the company wi-fi network name.
• No USB sticks containing company data to be taken out of the office.
• Regularly test IT systems and the security procedures in place to assist with enforcement.

This list is certainly not exhaustive but does demonstrate how every employee can help or hinder security and the risk to company data. Encourage employees to report breaches and known risks and make security a part of regular company meetings and discussions.

If everyone knows they have a role to play and understand how they can help reduce risk, you’ll create a desirable culture around company data and security.