Why is cybersecurity important?
Here are a few not so fun, but revealing facts about cybersecurity (credited to Verizon 2015 Data Breach Investigation Report:
- Did you know that it takes approximately 205 days between intrusion and detection of a breach in security?
- Did you know that the most common cause of a breach is phishing? Employees clicking on a link or opening an attachment is the usual gateway to a security breach within an organization.
Much like investment management industry participants on our platform, we at DiligenceVault are concerned with two primary issues:
Do we put our client’s information at risk? Do we put our competitive edge at risk?
To address both of the topics above, we have researched and implemented best practices, with the recognition that you do not have to be a cyber and information security expert to understand risks and threats.
Hope for the Best, Prepare for the Worst
In designing DiligenceVault, we assumed that there would eventually be a breach in security. My training in risk management drives me to prepare in advance for things to go wrong and have an action plan for when they do. Someone I heard at a recent panel discussion put it quite nicely – “To avoid a breach, you have to be prepared and be right 100% of the time. To successfully infiltrate, the hacker has to be right 1% of the time.” If you are defending, the odds are against you. One’s immediate reaction might be to build a fortress of controls and processes. Having worked at a large organization, I realize the value of process, and more importantly the value of purpose driving the process, rather than reverse. Any controls we establish should be relevant and translate into policy and a series of best practices:
Control Best Practices
- Carefully designed role-based access to information, based on handshake between information provider (manager) and information consumer (investor)
- Latest authentication protocols, with 2 step authentication as a standard functionality
- Tier data and information based on what is critical, and use different policies for each tier
Encrypt data in motion, as well as in rest.
- Application design limiting the free flow of identifying information
- Architectural controls leveraging an enterprise ready platform that delivers visibility, governance and protection of data. DiligenceVault uses Microsoft Azure and, in doing so, we rely on teams of 100’s of people solely focused on cybersecurity while offering physical security, 24 hour monitoring as well as logging, patching and penetration testing.
Understanding the Cultural Challenges
The best risk controls are worthless if an organizations culture doesn’t foster appropriate implementation of those controls. We found the following cultural challenges to be important in successful implementation:
- Risk culture cannot have exception at the top. An organization leader cannot have a policy that applies to everyone else but not themselves, especially when it comes to information security.
- Employee understanding of risks and how to mitigate them is a necessity. Our industry’s biggest handicap is legacy. We are used to doing things a certain way, and it used to work when our world was less complex and hackers less sophisticated. When there are new risks emerging, being wedded to legacy multiplies the risk factor. For example, how many employees still do not lock their computer screens when they leave their desk, due to a false sense of security?
Based on the above two areas, we made some policy decisions
- Decided not to send attachments via email. As a result, our users can easily flag any phishing emails they might receive.
- Prioritized 2 Step Authentication integration ahead of other important platform features, as login and password are no longer a sufficient enough control to access an application. People tend to use passwords that are in some ways attached to their lives, or save passwords in a file on a computer, which is easily accessible if their workstation is hacked. 2 Step Authentication provides an additional layer of security to guard against these scenarios.
- Enabled logging for every single user action, allowing firms to control their access gateways.
The outcome is an enterprise ready platform, which is richer in controls, and offers a secure solution for the industry. But we don’t plan to stop here, and look to keep up with the latest advancements in an evolving technological landscape.