In today’s blog post, RFA UK Managing Director George Ralph shares his thoughts on the hedge fund IT department of the future and how it will shape cybersecurity.
With businesses suffering from a 144% increase in successful cyber attacks between 2011 and 2015, according to CYREN’s 2015 Cyberthreat Yearbook, financial services firms cannot afford to take any chances when it comes to implementing a robust cybersecurity strategy that is overseen by a knowledgeable, committed team. But who is really in charge of your firm’s cybersecurity?
The Chief Information Security Officer is the obvious choice, with more and more firms recruiting for this position. However, firms should not forget all about cybersecurity once a CISO is in place. Cybersecurity attacks can impact every part of a firm, and as such should be on the agenda at Board meetings.
The Chief Executive holds ultimate responsibility for the firm, ensuring that it operates legitimately, and is charged with maximizing the value of the firm. With this in mind, it is fair to say that a big part of the responsibility for cybersecurity falls to the firm’s CEO. Indeed, the Senior Managers Regime, introduced by the FCA, apportions accountability to senior individuals within the financial services sector and makes those individuals personally culpable and criminally liable for mistakes, malpractice or inaction. But if figures presented by PwC in their 2015 Global State of Information Security Survey are accurate, there is still much work to be done to get cybersecurity onto the agenda at Board meetings. The research showed that 75% of directors were not involved in the review of cybersecurity risks within their firm.
The Chief Risk Officer is another obvious choice for many firms, but the CRO is also responsible for strategic, reputational, operational, financial and compliance-related risk. Technological risk, and more specifically cybersecurity risk, is just one part of the CRO’s overall remit, and as a result it will not receive the focus it needs.
Most hardware and software vendors are at pains to point out their products’ security features, which is useful when those products operate as standalone solutions. However, put them into the context of a firm’s IT infrastructure, with complex networking, mobile access, hybrid cloud solutions and internet-enabled everything, and the product’s security features become less useful. Of course, protect all devices, including user devices, network equipment, storage, servers, the website, the email system and any other communication tools your firm may have. But make sure to work with a trusted, vendor-neutral technology partner to build a multi-layered security strategy. The strategy should include antivirus software, firewalls, a backup solution, encryption software, mobile device protection and multi-factor authentication to reduce password attacks.
Cloud partners, on the other hand, can be held accountable for upholding cybersecurity standards, provided you have outlined your requirements before engaging with them. Your cloud partner must be able to demonstrate that your data will be stored in accordance with the security requirements the industry demands. Data centers should be physically secure, adhering to ISO27001 and SSAE16/Type II standards, with options to encrypt data or use multi-factor authentication should that be required. Intrusion detection and continuous monitoring will ensure uninterrupted service and enhanced cybersecurity protection.
While all these different groups can be held accountable at varying levels for a firm’s cybersecurity preparedness, ultimate responsibility must be given to every single employee, from the most junior to the most senior. Secure perimeters, endpoint devices and encrypted data should be taken as a given, but a truly robust cybersecurity strategy is about employee awareness and buy-in, training and behaviour management. With instances of targeted spear phishing attacks doubling between 2013 and 2014, according to Symantec’s Internet Security Threat Report of 2015, employees need constant reminders of what to look out for and of good practice when they are working on the corporate network. Cybersecurity must be an embedded culture within the organization, with every employee feeling personally responsible for adopting the correct policies and procedures.