The evolving cyberthreat landscape and increased regulatory scrutiny have created tremendous pressure for asset management firms as they race to shore up their IT security. In response to the recent Securities and Exchange Commission alert declaring an initiative to assess cyber security preparedness in the securities industry, Gravitas developed a whitepaper to provide asset management companies with a layered cybersecurity strategy, including a six-point framework for addressing a range of threats head on.
The framework is constructed to assess a firm's cyber security awareness, preparedness, and resilience to operational threats and regulatory compliance requirements. The following highlights the six-point action plan to help firms generate procedures and add required technologies to protect themselves better.
1. Physical security
This means protecting the hardware, networks, and data from a material breach and/or events that could cause catastrophic loss or damage. Physical security is often overlooked in favor of more technology-driven protection.
Co-location facilities offer on-site physical controls (cameras, mantraps, biometric or badge access) that deter and record unauthorized entry, together with 24x7 redundant power and cooling that minimize downtime and disruption to operations when a utility feed fails. Note that these controls cover only the hosted equipment; office space, wiring closets, and staff laptops still need their own physical protections.
All hardware devices -- old and new -- should be inventoried and actively managed so that only authorized, known devices are permitted to connect to the network, and retired devices are wiped before disposal.
2. Network security
Attacks against organizations frequently begin at the end user: phishing messages, emails carrying malicious attachments, websites hosting malicious code, and similar lures. A successful attack lets the intruder act with the privileges of a trusted user or system, and from that foothold reach otherwise protected internal systems.
Comprehensive network security must include firewalls and intrusion detection/prevention systems. Newer firewall technologies add web content filtering that blocks web-borne malware before it reaches the endpoint. Switches and routers must be configured with their security features enabled and default credentials changed. Proper network segmentation isolates user endpoints from backend infrastructure, so that a compromised workstation cannot reach servers it has no business need to contact.
3. Malware defense
The malware defense layer controls the download, spread, and execution of malicious code at multiple points across a firm's infrastructure. The point of entry varies, but email attachments, websites, and removable media are the most common examples.
Malware defenses must be updated continuously and their coverage validated so that an infection cannot spread unnoticed. They must also be deployed at every potential entry point to stop the flow or govern the execution of malicious software. Laptops, workstations, and servers should also be configured so they will not auto-execute content from removable media (thumb drives, external drives, or CD/DVDs); on Windows this is the NoDriveTypeAutoRun policy setting, which should be enforced centrally rather than left to individual machines.
4. Access control and password management
Abuse of administrative privileges is a primary way attackers extend their reach once inside an environment. The core challenge with access control, a basic mechanism built into every platform, is that it rapidly falls out of sync with business changes, so that granted permissions no longer reflect the level of access an organization actually intends.
Limit the number of administrative accounts, and grant administrative access only on an as-needed basis. Require all administrative passwords to be complex, with a maximum age of no longer than 90 days (note that more recent guidance, such as NIST SP 800-63B, favors long unique passwords and multi-factor authentication over calendar-based rotation, so treat the 90-day figure as a ceiling rather than a substitute for those controls). Tooling should be used to monitor the membership of all administrative groups and periodically validate that each account still needs its privileges.
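The following is an added example, not code from the article or from Gravitas, of the periodic privileged-account review described above. It runs over a constructed account inventory (in practice this would be exported from the firm's directory) and flags administrative accounts that are not on an assumed approved list, whose password age exceeds the 90-day ceiling, or that have not logged on in 90 days and are therefore candidates for removal. The approved-admin list and account names are assumptions for illustration.

```python
"""Review privileged accounts against an approved list and a 90-day password age.

The account inventory and approved list below are constructed sample data,
not taken from the original article.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

MAX_PASSWORD_AGE_DAYS = 90   # ceiling stated in the framework
STALE_LOGON_DAYS = 90        # assumption: admins unused for 90 days get reviewed


@dataclass
class Account:
    name: str
    is_admin: bool
    enabled: bool
    password_last_set: date
    last_logon: Optional[date]


# Hypothetical list of admins the business has explicitly approved.
APPROVED_ADMINS: Set[str] = {"jdoe-adm", "svc-backup"}

# Constructed inventory: one healthy admin, one with an old password,
# one unapproved and never-used admin, one disabled admin, one normal user.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("jdoe-adm", True, True, date(2024, 5, 1), date(2024, 6, 28)),
    Account("svc-backup", True, True, date(2024, 1, 15), date(2024, 6, 29)),
    Account("tempadmin", True, True, date(2024, 6, 1), None),
    Account("old-admin", True, False, date(2023, 1, 1), date(2023, 2, 1)),
    Account("analyst1", False, True, date(2024, 6, 20), date(2024, 6, 30)),
]


def review_admin_accounts(accounts: List[Account], approved: Set[str], today: date,
                          max_age_days: int = MAX_PASSWORD_AGE_DAYS,
                          stale_days: int = STALE_LOGON_DAYS) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for every enabled admin that violates policy."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        # Only enabled administrative accounts are in scope for this review.
        if not acct.is_admin or not acct.enabled:
            continue
        if acct.name not in approved:
            findings.append((acct.name, "admin account not on approved list"))
        age = (today - acct.password_last_set).days
        if age > max_age_days:
            findings.append((acct.name, f"password age {age}d exceeds {max_age_days}d"))
        if acct.last_logon is None or (today - acct.last_logon).days > stale_days:
            findings.append((acct.name, f"no logon in {stale_days} days; candidate for removal"))
    return findings


if __name__ == "__main__":
    for name, finding in review_admin_accounts(SAMPLE_ACCOUNTS, APPROVED_ADMINS, date(2024, 6, 30)):
        print(f"{name}: {finding}")
```

Run on the sample inventory as of 30 June 2024, the review reports svc-backup for a 167-day-old password and tempadmin both for missing from the approved list and for never having logged on; the disabled account and the non-admin user produce no findings.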
5. Data protection monitoring systems
Once an organization has determined which business roles need access to which data, the biggest challenge will be keeping that access aligned with business requirements as the file system grows. Access rights to file data are constantly in flux due to changing job roles and responsibilities and the addition of data and projects requiring user collaboration. Moreover, rights changes are very often made by the IT help desk, because most financial firms do not have a dedicated IT security administrator.
By defining security policies within a file activity monitoring solution, IT staff can receive near-real-time alerts on permission changes to sensitive business data and investigate them through simple web-based query tools. In addition, file audit logs should be retained for long enough to support incident investigations and regulatory requests, which typically means years rather than weeks.
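The following is an added example, not code from the article or from any vendor's monitoring product, of the kind of policy a file activity monitoring solution would apply. It parses a constructed batch of Windows Security audit records (event ID 4670, "permissions on an object were changed", with the old and new security descriptors in SDDL form) and raises an alert when a share the firm has designated as sensitive is modified by someone outside the security administration group, or when the new descriptor grants rights to a broad principal such as Everyone or Authenticated Users. The share names, account names, and tab-separated export format are assumptions for illustration.

```python
"""Detect risky permission changes on sensitive file shares from audit records.

The log lines below are constructed to resemble Windows Security event 4670
exports (timestamp, event ID, actor, object, old SDDL, new SDDL) and are not
from the original article or any real environment.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumptions for this example: shares the firm treats as sensitive, and the
# accounts permitted to change permissions on them.
SENSITIVE_PREFIXES = (r"\\fs01\Funds", r"\\fs01\Compliance")
SECURITY_ADMINS = {r"CORP\secadmin"}

# SDDL abbreviations for principals that should never be granted rights on
# sensitive data: Everyone, Authenticated Users, and the built-in Users group.
BROAD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users"}

SAMPLE_LOG = [
    "\t".join(["2024-06-30T09:15:02Z", "4670", r"CORP\helpdesk1", r"\\fs01\Funds\Trades",
               "D:(A;;FA;;;BA)(A;;0x1200a9;;;S-1-5-21-1-2-3-1105)",
               "D:(A;;FA;;;BA)(A;;FA;;;WD)"]),
    "\t".join(["2024-06-30T09:20:44Z", "4670", r"CORP\secadmin", r"\\fs01\Compliance\Reviews",
               "D:(A;;FA;;;BA)",
               "D:(A;;FA;;;BA)(A;;0x1200a9;;;S-1-5-21-1-2-3-1106)"]),
    "\t".join(["2024-06-30T09:21:10Z", "4663", r"CORP\analyst1", r"\\fs01\Funds\Trades",
               "", ""]),
    "\t".join(["2024-06-30T09:30:00Z", "4670", r"CORP\helpdesk1", r"\\fs01\Public\Templates",
               "D:(A;;FA;;;BA)", "D:(A;;FA;;;BA)(A;;FA;;;AU)"]),
]


@dataclass
class PermissionChange:
    time: str
    actor: str
    obj: str
    old_sd: str
    new_sd: str


def parse_events(lines: List[str]) -> List[PermissionChange]:
    """Keep only 4670 (permissions changed) records from the tab-separated export."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, actor, obj, old_sd, new_sd = line.rstrip("\n").split("\t")
        if event_id == "4670":
            events.append(PermissionChange(ts, actor, obj, old_sd, new_sd))
    return events


def allow_aces(sddl: str) -> Set[Tuple[str, str]]:
    """Return (rights, trustee) for each Allow ACE in a DACL SDDL string."""
    aces: Set[Tuple[str, str]] = set()
    for body in re.findall(r"\(([^)]*)\)", sddl):
        parts = body.split(";")          # ace_type;flags;rights;object;inherit;trustee
        if len(parts) >= 6 and parts[0] == "A":
            aces.add((parts[2], parts[5]))
    return aces


def evaluate(events: List[PermissionChange]) -> List[Dict[str, object]]:
    """Apply the monitoring policy and return one alert per offending change."""
    alerts: List[Dict[str, object]] = []
    sensitive = tuple(p.lower() for p in SENSITIVE_PREFIXES)
    for ev in events:
        if not ev.obj.lower().startswith(sensitive):
            continue                     # changes outside sensitive shares are only logged
        reasons: List[str] = []
        if ev.actor not in SECURITY_ADMINS:
            reasons.append(f"changed by {ev.actor}, not a security administrator")
        # Only ACEs that are new in the updated descriptor are of interest.
        for rights, sid in sorted(allow_aces(ev.new_sd) - allow_aces(ev.old_sd)):
            if sid in BROAD_SIDS:
                reasons.append(f"grants {rights} to {BROAD_SIDS[sid]}")
        if reasons:
            alerts.append({"time": ev.time, "object": ev.obj, "actor": ev.actor, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_events(SAMPLE_LOG)):
        print(alert["time"], alert["object"], alert["actor"], "; ".join(alert["reasons"]))
```

On the sample export only the first record trips the policy: a help-desk account changed permissions on a fund-trading share and, at the same time, granted Full Access to Everyone. The security administrator's change grants read access to a specific group and passes, the 4663 access record is ignored, and the change on the public share is outside the monitored scope.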
6. Cyberincident response plan
This plan protects the firm's critical data and reputation by implementing a set of processes and procedures to discover, acknowledge, compartmentalize, neutralize, and eradicate the attack from the environment rapidly. A cyberincident response plan should be coupled with a business continuity plan when a malicious incident has resulted in data loss, sustained system outage, or a potentially catastrophic site failure.
The reactive steps taken against a suspected attack are detection, compartmentalization/containment, remediation, and recovery and restoration. Once the firm has returned to a steady state, a comprehensive postmortem should be conducted and its lessons fed back into the plan and the controls in the other five layers.
By using a six-layered approach to cyber security, asset management companies build their resilience to operational threats and regulatory compliance requirements, thus decreasing the chances of being compromised by cyberattacks.
This article is co-authored by Kevin Noll, director of business consulting at Gravitas, where he is responsible for providing strategic advisory services and project management to clients. Before joining Gravitas, he served as principal and CTO of a Chicago-area technology consultancy, providing high-level technology strategy to firms across a range of industries. He is a graduate of DePaul University's School of Computer Science, Telecommunications, and Information Systems, now the School of Computing and Digital Media.

Patrick Mullevey is the Executive Director of Cloud Services and Support at Gravitas, responsible for the strategic vision of clients' infrastructure. Patrick is responsible for the implementation, security and management of client environments hosted in ...