
A Layered Approach to Cybersecurity

an Eze Castle Integration eBook

Visit: www.eci.com | Call: US: +1 800 752 1382 | UK: +44 207 071 6802


A Layered Approach to Cybersecurity

• Tier 0: This is the ‘must-have’ list. There is no getting around these security measures.

• Tier 1: This tier incorporates a few enhanced features as well as a strong contingency of policies to support your cybersecurity program. Plus – and here’s the big one we keep talking about – employee security awareness training. Tier 1 is typically where most investment management firms fall today.

• Tier 2: This can be considered an “advanced” tier, with the incorporation of progressive tools such as intrusion detection/prevention systems and next-generation firewalls. But this is quickly becoming the norm for mid-to-large asset managers, particularly as a means to demonstrate preparedness to institutional investors.

When it comes to protecting your investment firm from serious cybersecurity threats, it's safe to say that less is definitely not more. In fact, it takes a pretty heavy arsenal of security measures to combat the ever-growing threats targeting your firm from both the inside and the outside.

But it may not be realistic for your firm to employ every cybersecurity technology/tool and develop and maintain a host of security policies - at least not from day one.

This eBook is designed to help you assess some of the cybersecurity protections that should be on your list. You’ll notice we’ve divided them by tiers, because, well, you’ll need to decide how much of your time, budget and resources are spent protecting your firm’s assets.


© Eze Castle Integration

Tier 0 (Basic)

We call this level Tier 0 in part because, well, there’s zero chance your firm will have long-term success in thwarting cyber risks if you don’t employ these basic security measures.

Perimeter & Network Security

• Firewalls

• Anti-virus Software

• Software Patching/Patch Management

Access Control Measures

• Secure Remote Access (e.g. via Citrix)

Policies & Procedures

• Separation of Administrative Access/Principle of Least Privilege

• Acceptable Use Policy

Employee/User Behavior

• Strong Non-default Password Enforcement


Perimeter & Network Security

At a minimum, your investment firm should install firewalls, anti-virus software and patch management software to protect your perimeter and stop low-level threats and spam from entering your network.

The firewall, as controlled by the network administrators managing IT for your firm, monitors and controls the incoming and outgoing traffic on your network.

Software patch management is the best practice for closing known vulnerabilities in software applications before they can be exploited. Particularly as zero-day exploits become more common, software patching should be part of your firm’s daily IT management.

Tier 0 Requirements:

• Firewalls

• Anti-virus Software

• Software Patching/Patch Management


Access Control Measures

We live in a technology-empowered world, and if your employees work outside of the office (on location, at home, etc.), you need to ensure they have effective – and SECURE – means to do so. Citrix is a great option for secure remote access and allows end users to log in to access applications on-the-go.

Virtual Private Networks (VPNs) also offer secure remote access, allowing employees to “remote desktop” in and run any and all applications that live on the work computer’s server.

Tier 0 Requirements:

• Secure Remote Access (e.g. via Citrix)


Policies & Procedures

The policy layer of cybersecurity is often overlooked, but it provides a much-needed backbone for your firm’s cyber risk management program. If you employ no other policies from the start, your first policy should dictate acceptable use by your employees with regard to network access, system logins, Internet usage, etc.

Your firm should also employ the “principle of least privilege”, meaning only those who need access to certain systems and data should have access to it.

Tier 0 Requirements:

• Separation of Administrative Access/Principle of Least Privilege

• Acceptable Use Policy


Employee/User Behavior

Your users themselves will round out your cybersecurity defense strategy (always remember: people, processes, technology), and the most basic way to control user security behavior is with strong password enforcement. Ensure your firm’s employees are prompted at least every 90 days to change their passwords and use strong combinations of upper and lowercase letters and special characters.

Consider also requiring specific parameters around password development and use, such as not allowing personal information (names, birthdates) within passwords and not allowing passwords to be reused within a certain time frame.
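A policy-enforcement check for the password rules described above (upper and lowercase letters plus special characters, no names or birthdates, no reuse within a set window, rotation every 90 days), added here as an example; it is not code from the eBook or from Eze Castle Integration. The user record, the 365-day reuse window and the birthdate token formats are assumptions, since the eBook only says “a certain time frame”.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

MAX_AGE_DAYS = 90        # rotation interval stated in the eBook
REUSE_WINDOW_DAYS = 365  # assumed value; the eBook only says "a certain time frame"
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")

def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the password history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(name, birthdate, past_passwords, today):
    """Constructed user record; each past password gets its own salt and set date."""
    history = []
    for i, pw in enumerate(past_passwords):
        salt = os.urandom(16)
        set_on = today - timedelta(days=30 * (len(past_passwords) - i))
        history.append((salt, hash_pw(pw, salt), set_on))
    return {"name": name, "birthdate": birthdate, "history": history}

def check_password(candidate, user, today):
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("needs upper and lowercase letters")
    if not any(c in SPECIALS for c in candidate):
        problems.append("needs a special character")
    if any(part in candidate.lower() for part in user["name"].lower().split()):
        problems.append("contains user's name")
    bd = user["birthdate"]
    if any(bd.strftime(f) in candidate for f in ("%Y", "%d%m", "%m%d", "%Y%m%d")):
        problems.append("contains birthdate")
    # Reuse check: hash the candidate with each stored salt and compare in constant time.
    for salt, digest, set_on in user["history"]:
        if (today - set_on).days <= REUSE_WINDOW_DAYS and hmac.compare_digest(hash_pw(candidate, salt), digest):
            problems.append("reused within window")
            break
    return problems

def password_expired(user, today):
    """True when the current (most recent) password is older than MAX_AGE_DAYS."""
    latest = max(set_on for _, _, set_on in user["history"])
    return (today - latest).days >= MAX_AGE_DAYS

# Constructed sample: one user with two prior passwords set 60 and 30 days ago.
TODAY = date(2018, 5, 12)
ALICE = make_user("Alice Smith", date(1985, 3, 7), ["Old#Pass1word", "Trading$Desk2"], TODAY)
```

Run `check_password("Trading$Desk2", ALICE, TODAY)` to see the reuse rule fire, and `password_expired(ALICE, TODAY)` to see the 90-day rotation check.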

Tier 0 Requirements:

• Strong Non-default Password Enforcement


Tier 1 (Standard)

The good news is that many investment management firms today fall into the Tier 1 category, meaning they are doing more to address cybersecurity risks than just the basics. You’ll notice this tier features a strong contingency of policies that help firms prepare for and respond to cybersecurity and business-impact threats.

Additionally, Tier 1 does more to address network security and highlights the need for ongoing employee information security awareness.

Perimeter & Network Security

• Enhanced Email Security

• Network Access Control

Access Control Measures

• Mobile Device Security/Management

Policies & Procedures

• WISP

• BCP

• Incident Response Policy

Employee/User Behavior

• Regular/Annual Cybersecurity Training


Perimeter & Network Security

If you’re a Tier 1 firm, you’re expanding your network security beyond the standard firewalls and anti-virus software to include more comprehensive network access control. Plus, since email is oftentimes the gateway into a firm’s network (more on phishing later), enhanced email security features are a must to safeguard sensitive information.

Growing in popularity, these features often include targeted attack protection, attachment scanning and encryption.

Tier 1 Requirements:

• Enhanced Email Security

• Network Access Control

Tier 0 Requirements:

• Firewalls

• Anti-virus Software

• Software Patching/Patch Management


Access Control Measures

With our growing reliance on mobile devices for business, it’s become critical for firms to develop mobile device policies and employ mobile device management (MDM) solutions which allow administrators to provision, secure and support company-sanctioned smartphones and tablets.

Particularly if your firm is of the “bring your own device” (BYOD) kind, you need to ensure there are clear protocols and guidelines for employee access to company/client information.

Tier 1 Requirements:

• Mobile Device Security/Management

Tier 0 Requirements:

• Secure Remote Access (e.g. via Citrix)


Policies & Procedures

We mentioned this was a policy-heavy tier, but these IT security policies are truly the backbone to a solid and comprehensive cyber program.

The written information security policy (WISP) should break down what and where your firm’s confidential data is and who has access to it. Your Business Continuity Plan (BCP) outlines how your business will continue to operate in the event the firm is impacted by a cyber-threat.

And your Incident Response Policy will go into deeper detail on how to respond to cybersecurity issues, including what steps to take to remediate the situation and how/when to notify clients/third parties.

Tier 1 Requirements:

• Written Information Security Plan (WISP)

• Business Continuity Plan (BCP)

• Incident Response Policy

Tier 0 Requirements:

• Separation of Administrative Access/Principle of Least Privilege

• Acceptable Use Policy


Employee/User Behavior

Arguably the most important – and yet underrated – aspect of your firm’s cyber preparedness, training and educating your employees is critical to the success of your organization’s security efforts. Technology and systems can only do so much to address threats.

Your employees, however, can act as your first line of defense against cyber-attacks, but unfortunately, their efforts will only be effective if they are properly trained on both potential threats and the firm’s policies and procedures.

Tier 1 Requirements:

• Regular/Annual Cybersecurity Training

Tier 0 Requirements:

• Strong Non-default Password Enforcement


Tier 2 (Advanced)

If you’re thinking only the largest and most tech-savvy investment firms are in Tier 2, you’re only half right. Yes, you’ll often find mid-to-large asset managers fall into this category, but many of these “advanced” protections are fast becoming the norm for smaller firms hoping to demonstrate to institutional investors their commitment to cybersecurity. And through IT outsourcing, these firms are able to leverage managed service providers to add strategic value to their businesses – without having to manage these advanced technologies on their own.

*For EU firms, many of these protections will soon be mandated by the GDPR and will likely go into effect by early 2018.

Perimeter & Network Security

• Next-Generation Firewalls

Access Control Measures

• Multi-factor Authentication

Advanced Technologies

• Intrusion Detection/Prevention

• Storage Encryption

• Data Loss Prevention

Employee/User Behavior

• Phishing Simulation Exercises


Perimeter & Network Security

Tier 2 Requirements:

• Next-Generation Firewalls

Tier 1 Requirements:

• Enhanced Email Security

• Network Access Control

Tier 0 Requirements:

• Firewalls

• Anti-virus Software

• Software Patching/Patch Management

The latest and greatest network security technology you should employ? Next-generation firewalls. These take the benefits of traditional, port-based firewalls to the next level, and allow firms to filter network traffic by application and implement additional security protocols to keep harmful traffic at bay.

Some advantages to next-generation firewalls include:

• All-in-one functionality

• Greater visibility and control

• Simplified management

• Better security

• Lower total cost of ownership


Access Control Measures

Tier 2 Requirements:

• Multi-factor Authentication

Tier 1 Requirements:

• Mobile Device Security/Management

Tier 0 Requirements:

• Secure Remote Access (e.g. via Citrix)

One of the most effective ways a firm – and its users – can ensure security is through the use of multi-factor authentication, which requires users to prove their identity with more than one kind of credential, so that a stolen password alone is not enough to get in. This technology is growing in popularity, and many firms now employ it for access to cloud services, for example.

There are three types of authentication factor:

• Knowledge-based (e.g. security questions)

• Possession-based (e.g. cryptocard, authentication app on a mobile device)

• Inherence-based (e.g. fingerprint, biometric scan)


Advanced Technologies

Tier 2 Requirements:

• Intrusion Detection/Prevention

• Storage Encryption (Data at Rest)

• Data Loss Prevention

Being the “advanced” tier, Tier 2 features some progressive systems and technologies that many of today’s investment management firms are starting to leverage. Intrusion detection and prevention systems can be costly, but add a convincing layer of security to an existing cybersecurity program, with the ability to monitor networks and prevent threats from penetrating them.

Additionally, the encryption of data at rest is becoming a top priority for security-focused firms, as well as data loss prevention – software that aims to prevent end users from sending sensitive information outside of a firm’s network.


Employee/User Behavior

Tier 2 Requirements:

• Phishing Simulation Exercises

If you consider your firm security-focused, then you probably also realize the critical role your employees play in securing your firm and safeguarding its information. To ensure employees realize their importance and act as well-informed users, many firms are conducting phishing simulation exercises to test and train users to identify potentially malicious email threats.

These managed phishing tools are relatively inexpensive in nature and often include in-the-moment security awareness training to reinforce many of the key concepts employees should be aware of.

Tier 1 Requirements:

• Regular/Annual Cybersecurity Training

Tier 0 Requirements:

• Strong Non-default Password Enforcement


About Eze Castle Integration

Eze Castle Integration is a leading provider of IT solutions, managed cloud services and cybersecurity to more than 650 alternative asset management firms around the globe. Our Managed Services portfolio includes:

Private Cloud Managed Platform: Managed Suite | Managed Infrastructure | Managed DR | Hosted Voice

Cybersecurity Solutions & Training: Managed Security Solutions | Active Threat Protection | Managed Phishing/Training | Cyber Consulting Services & Policy Development

Business Resiliency & Contingency Planning: Disaster Recovery | Business Continuity Planning | Backup & Recovery | Email & IM Archiving

Outsourced Technology Services: IT Support | Staff Augmentation | Global 24x7x365 Help Desk

Contact Us Today

Visit: www.eci.com | Call: US: +1 800 752 1382 | UK: +44 207 071 6802

Boston | Chicago | Dallas | Hong Kong | London | Los Angeles | Minneapolis | New York | San Francisco | Singapore | Stamford