[BreachExchange] For start-ups: Four pillars of cyber security defence

[Audrey McNeil]

http://www.hedgeweek.com/2016/07/07/241408/start-ups-four-pillars-cyber-security-defence

But beyond technology safeguards, today's successful financial firms
require the wherewithal to implement comprehensive cybersecurity programmes
– whether you're a seasoned firm or embarking on your first investment
venture. The most effective cyber programmes will focus on four critical
administrative areas: (1) developing comprehensive security policies and
plans to prevent external cyber-attacks or internal breaches, (2) training
firm employees on said policies and current cyber threats, (3) cultivating
a culture of security awareness from Management down, and (4) managing an
effective risk programme via external vendor oversight.

Plan: True cybersecurity defence starts with proper planning. To start,
funds need to develop written information security plans – comprehensive
documentation of the firm's corporate security initiatives. This should
include technical and administrative safeguards being employed to secure
confidential data. In the development stage, firms will need to identify
systems and plans currently being used, technical procedures and systems in
effect, employee access controls relative to confidential data as well as
user responsibilities for both prior to and in the event of a data breach.

Train: Speaking of employees, it's often said that your firm's users can
either be your greatest threat or your first line of defence against cyber
threats. As a result, training is not only critical but essential so
employees understand the threats facing them and the company as a whole, as
well as how they can take steps to prevent, detect and respond to cyber
security incidents.

Cultivate: More abstract than the prior points, this third pillar suggests
that firms create a culture of compliance throughout the organisation,
starting from the top. Senior Management need to set the tone for the firm
by spreading awareness of cybersecurity threats and their potential impact
on the business by instituting annual information security awareness
trainings and sending regular reminders about basic security protocols.

Manage: The fourth and final pillar of an effective cyber security defence
programme relates to managing key third party relationships with vendors,
and at a higher level, taking a strong position on risk management across
the firm. Managers must work closely with all their third party service
providers to understand how their cyber security programmes are designed
and ensure the data and assets of the investment firm are protected from
internal and external threats.

Emerging managers face a tough landscape from regulators and stiff
competition for investors, therefore making early investments in cyber
security protections is critical to demonstrating preparedness and forging
successful investment endeavours. From day one, start-up alternative firms
must operate at an institutional-level, vaulting themselves into
competition with established funds and validating the operational
excellence that has come to be expected of them.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160708/919f2b72/attachment.html>