Over the last year there has been no shortage of things to keep investors, asset managers, and risk managers concerned. Despite these exogenous shocks most equity markets have continued to shake off these events with measures of volatility remaining muted. There are always additional risks lurking and the WannaCry ransomware attack highlighted one of the largest.
The WannaCry cryptoworm, launched in May 2017, exploited a vulnerability within Windows to remotely lock computers and demanded Bitcoin payment to unlock them. The vulnerability was first found by the U.S. National Security Agency who chose to exploit the weakness for its own use instead of reporting it to Microsoft. Hackers released the vulnerability data in a breach of the NSA’s own servers, allowing Microsoft to issue a critical patch. An estimated 230,000 computers in 150 countries had already been infected.
Cybersecurity is an increasingly important risk. In the past, due diligence trips to managers and vendors would focus on investment and operational process, depth of team, compliance, risk management, and would touch on a firm’s infrastructure and business continuity plan. Today, an increasing amount of time is spent understanding a firm’s data and systems as well as the policies and procedures in place to protect them. Similar attention is being paid to cybersecurity readiness by the financial market regulators.
An organization can best defend itself from threats like the WannaCry virus by implementing four elements of an information and cyber security plan.
Identify
It is imperative that organizations of all sizes seek to identify their most critical and sensitive information in order to construct stronger defenses around those “crown jewels.” While a unified, standard approach to security for all data and systems may sound appropriate, organizations may be misallocating resources by over-securing lower priority elements and under-protecting the most vital information. Classification and prioritization of key data is essential to implementing controls that are commensurate with the risk severity and level of potential impact to the business. Outside resources can be utilized to augment the efforts of internal management and information technology personnel to audit and monitor this process and its results.
Plan
A proper information security policy should be developed collaboratively to focus on the following areas: people and policy security, operational security, insecure Software Development Life Cycle (SDLC), physical security, third-party relationships, network security, platform security, and application security. Implementation and enforcement of these policies and procedures requires defined processes for effective dissemination, ensuring that they are understood and available at all times, while enforcing compliance through audits and potential disciplinary actions.
Protect
Once an organization has identified their crown jewels and put a plan in place for securing them, the next step is executing the plan. The focus is on people, process, and technology. Insufficiently trained personnel are often the weakest link in an organization’s security perimeter and are the target of sophisticated social engineering attacks. It is crucial to provide adequate security awareness training to all new hires, as well as ongoing training to current employees. Process encompasses the day to day operational and technological steps that an organization takes, forming the intersection point of planning and testing. Some of the practices involved include: third party risk management, compliance and audit, asset management, monitoring and operations, and vulnerability and patch management. The technological environment within an organization itself needs to be built securely. Secure network design, secure builds, authorization, and malicious code prevention help to create the proper backbone for security.
Test
Even with the strongest protections in place, the continuous stream of real world attacks means that eliminating every threat is virtually impossible. Third-party specialists are used to leverage their expertise in stressing and identifying weaknesses. Vulnerability assessments broaden and deepen awareness of threats, attacks, vulnerabilities, and the effectiveness of existing controls. Penetration testing is the practice of probing a computer system, network or web application to find security weaknesses that an attacker could exploit. These assessments and tests should be conducted on a recurring basis with the frequency dependent on the risk tolerances of the system being addressed. Organizations should conduct table-top exercises and regularly test their incident response, disaster recovery, and business continuity programs internally. Regular and routine phishing tests aimed at employees strengthen awareness and mitigate social engineering risks.
Cybersecurity risk is real. Organizations that can properly leverage internal and external resources to identify their crown jewels, put a comprehensive security plan in place, protect their data and systems through sound execution, and continually test and improve their defenses are most likely to remain unharmed. Institutions should seek the same rigorous security approach from each entity with which they conduct business. The threat landscape is always evolving and organizations that fail to evolve with it will eventually be exposed. Despite best efforts and intentions, people remain the biggest risk. Educating employees is paramount. As an information security officer from a global asset manager stated in a recent diligence meeting, “you can’t patch stupid or careless.”
