For many organizations, investment offices and otherwise, cyber security is somewhat of a mystery. This lack of clarity surrounding cyber security for investment offices has, unfortunately, created a number of misconceptions across management as to the best approaches.
It’s important for all organizations to hold the notion that cyber security isn’t just an IT problem. Many organizations assume that because they have in-house technical expertise, their cyber exposure is something for the technicians to worry about.
But no longer are the computers and access devices just part of the IT department. People are accessing the company’s network on a number of devices, and each has its vulnerabilities. The IT department can put up firewalls and other defenses; however, staff, user management and policies are also important when managing cyber risk.
The weakest link in the security chain is the human link. We can use all the superior technical tools and security products available on the market, but if we don’t have the proper awareness and knowledge from users, they remain the biggest threat.
Risks come from something as simple as leaving a computer turned on in an empty office during lunch or stepping away from a laptop at a coffee shop. There are certainly much more complex scenarios, but this is often where it starts.
Having a security policy for employees to live by is an important first step. The next important step is ensuring employees know about the policies and follow them, and that they know the consequences should they violate those policies. That means training to increase awareness and communicating around those policies when violations occur.
It’s essential that managers take ownership of this challenge. Actions speak louder than words. They have to demonstrate interest in protecting and educating employees about policies, following them and being proactive with communications regarding potential security issues.
While most software does come with some security measures, they may not be activated out of the box, and they likely need to have some parameters set and selections activated. In many cases, however, there are additional tasks that need to be considered to instill confidence in the security of those applications. These activities are typically part of the IT organization’s responsibilities; however, IT needs the cooperation of every employee to ensure the correct processes are followed to minimize risk.
Staff, policies, education and awareness are all part of best practices for cyber security. But the truth is it’s a matter for the entire organization and everyone plays a role in security. The following is a list of best practices that we’ve shared with clients recently.
This list is certainly not exhaustive but does demonstrate how every employee can help or hinder security and the risk to company data. Encourage employees to report breaches and known risks, and make security a part of regular company meetings and discussions. If everyone knows they have a role to play and understands how they can help reduce risk, you’ll create a desirable culture around company data and security.