04/22/2024 | News release | Distributed by Public on 04/22/2024 07:53
How executives in the office can lead for security in a WFH world
Work-from-home (WFH) has created cybersecurity challenges for businesses in every industry, and buy-side finance is no exception. Much of the discussion about WFH security is focused on at-home employees, or how IT teams can make things safer. But it's also crucial to consider the role of executives back at the office. In this final post in our series on WFH cybersecurity, we'll address the C-suite directly. Here are our recommendations for leaders who want to build a culture of security in their organizations:
WFH and hybrid technology environments are fundamentally different from traditional office IT environments behind the corporate firewall. For this reason, your IT and security teams, as well as your WFH employees, will need a different set of tools in order to ensure cybersecurity. Here are the top three considerations:
Endpoint protection: A robust EDR (endpoint detection and response) or MDR (managed detection and response) solution is needed to protect endpoints at home as well as in the office.
Updates and patching: For IT to keep your employees' off-site devices updated and patched, it will likely need a separate toolset (e.g., Microsoft Intune or similar).
Mobile device management: MDM or EDM tools help ensure all employees' devices are patched, up to date, and following the correct security policies, no matter where they're working.
The software platforms and apps your organization uses may already have additional security features built-in. But these features can't help you if you don't take advantage of them.
One key example is multi-factor authentication (MFA). This is available for many apps and services, and is the single best way to prevent an account breach if an employee's password is compromised. But if MFA isn't enabled, it can't protect you.
Talk to your IT team about turning on MFA for every app and web service in your organization, especially those used by your at-home employees. Then ask them whether there are other available security features or tools that you could be leveraging for better cybersecurity.
In buy-side finance, small and medium organizations often lack the technical resources of their peers in other sectors, even though they are managing far larger amounts of money on a daily basis. This makes you a tempting target for bad actors.
Rather than trying to reinvent cybersecurity, and overburdening your overstretched IT team in the process, find a managed service provider (MSP) to help you with your WFH security challenges. An existing third-party IT provider is a good place to start your search. But ideally, your MSP partner for WFH security will have a strong track record of successfully completed cybersecurity projects and extensive industry-specific experience.
A good service provider should also be able to offer your employees 24/7 support no matter where they are, a critical capability in the always-on world of work-from-home and work-from-anywhere.
Despite the best of security precautions, organizations may suffer cyber incidents and service outages. For this reason, it's important to have clear incident response plans, policies, and procedures.
Executives have a vital role to play in creating and defining an organization's disaster recovery (DR) plan and business continuity plan (BCP). In particular, leaders have a good overview of the organization's structure as a whole, and will be able to help ensure that DR and BCP planning encompass the entire business, not just a handful of roles or mission-critical departments.
In addition, external vendors should be included in incident response plans. Here too, leaders have the big-picture perspective on operations, as well as the business relationships, to help make this possible.
After comprehensive incident response plans are created, they need to be periodically tested and validated to ensure that they will work as intended in a real emergency, and to account for changes that may require an update.
For example, DR plans should be tested under near real-world conditions. It's not enough to set up a DR environment in a "bubble" and simply verify that it can be accessed. A true DR test will involve key personnel actually failing over to the DR environment from the production environment and operating there for an extended period of time before failing back to production.
Leaders have the authority to mandate that DR and BCP tests are conducted regularly and that they are genuine audits of incident response plans. In addition, leaders should be involved in reviewing the results of incident response tests to ensure that updates and corrections are made as needed.
If a cyber incident occurs, the IT department or the MSP will be the first to know, and the emergency response plan will be initiated. But executives need to be involved in the decision-making process from the first critical moments of the response.
This is important because in the early stages of an incident, there are many key decisions to be made. How will the incident be communicated to regulators and stakeholders, and when? Who will be the main point of contact: a PR person or general counsel? How will your organization deal with time-sensitive threats or demands for ransom payments if you are attacked by cybercriminals? Before an incident occurs, be sure to define your role in the response plan.
Done right, security training is one of the most powerful tools in the fight against cyber criminals. But unfortunately, far too many organizations treat training as a mere regulatory requirement: a somewhat irritating box to check once per year.
Leaders have the unique ability to influence their organization's culture, and to move it from complacency to compliance.
Executives should work with their IT teams and MSPs to implement a robust and frequent program of training that includes phishing simulations, best practices, and general security awareness. In addition, they must drive accountability and performance. The results of each training session should be analyzed in order to identify problem areas. If gaps in knowledge or proficiency are found, corrective action should be taken.
In addition, leaders need to model the behavior they want to see. By leaning into security and holding themselves just as accountable as their teams, executives set the tone for the entire organization. A culture of compliance is built and led from the top down.
Whether you're a hedge fund, private equity or private credit firm, asset manager, or a combination of these, we can help you solve your cybersecurity and technology challenges. We offer a full suite of managed technology services specifically for buy-side firms, including cybersecurity, public and private cloud migration and hosting, and a full MSP offering.
Girish Khilnani co-heads Linedata's Technology Services business, which includes Public and Private Cloud, Cybersecurity, and Managed Services. He's spent nearly two decades managing IT infrastructure, cloud, and global service delivery teams to provide leading-edge solutions for financial institutions. Girish is passionate about enabling operational excellence that supports the specific requirements of hedge funds, private equity, and asset managers.