The Future of Cybersecurity: The Hybrid Workforce Is Up Against a Much Larger Threat Vector

By | Managed Services News

May 23

As cybercrime spikes along with higher work-from-home staff levels, companies need to step up security.

Align's Vinod Paul

Cybersecurity has shifted beyond being a recommended best practice; it’s quickly becoming a legal requirement for organizations across industries. The Securities and Exchange Commission has recently proposed a series of new cybersecurity compliance, reporting and disclosure rules for the investment management industry.

As the hybrid workforce continues to carve a place for itself in the corporate world, the attack surface for cyberthreats has gained ground with equal fervor. Threat actors are quicker than ever at exploiting whatever vulnerabilities they can grab. And with recent data from Microsoft showing that 81% of enterprise organizations have begun the move toward a hybrid workplace, and 31% of those surveyed having already fully adopted it, cybercriminals have a whole new plane of opportunities at their disposal.

According to the FBI, there’s been a 300% increase in cybercrimes since the beginning of COVID-19. To keep up with the ever-evolving cyber dangers, organizations are applying various security controls to strengthen their security perimeters.

To make matters more pressing, following the Russian attack on Ukraine, CISA has recommended that U.S. organizations apply “Shields Up” heightened security precautions due to the high probability that we will continue seeing cyberattacks against Ukrainian-allied governments and interests. While there have yet to be any credible attacks on the United States, CISA predicts it’s only a matter of time before adversaries leverage cyberattacks.

Cybersecurity Tips

What’s the solution? Here are some cybersecurity tips at both the enterprise and employee level.

What Your Company Should Do:

  • Implement a model cybersecurity program. This includes regular cyber training and security awareness updates, which will not only help employees adopt best practices in their day-to-day activities, such as good password hygiene and management, privacy settings, end-user verification, and more, but will also help them learn how to identify dangerous and potentially costly scams. For example, some of the most nefarious attacks cleverly leverage social media to attack a firm via phishing. A routine cyber test in this regard could help identify employees who need additional training.
  • Adopt a “zero trust” strategy. This strategy follows a “never trust, always verify” approach. Organizations can no longer just rely on network firewalls and VPNs to isolate and restrict access in a workforce that operates beyond traditional network boundaries, especially when using cloud-based services.
  • Deploy multifactor authentication (MFA). MFA can help weed out threats by requiring an additional layer of end-user verification across various employee activities, including remote and administrative access.
  • Prioritize vulnerability management. Traditional patch management cycles leave too large a window for potential threats. Modern, risk-based vulnerability management tools prioritize vulnerabilities according to which fixes reduce the biggest risks to your business, and help address any new or known exploited vulnerabilities identified via CISA.
  • Protect personally identifiable information (PII). Use a secure file transfer system that encrypts PII, such as Social Security numbers, bank account numbers, or an email address combined with its password or security question and answer, and that allows only the authorized recipient to access it.
  • Know where your data is. Your data may be “in the cloud,” but the importance of knowing exactly where your data is stored and where it travels to cannot be overstated. It’s critical to “gate” data from leaking outside of a corporate infrastructure, whether that infrastructure is cloud or physical service based.
  • Approach cybersecurity risk management with layers. There is a misconception that deploying one technology stack or set of tools puts firms in a better cybersecurity posture. The best defensive strategy leverages technologies and services that augment and complement a cybersecurity program designed to protect a firm’s data within the new hybrid workforce.

What Employees Should Do:
