The threat landscape has transformed in recent years, and the trusted old combination of a firewall and anti-virus software is no longer adequate protection against the more sophisticated attacks we’re seeing these days.
A “belt and suspenders” approach with more layers of defense is needed: web security solutions, intrusion prevention services, anti-spam, and more.
To determine which protective layers meet an investment advisory firm’s needs, we’re seeing more and more managers turning to security assessments with network vulnerability testing at their core.
Vulnerability testing, also known as vulnerability analysis or assessment, is a procedure that identifies and categorizes the externally facing security flaws in a company’s IT infrastructure.
Running vulnerability tests can determine how effective proposed countermeasures will be and even evaluate how well they performed after they were implemented (rather than dealing with them in response to a crisis).
Vulnerability analysis consists of several steps:
Defining and Classifying Infrastructure Resources
Every resource on the system or network that could be a potential target for a cyber attack is defined and classified. This includes onsite servers, desktop PCs, laptops, tablets, smartphones, switches, routers, and firewalls.
Cataloguing resources that are used to deliver online services and contain confidential firm data makes it easier to pinpoint the source of a DoS (Denial of Service) attack, hack attempt, or malware opportunity.
Assigning Relative Levels of Importance to Every Resource
There are many potential points of failure when evaluating possible vulnerability exposure. Which components are the most vulnerable? Which resources are instrumental in maintaining business continuity and/or contain sensitive files? All machines and devices need an importance level assigned to them so that corrective measures can be taken on the basis of how urgent the problem is.
In the case of a multi-target attack, web servers would take priority over smartphones. For “data leakage,” smartphones and USB drives would be a high priority. With malware prevention, GPOs (Windows Group Policy Objects) might hold a high ROI for review and prevention adjustment.
Identifying Potential Threats
This stage is occasionally performed using techniques known as ‘ethical hacking’. Internet security experts or specially designed software packages intentionally probe a system or network to locate weaknesses. The results are used to develop defenses to genuine hack attempts.
Putting Together a Plan to Deal with More Serious Problems First
Once security holes have been pinpointed and plugged, a remediation plan must be formulated to address issues so that they don’t become future crises. Senior managers need to:
- Document the steps for making major decisions, such as quarantining any areas of the network that have been infiltrated
- Identify the personnel who are integral to incident response and business continuity
- Ensure that response plans are available to all employees in the firm, and that everyone knows what they need to do in the event of a security breach
Defining and Implementing Ways to Minimize Attack Consequences
As they say in the security industry, “it’s not a matter of if – it’s a matter of when”. No matter how sophisticated a firm’s security is, it will be attacked sooner or later. Backing up data routinely, distributing the disaster recovery plan, and ensuring that systems are in place to keep operations going will minimize the consequences of a security breach. The following steps are also recommended to ensure data integrity:
- Encrypt all sensitive data so it becomes harder for attackers to steal
- Provide employees with access only to the files and applications they need to do their jobs
- Implement a two-factor authentication process: do not rely on passwords alone
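The classification, importance and "more serious problems first" steps above can be sketched in code. This is an added example, not part of the original article: the asset names, importance weights and findings are constructed, and scoring a finding as importance times severity is an assumption rather than a method the article prescribes.

```python
from dataclasses import dataclass

# Importance per asset class and scenario (1 = low, 5 = high). Constructed
# weights that follow the article's ordering: web servers outrank smartphones
# in a multi-target attack; smartphones and USB drives rank high for leakage.
IMPORTANCE = {
    "multi_target": {"web_server": 5, "file_server": 4, "firewall": 4,
                     "laptop": 2, "smartphone": 1, "usb_drive": 1},
    "data_leakage": {"web_server": 2, "file_server": 4, "firewall": 1,
                     "laptop": 3, "smartphone": 5, "usb_drive": 5},
}
# Assumption: a device missing from the inventory is treated as top
# importance until someone classifies it.
UNCLASSIFIED = 5

@dataclass(frozen=True)
class Finding:
    asset: str     # hostname or device label
    issue: str
    severity: int  # 1 (low) .. 4 (critical), as a scanner might report it

def rank(findings, inventory, scenario):
    """Order findings most urgent first for the given threat scenario."""
    weights = IMPORTANCE[scenario]
    def score(f):
        kind = inventory.get(f.asset)  # None when the asset was never catalogued
        return weights.get(kind, UNCLASSIFIED) * f.severity
    # Sort by descending score; break ties by asset name for stable output.
    return sorted(findings, key=lambda f: (-score(f), f.asset))

# Constructed sample inventory and scan findings.
INVENTORY = {"web01": "web_server", "fs01": "file_server",
             "ceo-phone": "smartphone", "fw-edge": "firewall"}
FINDINGS = [
    Finding("web01", "outdated TLS configuration", 3),
    Finding("ceo-phone", "no device encryption", 3),
    Finding("fs01", "share readable by all staff", 2),
    Finding("fw-edge", "management interface exposed", 4),
    Finding("printer-7", "default admin password", 2),  # not in inventory
]

if __name__ == "__main__":
    for scenario in IMPORTANCE:
        print(scenario)
        for f in rank(FINDINGS, INVENTORY, scenario):
            print(f"  {f.asset:10} {f.issue}")
```

The same five findings come out in a different remediation order for each scenario, and the uncatalogued printer ranks near the top in both until it is classified.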
The financial services industry has a more advanced level of duty to its clients. Safeguarding client information as well as your reputation is critical to your success as an investment advisor. If a vulnerability analysis detects security holes, act quickly. There are many ways to address your newfound vulnerabilities, from business continuity software packages to security assessment and remediation services. But the first and most important point is to do something.
Has your investment firm used vulnerability testing on its network and systems? And does it do it on a recurring basis? Let us know your thoughts in the Comments box below.