More than most types of business, financial management firms carry a heavy burden to avoid cybersecurity risk and protect their clients’ sensitive information. Cybercriminals mark them as high-value targets, which in turn creates the need for IT compliance.
Whenever I meet with owners and managers of financial firms to discuss their IT needs, they nod in agreement when I describe cybersecurity attack scenarios they may encounter. They know there are constant attempts to take money from accounts and to gain access to account information. Regardless, we find that nearly all of them do not have effective cybersecurity in place.
Instead, they built their business without a focus on cybersecurity and are not sure how to get started. They may have a template that they got from a peer; they may have even had it reviewed by counsel. While this is a good start, until the organization truly embraces all the controls needed to meet a standard, they really haven’t done the work.
If you are the owner or manager of a financial management organization, this blog will help guide you through the process to ensure your company is up to date with cybersecurity standards.
Step One: Choose An IT Compliance Standard
Because of the sensitivity of your client information, your organization is responsible for maintaining specific cybersecurity compliance standards. You may choose to utilize a common standard (there are several to choose from) or have your own. Luckily, while different, most available standards have a significant overlap. When one standard is understood, the rest are fairly easy to figure out. It’s just a matter of formatting your information to comply with the selected standard.
However, compliance with a standard does not mean your organization is magically free from risk. It’s just the beginning. Standard compliance merely gives you a focal point for improvement of your cybersecurity policies, controls, and audits of controls.
Step Two: Establish Information Security Policies
So what’s next? Establish good information security policies that have several components. You should have policies addressing and declaring standards and controls to be used to manage cybersecurity. Common controls include authentication restriction, remote access, mobile device management, etc. The policy will often include an IT manual that lists some common procedures as they relate to controls.
The best way to put an effective policy in place is to engage a professional service organization that specializes in policies. This organization should be familiar with the policies related to your company’s specific compliance standard.
When writing your policy, don’t try to do it all at once. Instead, build it in parts and pieces over time. Make sure you can truly live by the policies you create and that your staff understands them. It is common to take as long as a year to complete a full policy set.
Step Three: Enforcing Security Policies By Choosing Controls
After you have created your policies, it’s important to have controls in place to enforce them. Controls are essentially the “rules” your systems enforce on your policies’ behalf. Examples include a periodic password change requirement or a multifactor authentication requirement for login.
These controls will determine the cybersecurity readiness of your organization. Be ready and willing to regularly review and improve your controls.
Step Four: Auditing Your Controls
After policies and controls are in place, an often-overlooked component is the audit of your controls. Many organizations have policies and may even have defined controls. However, without auditing the controls, you can never be sure they are actually working.
Summing it Up
So, how does a financial organization meet IT compliance needs? It begins with choosing the right compliance standard for your organization and setting policies to meet it. Next, you will create your controls, and lastly, audit the controls regularly. If you follow all these steps, you’ll be well on your way.
By Karl Bickmore, CEO