Overview
Work-from-home (WFH) has created cybersecurity challenges for businesses in every industry, and buy-side finance is no exception. Much of the discussion about WFH security is focused on at-home employees, or how IT teams can make things safer. But it’s also crucial to consider the role of executives back at the office. In this final post in our series on WFH cybersecurity, we’ll address the C-suite directly. Here are our recommendations for leaders who want to build a culture of security in their organizations:
Give your teams the right tools for the job
WFH and hybrid technology environments are fundamentally different from traditional office IT environments behind the corporate firewall. For this reason, your IT and security teams, as well as your WFH employees, will need a different set of tools in order to ensure cybersecurity. Here are the top three considerations:
Endpoint protection: A robust EDRR or MDRR solution is needed in order to protect endpoints at home as well as in the office.
Updates and patching: For IT to keep your employees’ off-site devices updated and patched, they will likely need a separate toolset (e.g., Microsoft Intune or similar).
Mobile device management: MDM or EDM tools help ensure all employees’ devices are patched, up-to-date, and following the correct security policies—no matter where they’re working.
Look for easy wins
The software platforms and apps your organization uses may already have additional security features built-in. But these features can’t help you if you don’t take advantage of them.
One key example is multi-factor authentication (MFA). This is available for many apps and services, and is the single best way to prevent an account breach if an employee’s password is compromised. But if MFA isn’t enabled, it can’t protect you.
Talk to your IT team about turning on MFA for every app and web service in your organization—especially ones used by your at-home employees. Then ask them if there are other available security features or tools that you could be leveraging for better cybersecurity.
Find the right partner
In buy-side finance, small and medium organizations often lack the technical resources of their peers in other sectors, even though they are managing far larger amounts of money on a daily basis. This makes you a tempting target for bad actors.
Rather than trying to reinvent cybersecurity, and overburdening your overstretched IT team in the process, find a managed service provider (MSP) to help you with your WFH security challenges. An existing third-party IT provider is a good place to start your search. But ideally, your MSP partner for WFH security will have a strong track record of successfully completed cybersecurity projects and extensive industry-specific experience.
A good service provider should also be able to offer your employees 24/7 support no matter where they are—a critical capability in the always-on world of work-from-home and work-from-anywhere.
Plan for the unexpected...
Despite the best of security precautions, organizations may suffer cyber incidents and service outages. For this reason, it’s important to have clear incident response plans, policies, and procedures.
Executives have a vital role to play in creating and defining an organization’s disaster recovery (DR) plan and business continuity plan (BCP). In particular, leaders have a good overview of the organization’s structure as a whole—and will be able to help ensure that DR and BCP planning encompass the entire business, not just a handful of roles or mission-critical departments.
In addition, external vendors should be included in incident response plans. Here too, leaders have the big-picture perspective on operations—as well as the business relationships—to help make this possible.
...test your plan...
After comprehensive incident response plans are created, they need to be periodically tested and validated to ensure that they will work as intended in a real emergency—and to account for changes that may require an update.
For example, DR plans should be tested under near real-world conditions. It’s not enough to set up a DR environment in a “bubble” and simply verify that it can be accessed. A true DR test will involve key personnel actually failing over to the DR environment from the production environment and operating there for an extended period of time before failing back to production.
Leaders have the authority to mandate that DR and BCP tests are conducted regularly and that they are genuine audits of incident response plans. In addition, leaders should be involved in reviewing the results of incident response tests to ensure that updates and corrections are made as needed.
...and be part of the plan
If a cyber incident occurs, the IT department or the MSP will be the first to know, and the emergency response plan will be initiated. But executives need to be involved in the decision-making process from the first critical moments of the response.
This is important because in the early stages of an incident, there are many key decisions to be made. How will the incident be communicated to regulators and stakeholders, and when? Who will be the main point of contact—a PR person or general counsel? How will your organization deal with time-sensitive threats or demands for ransom payments if you are attacked by cybercriminals? Before an incident occurs, be sure to define your role in the response plan.
Train for security—and lead by example
Done right, security training is one of the most powerful tools in the fight against cyber criminals. But unfortunately, far too many organizations treat training as a mere regulatory requirement: a somewhat irritating box to check once per year.
Leaders have the unique ability to influence their organization’s culture—and move it from complacency to compliance.
Executives should work with their IT teams and MSPs to implement a robust and frequent program of training that includes phishing simulations, best practices, and general security awareness. In addition, they must drive accountability and performance. The results of each training session should be analyzed in order to identify problem areas. If gaps in knowledge or proficiency are found, corrective action should be taken.
In addition, leaders need to model the behavior they want to see. By leaning into security and holding themselves just as accountable as their teams, executives set the tone for the entire organization. A culture of compliance is built and led from the top down.
To Remember
- Executives must recognize that WFH cybersecurity demands new tools and must adequately equip their teams to secure the organization.
- Leveraging the security tools and features already available to you is a good place to start when attempting to improve WFH cybersecurity.
- Finding the right service provider to help you with WFH security issues is important, and will take pressure off of your technical personnel (who likely have enough on their plates already).
- Incident planning is essential, but is not a “one and done.” BCPs and DR plans must be regularly tested, validated, and updated.
- Lean into cybersecurity leadership to foster a culture of compliance at your organization.
About Linedata Technology Services
Whether you’re a hedge fund, private equity or private credit firm, asset manager, or a combination of these, we can help you solve your cybersecurity and technology challenges. We offer a full suite of managed technology services specifically for buy-side firms, including cybersecurity, public and private cloud migration and hosting, and a full MSP offering.
About the author
Girish Khilnani co-heads Linedata’s Technology Services business, which includes Public and Private Cloud, Cybersecurity, and Managed Services. He’s spent nearly two decades managing IT infrastructure, cloud, and global service delivery teams to provide leading-edge solutions for financial institutions. Girish is passionate about enabling operational excellence that supports the specific requirements of hedge funds, private equity, and asset managers.