Keeping up with the myriad of cyber security requirements expected of today’s financial firms is a daunting – and sometimes unachievable – task. This list continues to grow in size and scope, and remembering how often to perform tests or when to change passwords is a growing challenge for CTOs and business execs responsible for technology.
To assist in guiding your firm with its cyber plan implementation, we’ve outlined a basic calendar of security reminders to help you stay on track. Listed in order of frequency, here’s how often you should plan to take these security steps:
3 months: Change your passwords.
At least every 90 days, we recommend changing your network, system and application passwords to prevent intruders from gaining unauthorized access. Remember: password creativity is critical, and password re-use is a big no-no.
3-6 months: Conduct a simulated phishing exercise.
Phishing is one of the most effective, and thus most dangerous, social engineering scams in use today; it deceives and manipulates users into granting access, sharing confidential information or, in many cases, making financial transactions. Simulated phishing exercises (whether conducted by your firm itself or via a managed service provider) are the most effective way to test users’ knowledge of email threats and train them to be cyber aware. Most firms opt to perform quarterly phishing tests, but semi-annual exercises are commonplace as well.
3-6 months: Require remote access testing for business continuity.
On at least a quarterly basis, firms should require a range of users to test their remote access capabilities as part of the company’s overall business continuity plan. Remote testing should cover every connectivity option (e.g. VPN connection, Citrix application access, web applications, etc.), and users should verify their ability to access firm networks, systems and applications at every level. Remote testing is a critical element of BCP planning and ensures the organization can function properly in the event that office locations are inaccessible due to security, weather or other disaster-related incidents.
6 months: Conduct a vulnerability assessment (internal/external) and/or penetration test.
Twice per year, financial firms, including hedge funds and private equity firms, should plan to perform vulnerability assessments and/or penetration tests to identify potential vulnerabilities inside and external to the network. With these assessments complete, firms can then leverage their IT provider to remediate issues and make recommendations for proactive improvements. If you’re confused about the difference between VAs and pen tests, read our comparison article here.
6 months: Test your disaster recovery systems.
If and when a disaster strikes – and that includes cybersecurity incidents that may put your firm’s network or systems in jeopardy – you want to ensure your confidential data is protected at all times. For that peace of mind, it’s essential to test your disaster recovery (DR) systems at least every six months. Full failover exercises are particularly effective in preparing firms for a real DR event, but some services can also be tested in ways that avoid any disruption to the production environment.
6-12 months: Perform third party vendor risk assessments.
Vendor risk management is top of mind for organizations today, particularly for those that rely on numerous outsourced and managed service providers to support daily business operations. With regard to cybersecurity, it’s imperative to assess your third party vendors to verify that their security measures and protocols are in line with your firm’s needs and expectations. At least once per year (if not twice), connect with your third parties to get a review of their IT systems and cyber practices and obtain updated policy documentation. In today’s fast-paced cyber environment, preparedness methods are changing rapidly, and thus firms need to stay up-to-date on how their vendors are addressing and mitigating risk.
6-12 months: Conduct internal tabletop exercises for Management and/or Incident Response teams.
Much like remote access and DR testing, the easiest way to understand how a user – and the firm as a whole – would experience a cyber incident is to go through the motions. Tabletop exercises bring together internal stakeholders from Senior Management and/or your Incident Response team to work through scenario-based exercises and identify gaps in continuity and response planning. Tabletops can be conducted in person or virtually, but should occur at least annually to ensure that changes to the cyber threat landscape and to the business itself are incorporated into the exercises.
12 months: Complete formal employee infosec training.
Information security awareness training is perhaps one of the most underrated and underappreciated areas of a cybersecurity program. As social engineering schemes ramp up and attackers target individual users as a means to invade corporate networks, training becomes critical. At least annually, financial firms should require all employees to complete formal infosec training (either virtual or in person). Training should include an overview of common threats (e.g. phishing, malware, etc.) as well as best practices for mitigating those risks and an overview of corporate security policies.
12 months: Review and update internal security documentation.
Speaking of policies, they must be reviewed and updated at least once per year (and on an ad hoc basis in response to organizational changes as well). All corporate security documentation should be considered “living”, meaning it is consistently updated to meet changing threats, comply with new and existing compliance initiatives and keep the firm ready to respond to a security threat or incident. Documentation that should be reviewed at least annually includes, but is not limited to:
- Business continuity plans (BCP)
- Written information security plans (WISP)
- Access Control policies
- Acceptable Use policies
- Incident Response plans
3 years: Conduct an IT hardware refresh.
One area of cybersecurity you may not have considered adding to your calendar is a technology refresh. Even if you’re already leveraging cloud services to access files or host applications, you still house on-site IT equipment – and it doesn’t last forever. In fact, most technology nowadays, including servers, workstations, PCs, etc., is lucky to last more than three or four years without incurring some sort of issue or malfunction. To head off these headaches, firms should look to assess their hardware around the three-year mark and conduct refreshes of on-site equipment. Legacy systems and software, as we saw with the recent WannaCry incident, can add unnecessary risk to the firm’s network and lead to more serious incidents across the organization.