Attaining a Viable Cyber Security Program at a Reasonable Price: Is It Possible?
We’ve all heard about the hacks at Sony, Target, and even the U.S. Government. Fortune 500 companies and US government agencies getting hacked is exciting news. Well, actually – it’s terrifying. And even more disturbing is the complexity associated with solving this problem. For a Fortune 500 company, the solution involves throwing money at the problem by hiring another 25-50 cyber security experts and investing another $50-$100m in cyber security. But what if you’re a smaller firm, one no less meaningful to its owners or stakeholders, with a limited IT budget and little to no cyber expertise?
So if you’re Sony or Target or some other global goliath, stop reading now. This article is not about how to protect a multi-billion-dollar company from a North Korean or Chinese Advanced Persistent Threat; it is about how to develop a viable cyber security program that protects a small organization against the most preventable cyber threats while keeping the cost and risks in perspective. It’s the nexus between cyber security, common sense and Pareto analysis (sometimes called the 80/20 rule).
The basic cyber security objective for small business owners is avoiding the most prevalent risks that might disrupt their business or harm their clients. For IBs (introducing brokers), this means having a good understanding of how to protect Personally Identifiable Information (PII, or client data) and communications with the markets, clients and third-party providers. The required NFA ISSP (Information Systems Security Program) is just a start. It is important to understand that at this stage the NFA is primarily focused on protecting PII. However, as a small business owner, you should also focus on the survival of your business. The creation of a viable cyber security program addresses both of these concerns, and focuses on knowledge, best practices, and structured policies that are continuously enforced.
Knowledge is about creating or outsourcing a competency in cyber security, predicated on a basic understanding of your own cyber security vulnerabilities. It is important to understand what the key risks to your business are, and what actions to take given the specifics of your particular situation. If you are going to outsource cyber security, take care to find a provider that understands your industry and your firm. You already understand risk and how it relates to your business; it is critical to have someone who can translate between cyber risk and your business risk. For example, what is important for a discretionary trader might differ from what matters to a systematic trader. There are no “one size fits all” solutions that address these individual concerns. A discretionary trader might need to emphasize back-up and recovery, while a systematic trader will consider defense of “crown jewel code” to be of paramount importance, and an IB will value protection of PII.
Best practices generally focus on a small set of relatively simple security controls that all organizations should address. These practices include controls such as password management, visibility and oversight of the hardware and software that is allowed in your environment, software patch and upgrade management, and web filtering that provides blacklisting (blocking known-bad sites) or whitelisting (allowing access only to approved sites). Ultimately, the “Golden Rule” in cyber security, which goes hand-in-hand with best practices, is to start a security program that addresses the “CIS Critical Security Controls” – more commonly referred to as the SANS (System Administration, Networking, and Security Institute) Top 20 Security Controls. Not all of these controls will apply to your business, but by understanding and reviewing each of them in concert with best practices (generally with the assistance of an IT vendor), you will be well on your way to developing a viable cyber security program.
Written policies are critical to maintaining the cyber security posture you put in place. Making sure that the key cyber controls are in place and that they are being implemented and supervised is now critical for all businesses.
Ultimately, you can attain a viable cyber security program at a reasonable cost. Attaining positive cyber ROI, however, depends on your becoming more knowledgeable in cyber security, addressing industry best practices as an initial approach, and developing policies that support these best practices and that you continue to follow as you move forward.