Cyber Security 101 For Small Firms (10/25/19)
Front of Mind This Week: Cyber Security
As I was streaming the Senate Banking Committee's hearing on CAT this week (Tuesday), I watched closely as FINRA & FINRA CAT staff responded to cyber security-focused questions from Committee members.
When the issue of cyber security was raised by SBC members, witnesses replied that FINRA member firms "...are all required, as registered broker dealers, to maintain adequate security programs..." and "...broker dealers are subject to both review by FINRA, as well as adhering to best practices with regard to security practices, so many broker dealers...have a very large and robust security program...(including) account and identity management, multi-factor authentication, granular role based access controls...".
As a small firm community member, I found those responses troublesome because, while certainly some of the 3200 small firms around the country are up to speed on and fully conversant in cyber security best practices and maintain robust cyber security policies, procedures and infrastructures, many others do not and I would hope that FINRA knows this. A significant portion of our community of small firms are not able to be actively engaged on this topic due to resource limitations (financial and human), disproportionate regulatory compliance burdens, crushing PCAOB audits, rising regulatory fee environment, collapsing margins, etc etc etc.
In an effort to help bridge this gap for firms who might need this assistance, I am going to run a series on cyber security-focused content. This series will contain both original content and imported content from various sources, all with one goal: to increase your awareness and understanding of cyber security (in general) and the need for small firms to undertake the task of creating and implementing dynamic cyber policies and procedures.
It is my hope that this information proves helpful to small firm executives. As always, I welcome your feedback.
CYBER SECURITY 101 FOR SMALL FIRMS:
It’s nearly impossible to run a business today without an Internet presence and an Internet connection. Everyone from the tiniest one-person companies to the largest conglomerates utilizes the Internet for transactions, communication, information sharing, marketing, payment processing, and more.
With all that connectivity comes the risk of exposing sensitive information, downed websites due to attacks, and corrupted or compromised internal networks from viruses and hackers. Once the damage is done, it’s hard and expensive to repair. The best way to minimize your online risk is to put safeguards in place before you have issues.
Try some of these cyber security tips to keep your small business protected:
Build a firewall
A firewall is a barrier between your internal network and the rest of the Internet. It is the gateway for incoming and outgoing traffic and can block suspicious activity before damage is done. A variety of firewalls are available, including software-based and hardware-based options. Work with a cyber security expert or your Internet service provider (e.g., Comcast) to assess your level of threat and choose the best options for your company. They can also help you customize your firewall with the features that make the most sense for your network, data and budget.
Encourage individual computer safety
Firewalls do you little good if your employees invite viruses and malware into your network via their work computers, so start by installing antivirus software on every machine. No matter how savvy your employees are, malicious content can slip through, and antivirus software will provide a safety net for your entire network. Be sure all updates are downloaded, installed and active on every machine, too.
In addition to installing software protection, it’s important to train employees on safe and appropriate use of their work computers, starting with the following guidelines:
--Don’t click on links from unknown sources or unexpected links from trusted sources. Train your employees to ALWAYS look at the sender's email address; this is one of the easiest ways to determine whether the source is invalid and untrustworthy. When in doubt, ask the sender before opening it.
--Don’t download software and apps without approval from your manager.
--Report suspicious behavior on your computer, such as windows popping up, unexpected errors, slow load and processing times, and unusual emails from unknown addresses.
--Use complex and secure passwords and update them regularly.
--Maintain physical control of all devices and passwords.
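For firms with someone on hand to script it, the "look at the sender's email address" habit can also be automated. The Python sketch below is an added example, not part of the original article; the trusted domains, the sample headers and the function names are assumptions made up for illustration. It goes slightly beyond the tip above by also flagging look-alike domains and a Reply-To address that points somewhere other than the sender.

```python
import difflib
import re
from email.utils import parseaddr

# Assumption: domains this firm treats as its own or as known counterparties.
TRUSTED_DOMAINS = {"examplefirm.test", "clearingpartner.test"}
ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(address):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def sender_warnings(from_header, reply_to_header=""):
    """Return reasons to distrust a sender; an empty list means none were found."""
    display, address = parseaddr(from_header)
    domain = domain_of(address)
    if not domain:
        return ["unparsable: From header has no usable email address"]
    warnings = []
    # The display name is free text chosen by the sender; only the address counts.
    shown = ADDRESS_IN_TEXT.search(display)
    if shown and shown.group(1).lower() != domain:
        warnings.append(f"display-mismatch: name shows {shown.group(1)}, mail is from {domain}")
    # A domain that is almost, but not exactly, a trusted one is a look-alike.
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
                warnings.append(f"lookalike: {domain} resembles {trusted}")
    # Replies routed to a different domain than the one that sent the message.
    reply_domain = domain_of(parseaddr(reply_to_header)[1])
    if reply_domain and reply_domain != domain:
        warnings.append(f"reply-to-mismatch: replies go to {reply_domain}")
    return warnings

# Constructed sample headers (not taken from real mail).
SAMPLES = [
    ("Jane Doe <jane@examplefirm.test>", ""),
    ('"ceo@examplefirm.test" <ceo@examp1efirm.test>', ""),
    ("Clearing Desk <ops@clearingpartner.test>", "payments@freemail.test"),
]

if __name__ == "__main__":
    for from_header, reply_to in SAMPLES:
        print(from_header, "->", sender_warnings(from_header, reply_to) or "no warnings")
```

A message that produces any warning is one to verify with the sender through a separate channel before opening links or attachments.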
Create a virtual private network
If you have remote employees and/or work with sensitive information, you’ll likely want to establish a virtual private network (VPN). As remote employees connect to your business network, the data they send may go through a public network or their own Internet service provider. These pathways make the data vulnerable to networking security threats. A VPN allows users to communicate with a server via a hidden connection, often likened to a tunnel, to protect the data they transmit.
Add external website hosting protection
For most small businesses, websites are hosted on external servers outside of the company network. While your internal network may be protected and monitored, your website may still be exposed to attack. In this case, your Web host might be able to help you to lock down your site from malicious behavior. These tips can also help keep your site in good shape:
--Keep server-based apps updated. Outdated apps often have unpatched security holes that hackers will know about and exploit.
--Use HTTPS rather than HTTP. It’s a more secure protocol and is becoming the standard for websites. It does require installing a security certificate — typically your Web host can help with this. Your customers will notice your investment in their security.
--Avoid unnecessary tools and features on your site. The more you install, the more chances you create for a security hole or other problem.
--Install a security plugin or app to help you manage your site’s protection.
--As mentioned above, choose secure passwords and update them regularly.
These four practices can help keep your small firm safe from some cyber security threats.
Being proactive can save you time, money, and frustration, so start with these four practices and we will build on this information in future articles in this series.