Why do I need a Cyber Risk Assessment?

Paul Horn
May 8, 2024
5 min read

Is a Cyber Risk Assessment really necessary?

If a client asked you today, "How are you protecting my information from a cyber-attack?", how would you respond? The risk assessment is the confidence you can provide to your customers that you take their information seriously and value it. If you are in a regulated industry, such as the non-banking financial industry (BDs, RIAs, etc.), you are required to have a current risk assessment. What qualifies as current, you might ask? Typically, this is something that is conducted and/or updated twice a year.

What is a Cyber Risk Assessment?

The main principle behind the assessment is for you to understand the risks you face as a business. The key is to assess your business against a realistic set of outcomes. There is no way you are going to put in the same level of security that Frost Bank or Bank of America has. This is why we created a specific assessment that teaches you what we like to call the Basic Arithmetic of Cybersecurity. There are several cyber frameworks out there, but they just are not aligned for small businesses and startups. Using one of them would be like skipping elementary school, going right into middle school, and being placed in a geometry class. How are you going to do geometry if you can't do basic addition, subtraction, multiplication, and division?

The cyber risks you need to evaluate your business against are tied to five key functions: Identify, Protect, Detect, Respond, and Recover. Within each function there are specific areas that need to be evaluated. Let's take a look at an example question for each function below.

- Identify: do you have a current list of hardware and software within your business?

- Protect: are your devices encrypted at rest?

- Detect: do you leverage a managed security service provider to monitor your environment for suspicious activity?

- Respond: do you have a disaster recovery plan in place?

- Recover: do you have an offline and off-site backup to restore from?

Using the same questions above, we then need to answer an additional set of questions tied to the controls in place from a physical, technical, and administrative standpoint. Let's use the Recover answer and assume you back up to an external hard drive.

- Physical: where is the external drive kept, and what security protections are in place to safeguard it? Is it in a fireproof safe, a lock box at the bank, etc.?

- Technical: is the external drive encrypted in the event it is lost or stolen?

- Administrative: is there any mention of the requirement to have an off-site backup in your Information Security Policy? Do you have a documented process to perform the backup?
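As an added illustration (this is not code from the post or its author), the two-level structure described above can be modelled in a few lines of Python: one answer per function, then Physical/Technical/Administrative follow-up answers per function, with a report of gaps, of function/domain pairs that were never reviewed, and of whether the assessment is still current. The sample answers are constructed and follow the post's external-drive backup scenario; the six-month freshness window is an assumed reading of "updated twice a year", and the rule that a "yes" without recorded evidence counts as a gap is also an assumption.

```python
"""Minimal model of a two-level cyber risk assessment (added example).

Level 1: one question per function (Identify, Protect, Detect, Respond, Recover).
Level 2: Physical / Technical / Administrative control questions under each function.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# The five functions and three control domains named in the post.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
DOMAINS = ("Physical", "Technical", "Administrative")
ANSWERS = ("yes", "partial", "no")

# Assumption: "updated twice a year" is read as "no older than about six months".
MAX_AGE = timedelta(days=183)


@dataclass
class Answer:
    function: str                 # one of FUNCTIONS
    question: str
    answer: str                   # one of ANSWERS
    domain: Optional[str] = None  # None for the top-level function question
    evidence: str = ""            # e.g. policy section, runbook name, photo reference


@dataclass
class Assessment:
    last_updated: date
    answers: List[Answer] = field(default_factory=list)

    def add(self, function, question, answer, domain=None, evidence=""):
        """Record one answer, rejecting values outside the fixed vocabularies."""
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function: {function}")
        if domain is not None and domain not in DOMAINS:
            raise ValueError(f"unknown control domain: {domain}")
        if answer not in ANSWERS:
            raise ValueError(f"answer must be one of {ANSWERS}")
        self.answers.append(Answer(function, question, answer, domain, evidence))

    def is_current(self, today: date) -> bool:
        """True if the assessment was updated within MAX_AGE of `today`."""
        return today - self.last_updated <= MAX_AGE

    def gaps(self) -> List[str]:
        """Answers that are not a clean 'yes', plus 'yes' answers with no evidence."""
        out = []
        for fn in FUNCTIONS:
            for a in self.answers:
                if a.function != fn:
                    continue
                label = f"{fn}/{a.domain}" if a.domain else fn
                if a.answer != "yes":
                    out.append(f"{label}: {a.answer} - {a.question}")
                elif not a.evidence:  # assumption: unevidenced 'yes' is still a gap
                    out.append(f"{label}: yes but no evidence recorded - {a.question}")
        return out

    def unreviewed(self) -> List[str]:
        """Functions with no top-level answer and function/domain pairs never asked."""
        out = []
        for fn in FUNCTIONS:
            mine = [a for a in self.answers if a.function == fn]
            if not any(a.domain is None for a in mine):
                out.append(fn)
            for d in DOMAINS:
                if not any(a.domain == d for a in mine):
                    out.append(f"{fn}/{d}")
        return out

    def coverage(self) -> Dict[str, float]:
        """Share of positive answers per function; 'partial' counts half, 'no' zero."""
        weight = {"yes": 1.0, "partial": 0.5, "no": 0.0}
        out = {}
        for fn in FUNCTIONS:
            rel = [a for a in self.answers if a.function == fn]
            out[fn] = sum(weight[a.answer] for a in rel) / len(rel) if rel else 0.0
        return out


def example_assessment() -> Assessment:
    """Constructed sample following the post's backup-to-external-drive scenario."""
    a = Assessment(last_updated=date(2024, 5, 8))
    a.add("Identify", "Current list of hardware and software?", "yes", evidence="asset register")
    a.add("Protect", "Devices encrypted at rest?", "partial")
    a.add("Detect", "MSSP monitoring the environment for suspicious activity?", "no")
    a.add("Respond", "Disaster recovery plan in place?", "yes")
    a.add("Recover", "Offline and off-site backup to restore from?", "yes", evidence="backup runbook")
    a.add("Recover", "External drive kept in a fireproof safe or bank lock box?", "yes",
          "Physical", evidence="photo of safe")
    a.add("Recover", "External drive encrypted in case of loss or theft?", "no", "Technical")
    a.add("Recover", "Off-site backup required by the ISP and the process documented?",
          "partial", "Administrative", evidence="ISP section on backups")
    return a


if __name__ == "__main__":
    asmt = example_assessment()
    print("current:", asmt.is_current(date.today()))
    print("gaps:", *asmt.gaps(), sep="\n  ")
    print("never reviewed:", *asmt.unreviewed(), sep="\n  ")
    print("coverage:", asmt.coverage())
```

Running the module prints the open gaps (the unencrypted drive, the missing monitoring, the DR plan claimed without evidence), the twelve function/domain pairs the sample never reviewed, and a per-function coverage figure; the same structure can be kept in a spreadsheet, but keeping the "yes needs evidence" and "every function needs all three control domains" rules in code makes an incomplete assessment impossible to overlook.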

Paul Horn
C|CISO, CISSP, CRISC, CISM, GCIH
