Industry Best Practices
The SEC OCIE guidelines are vague in many areas-subtly suggesting some things and forcefully recommending others (with the caveat that security may be different for each firm). One thing that they do not mince words on, though, is the need to vet vendors. They clearly state that it doesn’t mean that a company abdicates its need to ensure that data is secure just because it moves its data to the cloud.
How can you verify that data kept on servers that you don’t control is safe? You obviously can’t, but at the same time, both as a good practice and to satisfy the SEC (and other governmental, compliance, and regulatory agencies), it is important to conduct due diligence on vendors.
What’s involved in this process? In theory, it is actually quite easy. Just start asking questions. Ask the vendor, check their web site, Google them. Ask in-depth questions and follow up when the questions yield information that is different than you’d expect. If you are already using a vendor, look at how they are performing. Basically, you want to do a miniature Risk Assessment on each vendor that holds your data or has access to your systems.
Some vendors will cooperate quickly, providing all necessary information immediately. Others will get the same information slowly, and still others won’t even bother calling back. Some (like Microsoft) really don’t care. The trick is to find out everything possible anyway. It often takes a little detective work. Figuring out how data is backed up, what a company’s reputation is, whether they’ve had any incidents, how good their security really is-all of these can be discerned-is just a matter of – as the title suggests – being diligent.
Cobaltix Compliance is happy to do this work for clients or to guide them if they would like to do it themselves.
Most users are not compromised through an advanced hack targeting their company’s networks or computers. Instead, social engineering threats like phishing scams are the most prevalent for harvesting user credentials or other information. Often these general emails are unsuccessful, but emails that are specifically crafted to target an organization or users of a specific service (like ebay, Facebook, Google, Amazon, etc.) can be quite effective. User training on spotting phishing emails can help, but these emails can look innocuous to even seasoned veterans at first glance if the scam is crafted well enough. While people are often more concerned with which antivirus products are the best on the market, phishing scams are still making off with their account information. It doesn’t matter how up to date your computer is, what kind of antivirus product you have, or that you have a dedicated security team at your organization if you willingly hand over your credentials to attackers. How can you help secure yourself? By ensuring your authentication methods are secure.
Single Sign On
More and more companies are moving to Single Sign On (SSO) solutions, and for good reasons. SSO bridges the gap users typically face between security and convenience. By having your IT link multiple applications with a SSO solution, there is only one strong passphrase needed to authenticate yourself into said applications. Monitoring can be done by IT to help ensure no one else is accessing your accounts but you. This helps alleviate the pressure on users to have long, strong, unique passphrases for the multiple applications they need to access daily for their work. Users can secure their account even further by employing multi-factor authentication or password managers, which we will discuss below. Single Sign On applications are not without their weaknesses; it is still a web application, and with that comes all the security issues web applications face. However, if your company is choosing a well-known provider, chances are they have internal security teams dedicated to hardening their application. Many of them could even have a bug-bounty program, which rewards security researchers from around the globe for reporting vulnerabilities to their team. Despite their potential weaknesses, SSO applications are generally recommended among security professionals since they make it easier for users while still offering improved security through authentication and account change monitoring.
Multi-Factor Authentication (or MFA) helps secure accounts by requiring a unique code generated at the time of login that is typically from a smartphone or other physical token and is becoming more widely supported on several applications. Applications such as Authey, Google Authenticator, or FreeOTP can all be linked with many applications like Google, Facebook, Amazon, bank accounts, and more. MFA greatly helps secure accounts because the second code must be present at the time of authentication, so even if someone gets hold of your password, they typically won’t be able to log in without that second factor. While there are ways to bypass this, most attackers won’t have the technical ability to get around properly set up MFA. While strong passphrases are still highly recommended, MFA can help add an additional layer to authentication to help guard accounts against weaker passwords. However, having a layered approach to authentication like this does a great deal to improve account security, and takes very little effort to set up and configure.
Finally, password managers are also a great way to help secure your accounts. Password managers make it not only much more reasonable to have a unique login for every site or application you have credentials for, but you can also make the passwords very long and random. Meaning, you can have passwords that look like “e82X@c4!$Gsk101#S3ndu8(38s”, which is 26 characters long, completely random, and practically impossible for an attacker to guess. Password managers ensure that you never have to remember these passwords, which also makes rotating them easier as well. Remember just one strong passphrase to authenticate to your password manager (and enable MFA!) and let the password manager take care of the rest for you.
The world is changing. Back in the old days, you called a Big-5 consulting company to do an audit. They sent over 4 or more recent grads from top business schools to pour over boxes and boxes of files for 5 or 6 weeks. Eventually, they said that the accounting was good, and they left until the following year. The only problem was that the results were always positive-after all, the same firm had been doing the accounting-why wouldn’t it be good?
All that changed a long time ago. Now you have two firms-one that does accounting, and another that does the audit. The same recent grads come though – now you get coffee with a partner, too – but at the end of the day, unless you’re in a really bad position, you get a short list of things that need to be fixed and end up with a clean bill of health.
Oh, yeah, and your cybersecurity compliance was fine.
Why is the accounting firm doing cybersecurity? Big or small, accounting firms don’t have any idea about cybersecurity. They may hire a couple of people with credentials, send out questionnaires, and ask when the last penetration test took place. Generally, that is about it. No look at any of the systems. Minimal interviews. Generally, no understanding of the relationship between cybersecurity and risk or any understanding of technology at all.
IT guys are great. Their jobs are to make people happy. While many tech guys fail at their primary mission (making people happy), if you have a good IT guy, your company has a great competitive advantage.
IT guys are focused on fixing things but don’t usually think about risk, procedure, or controls. Your best IT guy thinks in exactly the opposite way, creatively solving problems in the fastest way possible-that is what you want in an IT guy. Also, most IT guys don’t write all that well. Communication is key in security-you want everyone (even up to the CEO) on the same page around risk and security.
Security isn’t just about checking boxes, it’s about reducing risk. Risk doesn’t just come from computers, it comes from people. Risk comes from HR and Finance and Accounting. It comes from systems, too.
Compliance and great security are done by people who can blend a true understanding of business with a deep knowledge of technology. They have to be able to think like a bad guy and an attorney at the same time. The job requires both asking hard questions and also looking closely at systems, networks, laptops, and people.
Larger firms have a CSO (Chief Security Officer) or a CISO (Chief Information Security Officer); the CSO/CISO and CIO are peers, and they often report through different hierarchies. Unfortunately, it isn’t practical for small and medium sized firms to hire a CSO/CISO. This is a role that can be outsourced.
Information Security usually reports to legal or compliance, or in some firms, the CFO. Because many small firms don’t have legal or compliance in house, many accounting firms offer to be “one-stop-shops” and include cybersecurity for the CFO. It is easy, but it is a bad idea.
You want your compliance and security consultants to be smart about business and to know the regulatory environment-not just the rules, but what happens during an audit. Ask about a CISSP (one of the few security certifications worth anything). Look for deep knowledge of technology. The auditor should never ask for passwords or actually touch any system, but rather should be “shoulder surfing.”
Ideally, your security firm should have a great deal of experience in the sector you are in. Being tied to a technology company is often good, but you don’t ever want people in the same company auditing their own, or their peer’s work.
Although the SEC does not currently require some hedge and venture funds to be registered, this does not mean that these firms don’t have to comply with the laws and rules; it just means that they don’t have to demonstrate regulatory compliance. While the SEC assumes that they are working with sophisticated investors, not being registered implies having less regulatory oversight. Even with less regulations, though, it is still pertinent to maintain a stable security system and compliance.
Does this mean that non-registered firms don’t need to worry about compliance? Yes and no.
The SEC, and almost every credible regulatory body in the US and Europe, requires risk assessments to determine the state of security and minimize impactful cyberattacks on companies. Yet whether they are registered with the SEC or not, companies may experience careless or unwitting activity as well as intentional malfeasance from employees and vendors that pose great threats. Therefore, understanding the overall degree of harm that could occur as a result of an exploitation of a security vulnerability is crucial.
Risk assessments not only find security issues, but also identify the risk level and its impact. Cobaltix Compliance offers risk assessments as well as other services that are crucial in keeping a company secure whether SEC registered or not. Compliance often adds hoops that distract from actual security, which are often overlooked by IT personnel. This is where Cobaltix Compliance comes in.
While IT is focused on getting systems working, security makes sure the data is safe even when things change. This requires keeping track of current threat vectors, understanding how doing things the same way every time leads to consistency by way of finding problems through regular audits, and establishing control measures to prove that data hasn’t been tampered with. Today hedge funds or companies that deal with sensitive data, moving around money, or propriety information are target-rich environments, and often experience daily attacks from the internet. Likewise, attacks from the inside are often the most damaging, whether careless or intentional. For these companies, whether they are required to do compliance or not, risk assessments become especially relevant. Even if you aren’t required to do compliance, skip the hoops but don’t skip the security. A risk assessment by a competent security company, such as Cobaltix Compliance, is a good first step.