Here are a few not-so-fun, but revealing, facts about cybersecurity (credited to the Verizon 2015 Data Breach Investigations Report):
Much like investment management industry participants on our platform, we at DiligenceVault are concerned with two primary issues:
Do we put our clients’ information at risk? Do we put our competitive edge at risk?
To address both of the topics above, we have researched and implemented best practices, with the recognition that you do not have to be a cyber and information security expert to understand risks and threats.
In designing DiligenceVault, we assumed that there would eventually be a breach in security. My training in risk management drives me to prepare in advance for things to go wrong and have an action plan for when they do. Someone I heard at a recent panel discussion put it quite nicely – “To avoid a breach, you have to be prepared and be right 100% of the time. To successfully infiltrate, the hacker has to be right 1% of the time.” If you are defending, the odds are against you. One’s immediate reaction might be to build a fortress of controls and processes. Having worked at a large organization, I realize the value of process, and more importantly the value of purpose driving the process, rather than the reverse. Any controls we establish should be relevant and translate into policy and a series of best practices:
The best risk controls are worthless if an organization’s culture doesn’t foster appropriate implementation of those controls. We found the following cultural challenges to be important in successful implementation:
1. Risk culture cannot have an exception at the top. An organization’s leader cannot have a policy that applies to everyone else but not themselves, especially when it comes to information security.
2. Employee understanding of risks and how to mitigate them is a necessity. Our industry’s biggest handicap is legacy. We are used to doing things a certain way, and it used to work when our world was less complex and hackers less sophisticated. When there are new risks emerging, being wedded to legacy multiplies the risk factor. For example, how many employees still do not lock their computer screens when they leave their desk, due to a false sense of security?
Based on the above two areas, we made some policy decisions
The outcome is an enterprise-ready platform, which is richer in controls and offers a secure solution for the industry. But we don’t plan to stop here, and look to keep up with the latest advancements in an evolving technological landscape.