If your company has made it this far into the COVID-19 pandemic and is still healthy, it’s a good time to address any processes or practices you’ve been putting off. Specifically, you need to adopt and implement a framework of safeguards and controls for cybersecurity and governance.
(Take note that it’s not just regulators who are interested in your framework, investors are starting to take a hard look as well. Understanding the cyber maturity of portfolio companies is a vital part of managing the risk to a private equity firm.)
The Gold Standard
Many companies have a new operational model: employees are working remotely. Now that everyone has had time to adjust to the switch, it’s time to evaluate the risks you’ve introduced by pushing users to work remotely, understand what those risks do to your risk profile, and adjust your security controls and safeguards in accordance with your new or modified architecture.
The National Institute of Standards and Technology published an updated standardized cybersecurity framework (NIST CSF) in 2018. The framework has five functions that provide the foundation for managing your cybersecurity risk at a high level:
The CSF includes meaningful metrics that indicate a maturity with respect to cybersecurity and has become the gold standard in cyber governance.
Establish Your Framework
To get started with your framework, look at your organizational risks, identify how much risk and acceptable variance your organization is comfortable with, and then perform a gap analysis to determine your CSF strategy.
There are three threats in particular that may have been introduced because of your new remote workforce model. The first is the internet at large—the understanding that the internet can be a bad place where everyone is out to get you. Most people are aware of and are sensitive to this threat.
The second threat is the insider threat. This doesn’t mean employees are intentionally sabotaging your organization; in fact, it’s usually the unintentional user that causes the problem. An insider threat is along the lines of falling prey to phishing attempts, working over unsecured networks, and sharing devices with non-employees (e.g., family members).
Finally, there’s the third-party threat; it’s the most overlooked when you’re putting your safeguards and controls in place. Third-party threats are where vendor risk management is critical. You must understand what your exposure is based on the level of access a third party has to your systems, your data, your users, and your clients.
If a vendor is Tier 1 (i.e., provides a key function to the core operations of your organization, has access to a key set of data, or has access to or manages the platforms that support this data or those business processes), you should rigorously assess them annually. Your vendor(s) should be able to demonstrate that they are maintaining, at a minimum, at least the standards that you are.
Test Your Safeguards
It’s not enough to say you have a framework in place; you have to show what you’ve done to mitigate risk and that your efforts are effective. Too often, testing is left up to an evaluator. Sometimes they follow a formal process; sometimes they don’t. If you want to ensure your framework is secure, test it yourself (or hire a third party like Agio) through the lens of the adversary.
Testing your safeguards and controls against known adversary tactics, techniques, and procedures ensures the safeguards and controls you put in place are effective and relevant to the threats that are realistic to your firm and based on what’s happening today.
The way your company protects its data and manages risk is critical. It’s not just regulators who are interested in your cybersecurity and governance framework; investors are taking note, too. Alternative investment firms want to know that you’ve implemented the required safeguards and controls and can demonstrate what you’ve done. Your cyber maturity is an essential part of managing their risk.
If you’re ready to meet the gold standard, contact us today. Agio can help you navigate the process of finding organizational risks, performing gap analyses, implementing the CSF that matches your company’s needs, and testing to measure the efficacy of your cybersecurity solutions and validating their performance against known adversary tactics.