ACE IT Solutions was featured in HFMWeek’s 2015 Cyber Risk and Security Report. They spoke with managing partner, Warren Finkel, about why cyber security must include a top-down approach to security awareness and why threat intelligence is essential. The article is below.
HFM: Can you explain ACE IT Solutions’ approach to cyber security and the main principles behind your offering?
Warren Finkel (WF): Our cyber security solutions are tailored to help firms be proactive and meet compliance requirements. We believe the key to an effective cyber security initiative is being proactive rather than reactive. The fact is, your firm will get hacked; it’s no longer a matter of IF but WHEN.
The key to minimising risk is using threat intelligence to get ahead of hackers. With up-to-date, customised intelligence about current and future threats, and a deep understanding of how well your security strategy stands up to these threats, you can better manage your defences while reducing risk and making smarter investments. Threat intelligence also helps you understand which threats are applicable to your businesses. A one-size-fits-all approach does not work as well as a customised approach to taming your firm’s threat landscape.
This includes security awareness training to help employees understand how they put their firm at risk, training them about cyber security best practices and how to recognise phishing emails – a primary entry point for hackers.
HFM: ACE IT Solutions partnered with IBM, which was rated number one by Gartner for threat intelligence. What is ‘threat intelligence’ and is it employed against cyber-crime?
WF: The more information you have about the threats that are out there, the better prepared firms can be to deal with the risks. Threat intelligence can be used to defend against attacks, but it is incredibly useful for helping recognise an attack and dealing with it. Think about it like this: we know company A, B, and C got hacked and this is how it happened. How can we use that information to mitigate a cyber-attack on our own firm?
Even the government is getting behind this approach. The House recently passed a bill that would push companies to share information about security breaches. This is important because businesses can no longer fight the bad guys individually. We must use the compiled threat intelligence from the whole industry to fight them.
HFM: There also is a clear need to educate your clients’ staff to employ best practice and avoid a breach through phishing techniques etc. How do you approach this?
WF: We are doing a lot of employee training on safe internet use, including phishing exercises to help them recognise phishing emails. Teaching employees to be aware of an organisation’s security requirements can be one of the most effective ways to enhance the company’s overall security posture. Employees are a key link in the security of a business’ technology infrastructure and company data. Without end-user training on security best practices and policies, it is impossible to secure your information resources or ensure data privacy. The effort to create a ‘security aware culture’ must include everyone in the company. Additionally, end-user training on security best practices and privacy awareness is essential to any organisation’s compliance and risk management initiatives.
We also educate people on the weaknesses of certain cloud apps and ensuring employees don’t have admin access which allows them to download applications and access back-office functions.
As an IBM partner we can offer our clients access to its security operation centers and the X-Force threat intelligence team, but if you don’t have the basics of an educated and aware staff then it won’t help prevent a breach.
HFM: What is the most important feature of your staff education process?
WF: The key is that change is driven from the top. We often speak to IT staff from a fund who are obviously very aware of the dangers of cyber-attacks and how to avoid a breach, but more often than not when I speak to CFOs or CEOs they don’t even know what basic controls their fund has in place. Senior management must be made aware and then drive best practice procedures down to the whole staff.
Information security policies and incident response plans are also a critical feature of any cyber security program. The SEC is now requiring these plans to be in place and that you have a penetration test.
Ultimately, we have all the services a client could want and we understand the SEC’s requirements but the best cyber defense mechanism has to start internally by creating a culture of awareness and training employees to comply with laws, regulations and policies to reduce the risk of exposure.
ACE IT Solutions tailors cyber security and risk management programs to meet each client’s needs and budget.
For more information on HFMWeek, visit their website http://www.hfmweek.com/