Many businesses have made great progress with their cybersecurity programs; however, social engineering attacks, such as phishing, remain the most common method of attack, accounting for 90% or more of targeted external attacks.
Ransomware, other malware (including malware that targets mobile and IoT devices), and other forms of remote exploitation continue to increase in both frequency and severity.
The SEC released these recommendations based on the findings of the OCIE during examinations of investment funds. These tips apply to ALL businesses no matter the size or industry.
- All businesses should conduct risk assessments of their critical systems, follow a process for regular system maintenance, and have a response plan for dealing with a cybersecurity incident.
- Train employees about security awareness and phishing: cybersecurity training should cover acceptable use of the firm’s network and teach employees how to safely use their devices, how to work remotely, and how to identify and respond to basic indicators of compromise.
- Penetration tests are a crucial step for catching system vulnerabilities and a necessity for assessing the impact of a potential breach event.
- Perform adequate due diligence on vendors and other third parties who have access to sensitive data, infrastructure, or both.
- Comprehensive network, application, and device vulnerability scanning should be conducted regularly.
- Develop cybersecurity protocols with clear instructions on how they will be followed in different situations.
- Consider bringing in an outside cybersecurity specialist to go over your procedures and make sure everything is running properly.
- Do not assume you are too small to be a target!
ACE IT Solutions works with firms early in the process to help design and implement effective cyber practices and to provide assessments and testing of security controls. Please call Warren Finkel at 646.558.6358 or Kelly Bruce at 646.808.2794 to schedule an introduction and free, no-obligation, preliminary assessment.
Our cybersecurity services are comprehensive and include network vulnerability scanning, penetration testing and system exploitation, security training, and a variety of consulting services ranging from governance and policy creation to vendor security due diligence, to IT and compliance support.