Cyber Security – Is the “Blind leading the Blind?”

As consultants, we can’t emphasize enough the importance of having a proactive cyber security program that is specifically tailored to protect critical systems from disruption and to protect sensitive data for both the firm and its customers. Of course, any worthy program should include policies and procedures that assess, analyze, and establish risk-based controls; equally important, however, is oversight and execution of the program by a competent team of individuals who regularly monitor the performance of the program.

Cyber security is complex and cyberthreats are constantly evolving. A substantial challenge that many firms face, therefore, is that they just do not have the in-house resources available to dedicate a team of individuals to a cyber security program. And let’s be honest, most of us have neither the time nor the know-how to be cyber security whizzes, as that is “not what we do, nor is it what we want to do”! Nevertheless, the threat is still very much there, and each firm must come to its own conclusions as to the best way to minimize the risks at hand.

In this communication, we simply ask… Does your firm have a cyber security program and if so, is the “blind leading the blind”? Regardless of whether your firm relies on a third-party provider or has in-house cyber security expertise at its disposal, does your firm dedicate the necessary resources to a cyber security program that has been designed specifically to protect your firm and clients from never-ceasing cyber security threats? Yes, maybe, not sure? Below are what we believe to be a few “points to ponder” when assessing the viability of your firm’s cyber security program.

  • Does the firm have policies and procedures related to cyber security? If yes, are the procedures tailored specifically for the firm or are the procedures based on a template that is fairly generic?
  • Do employees receive regular training related to cyber security and how it pertains to their job responsibilities?
  • Who are the individuals who are responsible for the firm’s cyber security program, and are they properly qualified and competent to perform such job functions?
  • Is there a gap analysis performed for items that may still pose a threat to the firm?
  • Does the firm monitor and perform testing on the cyber security system? If yes, is the testing documented through the use of checklists, exception reports, testing, etc.?
  • If you engage with any third parties, have you assessed whether they are performing as expected and meeting the requirements and needs of the firm?

At this point, you should be able to quickly recognize any potential shortcomings in your firm’s cyber security program. So, do you have a thorough understanding or is the “blind leading the blind”? If you can absolutely say “we are good and we have got this”, then please give yourself a pat on the back and keep up the good work! However, if your answer is “OMG…we really need help”, please consider engaging with a third-party Technology Service Provider (“TSP”) or Managed Service Provider (“MSP”) to assist your firm in implementing a cyber security program tailored to protect your firm and customers.

What is a technology service provider?

A technology service provider (TSP) is a third-party information technology (IT) company that can offer specialized solutions for your firm with a flexible arrangement that allows you to keep your IT staff. They can assist with functions such as hosting items on the cloud and cyber security.

What is a managed service provider?

A managed service provider (MSP) is a third-party company that remotely manages a customer’s IT infrastructure and end-user systems. Small and medium-sized businesses (SMBs), nonprofits and government agencies hire MSPs to perform a defined set of day-to-day management services. These services may include network and infrastructure management, security, and monitoring.

Regardless of your choice, TSP, MSP or in-house expertise, it is imperative to obtain the proper IT support to mitigate your firm’s cyber security risks. We often see that firms hire a technology company and assume that it is performing services similar to an MSP; however, this is often not the case. This is why it is important to conduct periodic reviews to ensure that all parties are performing per their contracted and expected terms.

Finally, trust but verify! Trust that you have now done the work to proactively establish a cyber security program specifically tailored to protect the sensitive data of your firm and customers from the continuous threats related to cyber security. Verify that the program performs as intended by testing the highest risk areas for your firm.

Contact us today for any additional information on where we can recommend you get assistance with your firm’s cyber security program.