IT Strategy for Financial Services – Premium

We watch many economic levers such as unemployment rates and inflation, and everyone has an ear toward headline news. We feel the tangible impacts of shipping delays, supply shortages, and a culture adjusting after a pandemic. The bottom line is that the current economic outlook points to recession, meaning the need to be intentional with technology spend and strategy is more important now than ever. Here are a couple of considerations for 2023 IT strategy.

Most Importantly: Cyber Security.

We will soon face a reality where organizations are attacked every two seconds by threat actors that continue to evolve their tools and tactics.

CYBERSECURITY DIVE,

Cyber security is a topic that tends to overwhelm the small business owner on a constrained budget. At this stage, most companies are finally formalizing a return-to-office policy and trying to retain employees in the process as expectations are reset. While most companies are focused on human capital, attention will naturally need to shift to security, particularly cyber security in the home environment. Home networks rarely have a managed firewall or any network segmentation: the work laptop usually sits on the same flat network as personal phones, smart TVs, and whatever else the household has plugged in. For big and small companies alike, the home environment is an attack vector that must be addressed.

Second: Automation and Relationships


With employee retention being an ongoing challenge, many are asking how the business can automate or remove single points of failure that originate from the employee base. Often business owners get tunnel vision around the war cry of automation. The true solution balances efficiency and automation with the art of relationship. To architect technology that complements the business practice, one must consider what part of the job should be left to the creative minds of your employees, and what portion is to be automated as a foundational pillar for scalability.

Cyber Security, Where to Begin

Is your Cyber Security Strategy Sound?

Cyber security is an overwhelming topic for many small business owners, particularly financial wealth managers, as they truly do have a target on their back. If you are a small business owner, here is a chance to gauge your strategy and review guidance on several requirements that every cyber security strategy and policy must address.

#1 Define the cyber security framework.

A fantastic framework and organization to familiarize yourself with is the Center for Internet Security (cisecurity.org) and its CIS Controls. The controls are tiered into Implementation Groups (IG1 through IG3) according to the organization's size, resources, and risk exposure. In simple terms, if the company is bigger and responsible for more, the expectations regarding cyber security are higher. Smaller companies have fewer mandatory safeguards but are encouraged to keep chasing best practice. In the world of financial managers, every organization is required to thoughtfully protect its clients' data, and ultimately it is the security framework that defines what is merely risky versus what is outright negligence when it comes to the business's security implementation. A practical check: map each safeguard in your chosen implementation group to a named owner and a piece of evidence (a screenshot, a report, a configuration export), and treat any safeguard without evidence as not implemented.

#2 Define the data governance strategy.

The definition of data governance in this context is the ability to track and control the creation, storage, and destruction of data. This pillar of security is arguably one of the most challenging to fully solve. "Data" is a massive word and hides in many corners. Data includes business contacts in employees' mobile phones, notes stored on a desktop, or even a physical notebook. The moment the business has a piece of information, whether written, typed, or recorded, there should be an assigned classification that defines appropriate access to the information, and the ability to prove that access is actually set that way. This requirement is a giant task for any quickly growing business once the technical definition is understood. Regulators know that this is nearly impossible to fully solve, but there is an expectation that the business is continuously improving its ability to properly govern data and avoid data leakage. Microsoft 365 environments have gone a long way toward solving this with sensitivity labels (which must be created and published before they do anything; nothing is labeled by default), but the same evaluation needs to be made for each business application: CRMs, accounting tools, file storage, client portals, and so on. Any tool storing data needs this evaluation and a thoughtful action plan.
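Classification only works if something actually looks at the content, which is what auto-labeling in a tool like Microsoft 365 does behind the scenes. The following is an added example (not code from the original page or from any vendor) of a minimal content classifier: it scans a document for Luhn-valid card numbers, U.S. Social Security numbers, and e-mail addresses, then assigns one of three hypothetical labels. The label names, the sample documents, and the detector patterns are assumptions made for illustration; a real deployment would add more detectors and read files from the systems listed above.

```python
"""Minimal content-based data classifier (added illustration, not vendor code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Runs of 13-19 digits, optionally separated by spaces or dashes (candidate card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# U.S. SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Hypothetical label names, ordered from least to most restrictive.
LABEL_GENERAL = "General"
LABEL_CONFIDENTIAL = "Confidential"
LABEL_HIGHLY_CONFIDENTIAL = "Highly Confidential"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out phone numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return normalized (digits-only) card numbers that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Classification:
    label: str
    findings: Dict[str, List[str]] = field(default_factory=dict)


def classify_document(text: str) -> Classification:
    """Assign a label from the most sensitive detector that fired."""
    findings = {
        "card_numbers": find_card_numbers(text),
        "ssns": SSN_RE.findall(text),
        "emails": EMAIL_RE.findall(text),
    }
    if findings["card_numbers"] or findings["ssns"]:
        label = LABEL_HIGHLY_CONFIDENTIAL
    elif findings["emails"]:
        label = LABEL_CONFIDENTIAL
    else:
        label = LABEL_GENERAL
    return Classification(label, {k: v for k, v in findings.items() if v})


def classify_all(documents: Dict[str, str]) -> Dict[str, str]:
    """Map document name -> label, e.g. for an inventory report."""
    return {name: classify_document(text).label for name, text in documents.items()}


# Constructed sample documents standing in for a CRM note, a meeting note, and a memo.
SAMPLE_DOCS = {
    "crm_note.txt": "Client called. Card on file: 4111 1111 1111 1111, exp 09/27. SSN 123-45-6789.",
    "meeting.txt": "Follow up with jane.doe@example.com about the Q3 review; call 555-867-5309.",
    "memo.txt": "Lunch is at noon in the big room.",
}

if __name__ == "__main__":
    for name, label in classify_all(SAMPLE_DOCS).items():
        print(f"{name}: {label}")
```

The Luhn filter is the part most home-grown scanners skip, and without it every ten-to-nineteen-digit account or phone number becomes a false positive that trains users to ignore the labels.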

#3 Define the Device Governance Strategy.

The definition of device governance in this context is the ability to control the provisioning, use, and decommissioning of the devices that touch business data. With the new era of mobile access, device governance has become a much greater challenge than in the past. Business owners need to strategically decide how they want their data accessed, because every access point is a new attack vector that needs to be protected. Access points include phones and tablets (iOS and Android), laptops and desktops (Windows and macOS), and any other device that reaches business data.


One common way this becomes harmful to the company is a phone upgrade. Users download company applications (with protected data inside), and during the upgrade the old device may never be wiped, leaving the device and the data stored on it exposed to whoever ends up with it. Rather than allowing this to happen, there needs to be a business policy detailing the expectations for how all devices are handled: enrolling devices in mobile device or application management so company data can be wiped remotely when a device is retired or lost, and requiring that wipe to be confirmed before a replacement is issued. In addition, it is wise to work with commercial recyclers and to receive a certificate of destruction when a device is ready to be decommissioned.

#4 Consider relevant Regulation & Compliance.

Depending on the regulation a company is subject to, regulation sometimes has explicit definitions of what is required in the business's cybersecurity policy. Many financial firms are required to account for HIPAA (if they sell insurance and collect any PHI), PCI DSS (if there is credit card handling), FINRA rules, or SEC regulations. Many times, if an audit is coming, companies can proactively ask the auditor for the non-negotiables ahead of time.

One consideration: following regulation does not guarantee security best practice. The people who write the regulations are usually a year (or a few) behind current cyber security best practice, and sometimes a regulation can run against it. I worked with a broker dealer once who required a password change every thirty days. Current guidance, notably NIST SP 800-63B, explicitly states that this type of "security requirement" actually decreases the security of an environment due to user behavior: users start choosing simpler and more repetitive passwords so they can remember them, and the guidance instead calls for forcing a change only when there is evidence of compromise, while screening new passwords against known-breached and common lists. In navigating this policy, I worked with the broker dealer and they ended up changing their policy to match best practice. Most of the time, these policy writers are not cyber security experts.
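The user behavior described above is easy to demonstrate: after a forced rotation, "Summer2023!" becomes "Summer2024!", and a plain history check that only compares exact strings will accept it. The following is an added example (not code from the original page, and not the broker dealer's tooling) of the kind of change-time check that NIST-style guidance substitutes for periodic expiry: it rejects a new password that is a trivial variant of the previous one (case change, appended digits or symbols, leet substitutions, an edit or two), or that is built on a common stem. The common-stem list, the twelve-character minimum, and the normalization rules are assumptions chosen for illustration.

```python
"""Change-time password checks instead of periodic expiry (added illustration)."""
import re
from typing import List, Optional

# Constructed stand-in for a breached/common-password list, stored as normalized stems.
COMMON_STEMS = {"password", "welcome", "summer", "winter", "letmein", "qwerty"}

# Map the usual "leet" substitutions back to letters so P@ssw0rd and Pa55word collide.
_LEET = str.maketrans("@$0134", "asoiea")


def _stem(pw: str) -> str:
    """Lowercase, drop leading digits and trailing digits/symbols, undo leet substitutions."""
    s = pw.lower()
    s = re.sub(r"^\d+", "", s)        # "1Summer" -> "summer"
    s = re.sub(r"[^a-z]+$", "", s)    # "Summer2023!" -> "summer"
    return s.translate(_LEET)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), used for 'one or two keystroke' changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is the kind of change a user makes just to satisfy a rotation rule."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True                                  # case-only change
    so, sn = _stem(o), _stem(n)
    if so and so == sn:
        return True                                  # Summer2023! -> Summer2024!, P@ssw0rd -> Pa55word
    if levenshtein(o, n) <= 2:
        return True                                  # one or two keystrokes apart
    if o in n or n in o:
        return True                                  # old password embedded in the new one
    return False


def evaluate_password(new: str, previous: Optional[str] = None, min_length: int = 12) -> List[str]:
    """Return the list of reasons a new password is rejected; empty list means accepted."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if _stem(new.lower()) in COMMON_STEMS:
        reasons.append("based on a common password")
    if previous is not None and is_trivial_variant(previous, new):
        reasons.append("trivial variant of the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed examples: what a 30-day rotation rule typically produces versus a real change.
    for prev, cand in [("Summer2023!", "Summer2024!"),
                       ("P@ssw0rd", "Pa55word"),
                       ("Summer2023!", "Correct-Horse-Battery-9")]:
        verdict = evaluate_password(cand, prev) or ["accepted"]
        print(f"{prev!r} -> {cand!r}: {', '.join(verdict)}")
```

The point of the check is the pairing: long minimum length plus common-stem and variant screening at change time, with no arbitrary expiry, which is the shape of guidance that the thirty-day rule contradicted.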
