The Words Which Must Be Spoken and The Actions Which Should Be Taken
I have long harped that cyber security is a problem and that, because the HCM community deals with critical financial and personal data and large flows of funds, serious players should look at highly regulated industries and see what they and their regulators are doing to clean up their act.
The rules and regulations are beginning to pile up: federal, state, and local; governments, regulators, industry guidelines. Some are helpful. Some are expensive to implement. More are finally coming. Some have teeth in them which could cause banks and clearing houses to impose restrictions on their customers, including cutting access; some more than imply that non-compliance and certain cyber security breaches, particularly by insiders, could constitute fraud. Courts and insurance companies are beginning to reconsider how they need to respond to data holders' liability for breaches and mishandling of data, and how the quality of the security measures taken should be weighed in assessing responsibility and levels of harm.
Here are some policies and practices that are coming to the fore, and may help focus your attention:
- Written Information Security Program
- Incident Response Plan
- Acceptable Use Policy
- Account Access and Password Policy
- Clean Desk Policy
- Patch Management Policy
- Portable Device Policy
- Remote Access Policy
- Threat Protection and Monitoring Policy
- Vendor Due Diligence Policy
- Disaster Recovery Plan and Protocols (and testing)
- Anti-Money Laundering Policies and Procedures
Some of these policies focus internally on the company. Some deal with issues that frankly are new to the industry: services many companies use daily but over which they have little or no control. How secure a customer's employee's mobile device is when they sit in a coffee shop using public wi-fi to access data on your servers and move funds around is one that haunts me, daily.
The Vendor Due Diligence Policy involves HCM companies in many ways: their vendors are, through them, effectively vendors to their customers, and they use a variety of vendors to deliver their services, from regulated banks to a wide group of unregulated and lightly vetted API-linked partners. If one is only as strong as one's weakest link, 360-degree due diligence seems pretty important, yet it is still seldom seriously used.
I attended a technology conference recently. It was not the first time. The difference was that for years the conference was small, had young people gathered around electrical outlets in the hallway, and the great event of the week was having a security agency put the most secure software it currently had in a room with the participants and time how long it took to break the code. Never more than 40 minutes. This time there were five times as many people, half of them looking for better people, developers, software, and merger candidates. A sense of urgency is beginning to fill the air.
I think that the cyber problem may very well start to be addressed as the process audits that the banking industry primarily started are driven through the system to service providers. Historically, the first couple of steps were pretty meaningless. Remember the SOX 1 auditor who came in and asked you what you did, reviewed whatever you gave them, and then gave you a gold star when they saw that you did what you said you did, whether it was complete or not? The second step began to actually set some templates which were based not on what you did, but on what you should be doing. That was better. The next steps will be much better.
Many companies are running penetration tests. It's good, but not enough. Running tests on legacy systems tells companies things they may or may not want to know. In many cases the tests do not get specific enough on details to find all the weaknesses. Few companies have wanted to even try to fix the problems. But processes are getting better now. Automation is here for scanning existing code, new as well as legacy. It is improving both security and performance levels.
But companies need to go further to protect against new types of attacks. Hackers work 24/7 to exploit systems to expose information or shut down systems. Audits need to be broader and deeper, the audit results need to be reviewed for accuracy, and findings need to be faced and fixed. The fixing gets to be more interesting as companies move control of their IT environment into the cloud, where they have little or no direct control but still bear the liability for loss of data or access, identity theft, etc.
We are making progress. The conference showed me that more companies, owners and boards, regulators, and key process providers are getting involved. I am seeing a lot more resources coming into the marketplace. The cyber security industry is undergoing great change. More and better tools are being developed. Large amounts of data can be scanned. Systems can be scanned for aberrant behavior very quickly to isolate issues and focus remediation efforts. However, I want to see more developers and their sponsors get involved and do all they can to increase protection; more insurance companies defining their coverage better; and more courts getting involved in enforcement actions. Participants need to get the message that their cyber table manners need to get better fast, or they may be too risky to be part of the future.
As independent businesses, you can now find ways to act, policies to consider and put in place, and a cyber team to build, so that you and your customers are better positioned to compete in the new cyber environment.