Focus on Funds: ICI Forums Focus on Cybersecurity Practices
ICI Forums Focus on Cybersecurity Practices
The September 25, 2015, edition of Focus on Funds offers key takeaways on staff training about cybersecurity, and previews an upcoming conference focusing on the topic.
Transcript
Stephanie Ortbals-Tibbs, ICI Director, Media Relations: Welcome to Focus on Funds, the Investment Company Institute’s weekly roundup of industry news, ICI activities, and research findings.
ICI continues to rapidly build out its extensive resources on cybersecurity with the second annual Cybersecurity Forum set for early November. This upcoming event in Washington follows the July conference in London that focused on critical issues like assessing cloud security and training staff to avoid creating vulnerabilities. Here are some key takeaways.
Ben Smith, Field CTO (US East), RSA: Email continues to be the primary attack vector for companies large and small today, so being able to train your end users to pay attention to things like grammatical problems, attachments from people that you’re not expecting attachments from. I had an email in the last couple of weeks from another vendor, it was completely legitimate, but it was not somebody I’d interacted with before. There was a PDF attachment and before I opened up that attachment, I actually called that vendor—because he had that information in his signature—to verify his identity before we could start the conversation. So, again, it goes back to education, it goes back to empowering your employees to understand—to smell—that something isn’t quite right about this email. One of the things we talk about in the session is that it’s almost impossible to get to 100 percent surety. You’re not going to guarantee that your end users will never click on “badness.” So the goal should be half the time, three-quarters of the time, and make it an iterative process, not doing it just once, but doing it on a regular basis to try and make sure that those employees understand training that you might’ve received three years ago might’ve been perfectly adequate for the threats three years ago. The world has changed so you need to revise and extend that training.
Mal Grant, Manager, Information Security, EMEA, Invesco: One individual posed a very good question and that was should the assumption of cloud providers, or the security that they provide be challenged, because people think that maybe the cloud is more insecure than actually hosting things on premise. But actually if you look at the maturity of the cloud service providers now, they can actually probably do quite a better job than what you could probably do internally, particularly if you take into account making sure that they store data or make sure that data is within their own availability zones.
Ortbals-Tibbs: More conference highlights and information about the committee’s work are posted the ICI website, and registration for the conference is now open. That’s this week in funds. See you next week.