As the end of National Cybersecurity Awareness Month approaches, we hope registered investment adviser (RIA) firms have become better equipped to confidently improve their cybersecurity programs using the information and guidance RIA in a Box has provided. Ideally, your firm’s systems and data should already be safeguarded against hackers. However, we recommend a form of “ethical hacking”, known as penetration testing, to assess how secure your systems actually are.
In this blog post, we discuss the steps RIAs should take before conducting penetration testing to ensure they get the most value out of this common cybersecurity vulnerability assessment.
Penetration testing is a simulated cyber attack and an attempt to breach your firm’s various systems, including APIs and servers. The results can be used to improve your security policies and procedures and patch vulnerabilities.
We must emphasize that penetration testing should not be the first course of action to strengthen your firm’s cybersecurity program.
Ask yourself first – what have we done to prepare for the penetration test?
- How complex or protected are your employees’ passwords?
- How is your firm’s firewall protected from a breach?
- Are there vulnerabilities in the operating system that haven’t been patched?
The penetration test will flag low-level issues if you haven’t done anything to safeguard the network. That wastes the penetration test: you will not get the full value of your cybersecurity investment.
We recommend you start by ensuring your virtual private networks (VPNs) are secure and your firewalls are updated so that all unnecessary ports are closed. Conduct the test when you feel your network is reasonably locked down.
A penetration test should begin only once the first level of security is locked down. The test will then identify whether there are “holes” that hackers typically find but that are not easy to find without a penetration test.
Hackers try the easy doors first, then move on to the next level of “holes”. The value of a penetration test lies in identifying these. Hackers use uncommon tools to carry out their attacks, so don’t make it easy for them to get into your system. Social engineering and backdoor access are the next level a hacker will use to get into your system.
Why not test first? Because you’re likely to fail. The purpose of penetration testing is to identify the key areas for your firm to focus on. You want it to DIG deep. During penetration testing, “white hat hackers” will look for sensitive areas in your system and confidentially tell you the type of data they were able to access.
To learn more about how our cybersecurity offerings can enhance your RIA firm’s cybersecurity program, click the link below!