It has been a long time since I thought of Euclidean algebra and I will be the first to admit that much of the course material is well over my head. Having access to Dr. Ron Rivest, one of the developers of the now famous RSA encryption technology however, is a privilege and an eye opening experience. The first lesson I learned is that cyber security is neither an exact science nor are there perfect solutions.
As we go about our daily business, we naturally assume that our information is immune from attack; after all, why would a hacker in Asia be interested in my personal information? I don’t have great secrets on my computer and our company has a good defensive plan in place. This is what I call, “old world thinking”… i.e. ignoring the recent advances in technology and the increasing interconnection of internet devices. Remember the Stuxnet Virus that took down many of Iran’s centrifuges? The virus was introduced by an employee who plugged a USB drive into one of the administrative computers. We can have all of the fancy systems in place, but the user is still the weakest link in the chain.
A recent study by industry experts suggested that over 74% of small-to-medium sized businesses are vulnerable to cyber attack. This is bad enough for the individual company, but because we are all interconnected through the internet, a virus introduced at your local drugstore could infect thousands. Has this happened? Yes, and many more times then what we see in the press.
The best answer from the experts is to have both defensive and offensive plans/postures in place. A defensive posture means having the appropriate hardware and software security for prevention, resilience and recovery. An offensive posture means anticipating possible scenarios that might occur and planning for them. The first step to see where your security systems stand vis à vis best practices, is to have your computer vendor do an audit. For those who want to delve into more detail, the ISO 27001:2013 Information Security Standard provides the most comprehensive set of guidelines. The Global Fiduciary Standard of Excellence, itself based on ISO 19011 and ISO/IEC 17021 Standards, incorporates criteria that requires advisors and plan administrators to have cyber security plans in place. The same criteria will be coming to fiduciaries of retirement plans, foundations, associations and endowments. Insurance companies favor organizations which have been proactive in this area by offering significant discounts in the cost of their policies.
Cybersecurity is a hot topic now. The White House has included $19B in the most recent annual budget for updating and developing current federal information systems. As fiduciaries, we, too, need to understand the risk of a cyber breach and takes steps to secure our own information.
Perhaps the most important lesson I have taken from the MIT Course is that there are a lot of very smart people out there working hard to overcome our defenses. Think of it as this generation’s “arms race”.