Perhaps one of the most important things the 2007 credit crunch and the ensuing global economic recession demonstrates is the degree to which the world depends on the financial industry. Consequently, the rationale for robust regulatory oversight of the financial industry is compelling.
Technology is a fundamental enabler of the finance industry. The financial system is interwoven with and highly reliant on technology. Technology changes quickly and the threat environment may be characterised as agile and blended, with a need for constant vigilance.
Today the Alternative Investment Fund Managers Directive (AIFMD) and the Capital Requirements Directive IV (CRD IV) are primary tools governing the core business of UK domiciled alternative investment firms. Technology is governed by Financial Conduct Authority (FCA) guidelines in conjunction with the Information Commissioner’s Office (ICO) which carries out enforcement action for breaches of the Data Protection Act (DPA).
As a result there is a mix of recommendations and mandatory compliance points. This means some areas are open to interpretation and there is a need to understand where any distinctions exist, and act appropriately.
The objective of this regulatory approach appears to be to create a culture where financial services businesses demonstrate a responsible approach and a willingness to consider their use of systems and any risks that need to be mitigated.
In this guide we discuss 7 ways alternative investment businesses, and professional services companies supplying services to regulated firms, are able to improve the ability to meet FCA or ICO/DPA regulatory guidelines for using technology within their businesses.
1. Drive it from the top down
Wherever there is a failure of leadership to assert control and set high standards for a business and its employees, there is often the potential for significant problems.
Take responsibility at board level
Ultimately, FCA/ICO compliance is a governance matter and it needs to be owned by the board and driven from the top down. Leave no doubt about standards by promoting a culture of resilience and security. There should never be complacency around the value of information and cyber security.
The board should set up a process to ensure it is satisfied about policies and procedures for protecting information, especially where dependencies lie with third parties or with a parent group. Cyber security should be under the control of a CIO (Chief Information Officer) or someone with the equivalent accountability at board level.
It is important that procedures are in place to deal with cyber-attacks, to prevent fraudulent communications by both voice and email, and to safeguard against money laundering activity.
Enforcement action
Think W3 Limited (Thomas Cook subsidiary)
Date: 23 July 2014
Type: Monetary penalties
Sector: Online technology and telecoms
Think W3 Limited, an online travel services company, has been served a £150,000 monetary penalty after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.
2. Keep your systems up-to-date
Many fines are issued by the ICO for failing to take reasonable steps to prevent hacking. Hackers often exploit ‘vulnerabilities’ (that’s IT code for holes in security) to gain unauthorised access to networks, systems and data.
Simple to plug security gaps
One of the most fundamental principles of IT security is to plug gaps by maintaining up-to-date software versions. This is done by regular updating or ‘patching’ with updaters downloaded or automatically pushed out by software vendors. Many of the firms that have been fined could have escaped financial penalty by simply taking the reasonable step of ensuring systems were kept up-to-date.
3. Tighten up staff security
Employees are only human, and even in the most secure environments, people are often responsible for breaches, either through deliberate action or failing to observe security policies and procedures.
Passwords
One key aspect is password access and control. Companies should have strict password control policies. Users should not use the same name and password combinations for company and personal accounts, as this would allow hackers to gain access to company data and systems by stealing account data from personal or consumer accounts. Forcing regular password changes is one option, or consider Dual Factor Authentication. This means a unique, One Time Key is required at every login, so just knowing a user/password combination is not enough to permit access.
The case for the defence
The reason Shadow IT is so popular amongst non-IT workers is that it is an enabler of productivity. It is widely used to fill in for perceived gaps in the technology tools centrally managed and deployed by the business for performing specific tasks and collaboration.
In a jobs market which is characterised by insecurity and with high competition for well paid jobs, anything that helps workers acquire a performance edge is an attractive proposition.
Employees are under pressure to hit deadlines, achieve targets and deliver results that support the case for their continuing employment. The desire to be seen as a good performer who helps the business achieve its objectives is strong.
In such circumstances, many find it difficult to resist the lure of Shadow IT, even though they suspect or know that it is in contravention of company policy. Consequently, many seek out alternative software and devices that help them perform or improve productivity.
To practitioners of Shadow IT, it seems harmless. The response of the IT team is viewed as something of an over-reaction, because it threatens IT jobs and equates to a major assault on the ‘empire building’ mindset of IT departments that exists in many businesses.
Historically, the relationship between IT and the wider organisation has been characterised as an ‘us and them’ situation. The negative response by the technology function to discovering the use of Shadow IT is often interpreted as an extension of this.
Summary
In summing up the case for the prosecution, Shadow IT is something of a villain. It is highly questionable practice which leads to business data leaking into the cloud in an uncontrolled way, creating unacceptable risks for firms.
Summing up the case for the defence, Shadow IT has a heroic value, in helping individuals and departments to be more productive and efficient, likely helping the business to better performance.
The Verdict
The jury goes out but not for long…
In a straight analysis weighing the potential threat against the benefit of Shadow IT, it seems clear that uncontrolled data leakage poses a serious risk with unknowable consequences.
Any net gain in performance resulting from Shadow IT is likely to be short lived and limited in scope to the individuals or department in question. It is unlikely to be of mid to long term strategic value because it cannot be translated onto the rest of the business.
Once data is misused, there is a good chance that any benefit will be wiped out by the impact and ensuing fallout. For all organisations, steps should be taken to identify and shut down uncontrolled data leaks. In regulated firms, for which uncontrolled data leakage constitutes a compliance failure, measures should be taken to ensure the organisation is in control.
If you are affected by the issues of Shadow IT, talk to HTL Support
HTL provides a range of services to support the use of technology in today’s businesses. Whether it is infrastructure and user support, internet connectivity or voice communications, we provide a high degree of personalised service. We are very proud to be able to say that we offer impartial advice because we are independent of suppliers, vendors and manufacturers. Ultimately this enables clients to obtain more value from business technology.
If you are affected by any of the issues raised by The Trial of Shadow IT, HTL Support services include cloud solutions which enable the problem to be tackled. For many businesses, the benefits of our solutions extend far beyond preventing the uncontrolled leakage of business data into the cloud.
About HTL Support
HTL Support was founded in 2009 by Managing Director Justin Dean to provide specialist IT support and IT consultancy services to financial services sector clients. Since its launch, HTL has rapidly evolved to offer a full range of cutting-edge, integrated and flexible products and services to a worldwide client base across all industries. Our experience and professionalism have been endorsed both by our clients and by many of the world’s leading hardware and software manufacturers.
All companies need to know that their IT support provider is not going to let them down when it comes to important projects. We will always find the right solution and are equally happy either functioning as project managers for your internal IT department or providing an experienced team to work under your own IT Director or project leader.