Skip to main content
Open menu
Resources & insights

What business leaders in capital markets need to know about cyber security right now

If you are a founder or a business leader, you probably won’t have time to delve into the fast-expanding universe of contemporary cyber security.

But there are certainly things that you should know about in your position. What may be most helpful, is to concentrate on a small number of cyber security ‘home truths’, that can help you navigate conversations about how to protect your business and keep it moving in a world of rapidly evolving threats.

These ‘truths’ should help you ask the right questions, identify priorities, and make the best decisions about your cyber security programs.

The threat today is often highly sophisticated

At the sharp end, you are not only up against insider risks such as a rogue or disgruntled employee, but also dedicated teams of commercial hackers working in a professionalised shadow ransomware industry. These are highly organised individuals and groups who work in glass-walled offices, just like our own. They have finance departments, managers, and sophisticated channels for different services. Specialisms exist for each stage of the offensive operation, such as initial access, malware development, stolen data management and ransom negotiation, to name a few.

Are you up to date? 

The cyber security threat landscape is constantly changing. Financial services and capital markets organisations that haven’t reviewed their security systems and processes since the pandemic, should prioritise a review. Protective and defensive standards continue to evolve on a day-by-day basis in response to new offensive tactics.

This needn’t mean changing everything immediately, but rather identifying the things that are most important to your business and the associated controls around them. This risk-driven threat modelling approach for a private equity firm might include adding stricter data leak controls around sensitive board minutes, or detecting and preventing client information from leaving corporate systems for a law firm or barristers’ chambers. With operational technology playing an increasing role in everyday manufacturing, the automated machinery on which such businesses rely is a new front of vulnerability and risk. 

Assume breach

Operate on the assumption that you will be breached. Approaching the risk from this ‘assumed breach’ perspective helps with the essential legwork involved in sharpening your incident response and business recovery plans. As a leader, you need to check and double check these are in place and are regularly tested. You don’t want to test your response plan for the first time during an actual cyber incident!

One recent shift that’s important to understand (and to impress on others) is that security should be heavily focused around the employee or workers identity, not just the organisation’s office perimeter. This is a significant development in terms of external risk as organisations adopt more SaaS cloud services. Threat actors continue to target these systems, aiming to gain access to cloud hosted data through compromised identities.

Today, response is as important as protection

One of the largest challenges around a data breach is determining the scope of the incident. If you are breached, and you can’t quantify the extent of the information that has been compromised, you must assume – as investors, insurance companies and regulators must assume – that all data on impacted systems has been compromised.

This is why having the right levels of logging and proactive monitoring is so important. Without the right tools to capture the details of an intrusion when it occurs, organisations will struggle to accurately determine the scope and impact of a breach.

What can I do about all of this?

The key to combatting the myriad of cyber threats is to develop a robust cyber security strategy. Fortunately, a lot of the hard work has already been done for you. For example, the NIST cyber security framework helps you think holistically about your cyber security approach, ensuring you cover all your bases, and that your investment in cyber security aligns with your business priorities.   

The NIST framework consists of five components (or pillars). Each pillar represents a set of questions to answer and objectives to achieve. When you combine them, you have the basis for an effective cyber security strategy that covers all eventualities. 

The five pillars are: 

  • Identify – What types of cyber threats pose a risk to your business? 
  • Protect – How do you effectively safeguard the assets you identified? 
  • Detect – How will you find out if there are cyber threats against your assets? 
  • Respond – If you detect cyber security threats, what’s your action plan? 
  • Recover – If a cyber-attack impacts your infrastructure and wider business, how will you fix it and bounce back? 

Creating an effective business cyber security strategy 

Let’s look at five areas you need to consider as you formulate your cyber security strategy. 

1 – Planning 

Planning is the absolute key to success with your cyber security strategy. The amount of planning you do at the start of the process will serve you well if you ever have to use it in anger. Plan for the worst, then hope for the best. 

Think about everything from conducting regular risk assessments to implementing access controls, ensuring secure network configurations and staying up-to-date with patches and upgrades. Leave no stone unturned. 

Follow the five pillars of NIST to ensure you don’t miss any essential aspects in your strategy.  

2 – Cover all bases 

Bear in mind that not all cyber threats will come in the form of malicious emails containing malware attachments. There are more cyber threats out there than you can imagine, with more sophisticated threats emerging all the time.  

For example, the people within your organisation can cause as much damage as those outside. Develop robust business processes to protect against invoice fraud and payroll fraud.  

You’ve probably heard of phishing, but what about smishing (phishing in the form of text messages) or quishing (QR codes that trick people into visiting malicious websites)? How will you train your people to stay vigilant against new threats? 

3 – Tools vs people 

You need to invest in the right tools to protect your environment and have good visibility. However, many cyber attacks are down to human error in some form (opening a malicious email and clicking on the attachment, for example).  

Make sure you educate your employees about cyber security best practices and reinforce the importance of staying vigilant. As part of your plan, you should also have people named to respond if a threat is detected (with backup people if they’re on holiday). 

4 – Test, test, test 

Before you put your plan into action, test it as thoroughly as you can. Penetration testing, where you simulate a cyber attack on your organisation, is an excellent way to evaluate your plan and identify areas where you can improve. Here are three aspects to consider: 

  • Vulnerability scanning – An automated scan of your entire system to look for weak links in your defences 
  • Phishing simulations – Use dummy phishing emails of various accuracy levels to see how your people respond. Do they open, click or delete these emails? 
  • Business continuity – In the event of an attack, how will you keep the wheels turning in your organisation? 

5 – Work with IT and Security Professionals 

Fortunately, there are continually advancing security capabilities being developed that can protect your business, without constraining it. Get the latest advice, training and simulations to make your business stronger. Talk to Doherty Associates. We’ll help keep you safe and resilient while you get on with your core business. 


As a business leader, you have enough to deal with before you consider the complex and evolving world of cyber security. But if you neglect cyber security, and fail to plan for a cyber attack on your business, the impact can be devastating.  

Develop a robust cybersecurity strategy that follows the principles of the NIST framework. Invest in the best tools and train your people to be cyber aware. Finally, to ensure you’re always up-to-date with the latest cyber security developments, partner with cyber security specialists who can take the hard work off your hands.  

Talk to Doherty Associates. We’ll help keep you safe and resilient, so you can focus on your core business. 

Related posts


Business innovation: How IT is driving competitive differentiation

Read more
Doherty Associates IT Solutions


Why Cloud Computing

Read more


Staying competitive in today’s legal market: 4 problems cloud solves

Read more

We’re here to help

If you want to achieve better outcomes for your business through a more intelligent use of technology, talk to us.

Contact us