Traveling with electronic devices puts personal and critical business information at risk. As we embark on the busy holiday travel season, we decided to share some useful tips to help prevent your data and devices from falling into the wrong hands. Here are our top 10:
Back up Your Data Before You Leave: Prior to traveling, back up the data stored on your device(s) onto media that will not travel with you, for example a storage card, cloud storage, or a computer you are leaving behind. Furthermore, ensure you do not have social security numbers, passwords, credit card information or other sensitive data stored on your devices. If you do, save this information in a more secure place and remove it from your portable devices.
Travel Light: If you do not need it, do not bring it on your trip. Only devices that are necessary should accompany you while traveling.
Here at Eze Castle Integration we have a pantry full of thoughtful policies that help ensure we keep everything in tip-top shape. In past Hedge IT articles, we’ve shared our recipes for creating security incident policies, BYOD policies and social media policies.
Today, we are going to share our recipe for creating an Acceptable Use Policy, which governs how a company and its employees use computing resources. The SANS Institute, which has policy templates galore, also has an Acceptable Use Policy template that you can find HERE and is the foundation for our award-winning recipe.
First, define the purpose and scope of your policy by answering questions including:
Why are the rules in place (e.g., to protect the firm from virus attacks, compromise of the computing network, etc.)?
Who does the policy apply to (e.g., employees, consultants, contractors, etc.)?
Is your password “123456” or just plain old “password”? If so, you’re not alone. When media company Gawker Media’s million-plus user database was compromised by hackers, the passwords of nearly 200,000 users were decoded and made public. Of those exposed, over 3,000 people used the password “123456” and nearly 2,000 were using “password” as their password.
Think your name is an original password? Apparently lots of Michelles and Jennifers did, because those made the most common password list as well. Check out the complete list to see if you have a popular password.
This past weekend on the dark web, hackers were offering to sell 590,000 Comcast email addresses and associated passwords. Of those, Comcast verified that 200,000 accounts were still active and had the account owners reset their passwords. According to CNET, hackers didn't breach Comcast's computers to steal the information. Instead, "they created their list of passwords with information stolen from [people across the web]." Hackers are skilled at tricking individuals into sharing their passwords. Then, since people often use the same password for multiple sites, the hackers have gold.
Gawker and Comcast being hacked are yet more reminders of the importance of having strong passwords and updating them regularly, especially in the hedge fund and investment management industry. Here are some tips to create safe passwords and keep them safe:
First off, passwords are essential but simply having one isn’t enough. Remind users not to leave passwords on sticky notes or under their keyboards. One way to remember a new password is to use it immediately and often.
Today's investment firms are extremely focused on cyber security preparedness, as they should be. With regulators and investors demanding more transparency than ever, it's critical for hedge funds to spend time making their own employees aware of cybersecurity threats and how to mitigate risk. With that, let's discuss a topic that we’re passionate about – education and security awareness.
We’ve told you about the types of threats that can harm a business, the steps you should take in the event of a security incident, and the policies you should create to keep your organization safe. But now it’s time to talk about training your employees to understand each of these.
A firm’s security strategy will only work if employees are properly trained on it. Therefore, the importance of providing information security awareness training cannot be overstated. The goal of an awareness program is not merely to educate employees on potential security threats and what they can do to prevent them. A larger goal should be to change the culture of your organization to focus on the importance of security and get buy-in from end users to serve as an added layer of defense against security threats.
Once you have buy-in from employees, your focus can turn to ensuring they get the necessary information they need to secure your business.
Many building tenants have a daily interaction with their building’s management. The interaction may be a friendly “good morning” or “goodnight”. Perhaps you’re on a first name basis with some of the front desk employees. Typically, that is where the relationship ends, and if so, that can potentially lead to some issues in the future.
Being able to quickly communicate and respond in the case of an emergency or interruption can make a big difference to building management and tenants alike. Additionally, having each other’s contact information can be extremely helpful during regular business hours as well as off-hours, holidays and weekends.
During regular business hours, building management has several options to notify tenants. Depending on the type and severity of an emergency, facility management may choose to utilize passive notification, such as email, or they may use more aggressive notification like public announcement (PA) systems or alarms. While alarms and PAs might help grab the attention of tenants, they aren’t the most effective tools to communicate long or detailed messages. Even planned drills, such as fire drills during regular business hours, are not fool-proof. During this commotion, it may be difficult to locate members of building management and even harder to efficiently communicate.
The security threat landscape continues to evolve, and security through obscurity is no longer (and probably never was) an ideal approach to protecting the sensitive data of the hedge fund industry. A 2015 Cyber Security Intelligence Index study by IBM found that over 62 percent of cyber incidents targeted three industries -- Finance, Insurance, and Information and Communications -- highlighting the serious risk cyber intrusions present to financial firms.
The report found that 55 percent of all cyber attacks in 2014 were carried out by either malicious insiders or inadvertent actors, and that unauthorized access triggered nearly twice as many incidents in 2014 compared with 2013. According to the report, “certain types of unauthorized access incidents rocketed to the top, accounting for 37 percent of the total—nearly doubling from 19 percent in 2013. ShellShock and Heartbleed were the game changers here.”
Another example cited was that malicious code and sustained probes together accounted for 40 percent of all the incidents observed. According to IBM, “with an ever expanding array of malware from which attackers may choose—including viruses, worms, Trojans, bots, backdoors, spyware and adware—it seems fairly certain that malicious code incidents will continue to wreak havoc for the foreseeable future.”
These examples demonstrate that the risks facing large organizations and smaller firms (read: hedge funds) are just as real. To that end, we regularly team with eSentire to speak with hedge fund CTOs about the security landscape and their managed security technology. Additionally, Eze Castle Integration utilizes eSentire intrusion detection technology within our Eze Private Cloud and to power our Eze Active Threat Protection services.
Feedback on eSentire’s offering and approach is always received positively, and that feedback was the spark for this tech spotlight article.
This article first appeared in HFMWeek's Special Report: How to Start a Hedge Fund in the EU 2015.
HFMWeek catches up with Eze Castle Integration’s executive director, Dean Hill, to discuss the importance of selecting the right business service providers and the key technology factors new funds must consider when starting out in the EU.
HFMWeek (HFM): Are you seeing a healthy market for new hedge fund launches in the EU?
Dean Hill (DH): Yes. I think going into 2016 we will see an increase in terms of the amount of new hedge fund launches across the UK and European markets. Not only are these launches coming more frequently, but their size, structure and launch AuM is greater than anything we have seen in the last two-to-three years. It is certainly on the uptake.
Among the many technology decisions your firm will face during the launch phase is selecting the appropriate telecommunications needs to power daily operations. High-speed Internet and voice connectivity are necessary to access market data feeds, communicate with investors and facilitate trade orders and other investment decisions. To help you make an informed decision about your voice and Internet needs, we’ve provided a few suggestions below.
The Internet, of course, is an essential vehicle for collecting and distributing market data, as well as communicating with your clients, investors and partners via email. You’ll likely find four Internet access choices, depending on availability in your area. There are benefits and drawbacks to each, as described below.
On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert providing additional guidance on key focus areas for round two of its cybersecurity examinations. Specifically, OCIE stated exams will “involve more testing to assess implementation of firm procedures and controls.” The Commission intends to focus on the following areas as a means to collect information on cybersecurity-related controls and assess the controls in place at firms:
Governance and Risk Assessment: According to the Alert, OCIE may evaluate the governance and risk assessment process for areas including, but not limited to, access control, employee training, third-party/vendor management and IT systems management. Examiners also expect to see that assessments and associated policies are specific to a firm’s business.
Access Rights and Controls: OCIE warns that the lack of basic access controls and user management policies can result in unauthorized access to systems and information. Examiners may request details on how a firm manages user rights and what supporting technologies are in place.
Back on July 8th of this year, the New York Stock Exchange (NYSE) experienced a temporary outage and proactively suspended trading. In many ways, the NYSE acted swiftly and responsibly when they noticed that there was a technical issue with its trading platform. The NYSE realized quickly that traders would not be able to reliably trade and ultimately decided to suspend trading across the market until full functionality could be restored. In total, NYSE trading was suspended for nearly four hours.
Although the overall impact of the downtime was minimal in the grand scheme, had this event affected the public market data feed that traders and investors use to access critical information on public markets, the impact would have been more severe. Still, there are some takeaways from this event. A positive: the success of the SEC Regulation NMS implementation. A negative: criticism of the initial communications from the NYSE. Let’s examine these a little closer.
A Win for SEC Regulation NMS
The technical issues that caused the NYSE to suspend operations on July 8th occurred as the result of a new software rollout. All open orders at the time were canceled. Most investors were able to continue trading using one or several of the 11 other exchanges or 40+ dark pools to execute trades. A recent Wall Street Journal article indicated that as of 2005, 80% of the trades conducted across the U.S. stock market went through the NYSE. That figure currently stands at about 20%, in part because of a 2007 SEC regulation called Regulation NMS (National Market System). This rule, enacted in 2007, allows orders to be directed to the exchange that quotes the best price. It also reduces transaction fees for investors as a result of increased competition. Fortunately, therefore, traders have redundancy and flexibility if a single market or multiple markets are experiencing downtime. Had July’s technical glitch taken place a decade earlier, when the majority of US stock trades were executed on the NYSE, the impact would have been more severe.