Is Dropbox becoming a noun? For the sake of this article, let’s say it is.
With over 200 million users, Dropbox (and similar services) is gaining popularity based on its ability to allow users to share files and sync data between devices. These capabilities are very appealing but rely on a public cloud platform that can introduce security and compliance concerns for hedge funds.
Dropbox made headlines last year when it was discovered by security researchers that the service opens some files once they are uploaded. While Dropbox provided an explanation, this can be a serious issue for businesses where employees are using Dropbox to share sensitive company and investment data.
So are your employees using Dropbox? Probably. A study conducted by Gigaom of 1,300 business professionals found that one out of five use public file sharing services, such as Dropbox, with work documents. And, half of those users know their companies have rules against it. This raises the question, how do you give employees access to a valuable tool in a way that meets compliance and security protection obligations?
It has been said that cyber weapons can be as dangerous as weapons of mass destruction. To emphasize this, at last night’s FBI Citizens Academy seminar on cyber security in financial markets, the speaker noted that if you take out an industry (think financial, telecom) you can cripple an entire country.
But just how would this happen? What’s in a hacker’s tool kit? Quinn Shamblin, executive director of information security at Boston University, provided a glimpse into the cyber security underworld.
Targeting Your Favorite Device
Let’s start with Mobile Device Security. Hackers are shifting their focus and resources to mobile devices. They recognize that a user’s life is virtually encapsulated on his/her mobile device. From contacts and email to documents, passwords and banking apps, mobile devices now hold as much as or more personal information than PCs or laptops. And most devices do not have anti-virus/malware software installed.
Just last Friday, Apple released a critical update to its iOS 7 operating system after a flaw was identified that could give an attacker with a privileged network position the ability to capture or modify data in sessions protected by SSL/TLS (aka public key encryption). Following that announcement, researchers at a cyber security firm (FireEye) published a proof of concept for a surveillance app that, if created and distributed by hackers, could capture every tap on an iPhone’s screen. The information captured, including passwords and credit card numbers, would be accessible to the attacker. These are just two examples of the cyber security threats facing mobile devices. Users need to be aware that these threats exist and practice smart computing on all devices.
In honor of our 400th post here on Hedge IT (400 - wow!), we are celebrating with our annual blog awards. We've gathered the most popular articles according to our readers and included a few of our personal favorites, too. We hope you enjoy!
Have you been enamored by the coverage of the Winter Olympics the last two weeks? We sure have. And watching all of these great sports we don’t normally get the chance to witness got us thinking – there are a lot of similarities between technology and Olympic sports. They’re both complex in many ways and require experts (engineers and athletes) who are the best of the best at what they do.
One of our favorite sports to watch is curling. And we couldn’t help but notice that Olympic curling and the private cloud are a lot alike. Don’t believe us? Take a look.
Both are safe and secure.
Let’s be honest: curling clearly presents the least amount of danger and lowest risk for injury at the Winter Olympics. Skiing and snowboarding? We’ve seen our fair share of wipeouts this year. Bobsled, luge and skeleton? Those are terrifying enough just as a spectator. Even figure skating poses a risk when skaters are leaping and twizzling left and right.
But curling? Extremely safe. Athletes can be fairly certain – whether they are curling or sweeping – that they will come out of the event unscathed.
Investment risk plays an important role in the life of a hedge fund manager, but technology risk should not. When it comes to your firm’s technology systems and operations, you want things to run efficiently, not add more stress to your already crowded plate.
Mitigating technology risk is a critical step to ensuring your hedge fund operates smoothly and successfully. Following are a few areas to keep in mind as you evaluate your firm’s technology risk:
Layers of Redundancy
One way to reduce your firm’s technology risk is to add layers of redundancy throughout your infrastructure. Whether you’re utilizing a cloud infrastructure or an on-premise environment, your servers, networking and telecom lines should feature N+1 availability, a configuration in which multiple components have at least one independent backup component to ensure system functionality continues in the event of a failure.
Notice anything different? That’s right, your favorite hedge fund technology blog got a facelift, and we didn’t stop there -- we overhauled our corporate website too. Our goal with the overhaul was to make it even easier for visitors to get the valuable information they expect from the industry’s technology leader (us!). We hope you like it.
Now on to today’s hot topic. The U.S. Securities and Exchange Commission (SEC), at a recent industry event, said that they plan to examine the cybersecurity policies and procedures asset managers have in place to prevent and detect cyber attacks.
Specifically, according to Reuters, SEC national associate director Jane Jarcho said, “We will be looking to see what policies are in place to prevent, detect and respond to cyber attacks [and] we will be looking at policies on IT training, vendor access and vendor due diligence, and what information you have on any vendors."
Some have indicated that the SEC cybersecurity exams could be coming by late-September 2014. In many cases they will be conducted as part of the SEC's routine examinations of investment companies; however, Jarcho advised that inquiries could be done as separate exams.
Last week, we kicked off our 2014 webinar series with our first topic, “Security Incident Response Priorities: How to Prepare Your Firm Before a Breach Occurs” featuring our own VP of Technology, Steve Schoener, along with eSentire’s Chief Technology Officer, Eldon Sprickerhoff. Topics discussed included common threat actors and potential security scenarios to be aware of as well as the importance of planning a response to such attacks.
A Quick Brief
In 2012, IBM reported that companies were attacked an average of 2 million times per week, and unfortunately, the statistics aren’t declining anytime soon. It’s no longer “what if” a security breach or cyber-attack occurs, but when and how it will occur. With targeted attacks that are bypassing existing security infrastructures, the topic of security has become even more important to all firms.
The most common security threat actors lately have been criminal organizations, most notably international ones. Criminal organizations are out for profit and are the most difficult to track down, especially in international instances. There has been less impact from nation states, but these are still threats to be cautious of, along with insiders and hacktivists.
At the end of last year, we predicted security would continue to be a hot topic in 2014 - and our experts agree. It's still such an important topic for hedge funds and investment firms to be educated on that we even dedicated our first webinar of the year to it.
Expert speakers from Eze Castle Integration and eSentire spoke earlier today about security incident response priorities and offered best practices for investment firms looking to plan before a security breach occurs.
Watch the video below and learn more about the three critical phases of security incident management:
First of all, let’s clear up what phishing is for those of you who aren’t sure. Phishing is a psychological attack used by cyber criminals in order to trick you into giving up personal information or taking action. Phishing has developed over time.
The term initially described email attacks that would steal your username/password information. Phishing now refers to any message-based attack, whether that be email, IM, or on a social media network.
First and foremost, Happy New Year everyone!
2014 has officially begun, and as with every New Year, it is important to reflect on the previous year and set goals for the future. Many of the resolutions that we made last year are still prevalent this year because they are foundational for a hedge fund’s success. This year we are offering a few more critical recommendations to ensure that your company and IT operations run efficiently and effectively.