Eze Castle Integration

Hedge IT Blog

> Subscribe to Blog Entries about Security

Happy Halloween! A Look at the Scariest IT Moments of 2014

By Katie Sloane,
Thursday, October 30th, 2014

Over the years, cybercrime has evolved, matured and increased in frequency. Target groups vary from case to case and victims range from big merchants and high-end retailers to celebrities and common folk. On the eve of Halloween, we’ve dug up some of the scariest cyber-attacks in 2014. Scary IT Hack Ghost

CryptoLocker

One of the more innovative hacks in recent years started making headway in Great Britain in September 2013. CryptoLocker utilizes malware to encrypt and freeze victims’ sentimental and valuable files on infected computers. After successfully locking the computer, a ransom note appears on the victim’s screen demanding money in return for their files. If the victim fails to make payment, the computer remains locked and files are unsalvageable.

Categorized under: Security  Cloud Computing  Communications  Software  Trends We're Seeing 



Four Signs It's Time to Break up with Your IT Provider

By Kaleigh Alessandro,
Thursday, October 16th, 2014

Broken HeartIn any relationship, when things are good, they’re usually pretty good. And when things are bad, sometimes they are really bad. There may come a point when you need to evaluate whether you’re still a good fit together.
 
Just like with a romantic relationship, your firm’s connection to a service provider (especially an infrastructure/cloud provider you rely on daily) should be strong enough to withstand a few hiccups and healthy enough to warrant open communication at all times. In some cases, it might be clear that you’re in a good place and moving forward together, but sometimes there are sure signs it’s time to call it quits.
 
Here are a few of those signs:

1. Your provider’s service levels are not up to snuff.

Maybe you recently experienced a major service outage or find that you not-so-conveniently have to work around confusing and interrupting maintenance schedules during work hours. You’re constantly frustrated and don’t feel like you are receiving the level of support that was agreed to – both verbally and as part of your Service Level Agreement (SLA).

Your SLA should clearly indicate the uptime standard (e.g. 99.995% availability) as well as repercussions to any breaches in the contract (for example, service credits) and associated RPOs if disaster recovery is involved

Categorized under: Cloud Computing  Disaster Recovery  Security  Hedge Fund Due Diligence  Hedge Fund Operations  Help Desk  Infrastructure  Communications  Outsourcing  Trends We're Seeing 



51 Hedge Fund IT Due Diligence Questions You Can Expect From Investors

By Mary Beth Hamilton,
Thursday, October 9th, 2014

On our recent Hedge Fund Marketing and Due Diligence webinar we looked at how the hedge fund investor due diligence process is evolving especially in terms of scrutiny on technology processes and security safeguards. 

The reality is that investors have a greater understanding of technology, are asking more probing questions and care about the responses they receive.  We’ve even heard investors say that deficiencies in IT infrastructure and security contributed to the decisions to redeem from or not invest in a fund.

So at Eze Castle Integration we regularly assist our hedge fund clients in completing the IT portions of investor due diligence questionnaires. The wording of questions varies but here is a handy list of 51 common IT due diligence questions we see.

Organization

  1. Provide an organization chart for the Company, its affiliates and key personnel.

  2. Provide the physical address and general contact information for each of the Company’s office locations.

  3. Provide the name and contact information of the Company employee(s) assigned to the client’s account(s).

  4. Provide a list of compliance personnel, their roles and qualifications, the date of his/her appointment and position within the Company’s organizational structure.

Categorized under: Hedge Fund Due Diligence  Launching A Hedge Fund  Cloud Computing  Disaster Recovery  Security  Hedge Fund Operations  Trends We're Seeing 



Cybersecurity Remains at the Forefront for Hedge Funds, Investment Firms

By Kaleigh Alessandro,
Thursday, October 2nd, 2014

This article first appeared in Hedgeweek's September 2014 Special Report on Risk Management.Thinking About Security

Cyber security has quickly become a headline risk for hedge fund managers. On 15 April 2014, the SEC issued its Cyber-Security Risk Alert, a detailed 26-point questionnaire that aims to address various elements of a hedge fund’s technical and operational infrastructure to determine how vulnerable it is to cyber attacks and data theft.

This initiative is being driven by the SEC’s Office of Compliance Inspections and Examinations. It will assess 50 individual firms and based on its findings will draft a set of final guidelines for hedge funds to adhere to. This is essentially a way to address ‘technology risk’ and implement best practices through documentation in the form of a Written Information Security Policy (WISP).
 
According to Assured SKCG Inc, an insurance advisory firm, 37 per cent of security breaches between 2012 and 2013 affected financial organisations. Hedge funds are a high profile target. Establishing a WISP and becoming as data secure as possible is critical.
 
At Eze Castle Integration, the phones haven’t stopped ringing as clients look to address any gaps in their IT infrastructure and operational policies. 

Categorized under: Security  Hedge Fund Due Diligence  Hedge Fund Operations  Hedge Fund Regulation  Trends We're Seeing 



NASAA Cybersecurity Report Recap: Our Favorite Graphics and Findings

By Katie Sloane,
Tuesday, September 30th, 2014

The North American Securities Administrators Association (NASAA) recently released survey results of cybersecurity practices of 440 registered investment adviser firms across nine states. The purpose of NASAA’s pilot project was to better understand cybersecurity practices of state-registered investment advisers, how they communicate with clients and what types of policies and procedures they currently maintain. Of those surveyed, 47% have assets under management of less than $25 million, 37% manage more than $25 million and 16% do not manage assets. In today’s post, we will share our favorite graphics and findings from the organization’s survey.   

Client Contact via E-mail and Use of Secure E-mail

NASAA's survey reported 92% of investment firms contact clients through e-mail and/or other electronic messaging and only 54% of that group utilizes secure email. While 14% were unsure, a staggering 30% responded that they did not utilize secure messaging whatsoever.

Hedge fund secure e-mail














 

Categorized under: Security  Business Continuity Planning  Software  Trends We're Seeing  Videos And Infographics 



Educate Employees About Cybersecurity: A Hedge Fund's Security Depends On It

By Mary Beth Hamilton,
Thursday, September 25th, 2014

The following article originally appeared last month on the Tabb Forum.

Cybersecurity is a hot topic -- and rightfully so -- as headlines tout new vulnerabilities or incidents with increasing frequency. In the fight to prevent attacks, technology safeguards are typically the focus. A firm must have layers of security that include, but are not limited to, anti-virus, firewalls, intrusion detection systems and Internet monitoring and reporting, as well as procedures that restrict and monitor access. 
 
However beyond technology, the role employees play cannot be underestimated. The reality is that employees can be one of a firm’s best lines of defense or weakest link. The deciding factor in which way it swings often comes down to access control policies and cybersecurity training.

Getting the Access Right

Employees require access to the data necessary to complete their job functions. But beyond that, firms should be limiting what data employees have access to. It’s not about not trusting your employees, but more so about not trusting the technology behind those employees. The less data employees can get to, the less damage can be done via an internal breach or external hack.

The SEC Cybersecurity Risk Alert issued in April 2014 highlights the importance of access control by asking about the controls a firm maintains to “prevent unauthorized escalation of user privileges” and how firms “restrict users to those network resources necessary for their business functions.”

Part of a firm’s cybersecurity planning must be defining how company data is protected, where it is located and who has and needs access. Once access levels are defined, they must be reviewed at least annually to ensure adherence firm wide.

Categorized under: Security  Cloud Computing  Hedge Fund Operations  Trends We're Seeing 



Apple to iPhone Users: Here's How to Protect Your Devices

By Kaleigh Alessandro,
Tuesday, September 23rd, 2014

Security has been THE topic of 2014 thus far and was amped up last week when many A-list celebrities’ phones were hacked and racy photos released. The hack was allegedly the result of an iCloud infiltration, prompting many Apple users to question the company’s privacy settings. In response, Apple CEO Tim Cook released a letter to consumers, and the company’s website will now feature a privacy section:
 

Apple CEO Tim Cook


Apple’s privacy site includes details on both the built-in security features within Apple devices as well as how users can manage their own privacy settings and tailor them to individual needs. Here is a brief snapshot of some security functions highlighted:

Built In Privacy

  • iMessages and FaceTime calls are protected with end-to-end encryption

  • iMessages and SMS messages are backed up to iCloud, but can be turned off by the user

  • All iCloud content is encrypted in transit and when stored (in most cases)

  • iCloud Keychain allows users to create strong passwords and stores them securely without giving Apple access

  • Safari blocks third-party cookies on all devices and offers private browsing

Categorized under: Communications  Cloud Computing  Security  Software  Trends We're Seeing 



How the Financial Cloud Should Be Protected (A Presentation)

By Mary Beth Hamilton,
Tuesday, September 16th, 2014

Last week our SVP of client technology, Steve Schoener, presented at a hedge fund due diligence event on the topic of protections in the cloud.

Since cloud security and ensuring a hedge fund’s data is protected is such a hot topic we thought we’d share his presentation. In a nutshell, the presentation looks at the layers of security that should be built into a cloud environment, which includes deep and detailed practices around:

  1. Principle of Defense in Depth

  2. Principle of Least Privilege

  3. Audit & Logging

  4. Secure User Authentication Protocols & Encryption

Check out the complete presentation for more details:

Categorized under: Cloud Computing  Launching A Hedge Fund  Security  Hedge Fund Due Diligence  Infrastructure 



Assessing Your Firm's Attitude Toward Security: What's Your Type?

By Kaleigh Alessandro,
Thursday, August 21st, 2014

If there’s one thing we’ve learned over the years when it comes to security, it’s that there’s a whole lot more to creating a secure hedge fund (or any business for that matter) than robust technology. Before identifying infrastructure components and implementing operational policies, a firm must first be clear on what its attitude is toward security. This attitude will filter through the company from the top down, and will therefore dictate how employees and the business as a whole operate on a daily basis.Security
 
To give you a clearer understanding of what we mean, we’ve created three security profiles that cover a wide spectrum in terms of security attitudes and practices.

Under the Radar: Low Security

If you’re attitude toward security is low, odds are you’re barely scraping the surface in terms of what practices and policies you should be employing to maintain proper security firm-wide. You likely rely on quick fixes to solve problems instead of looking at the bigger picture and thinking strategically about how security can both benefit and protect your business. You’ve employed minimal preparedness efforts and could be in for a difficult task if faced with a serious security incident. You probably take a “it won’t happen to me” attitude and don’t take security seriously enough – a stance that could endanger your firm in the long term.

Categorized under: Security  Launching A Hedge Fund  Cloud Computing  Disaster Recovery  Hedge Fund Due Diligence  Hedge Fund Operations  Hedge Fund Regulation  Infrastructure  Communications  Outsourcing  Business Continuity Planning  Trends We're Seeing  Videos And Infographics 



Putting the Smart in Smartphone Security: Six Consumer Tips

By Katie Sloane,
Thursday, August 14th, 2014

Mobile devices have transformed the way we manage our everyday lives: from how we track our bank accounts, to interacting with friends and family to booking travel, and so on.  Everything you need is at your fingertips, but are you taking the proper security measurements to protect your device?  Below are a few tips to help keep your smartphone’s data safe. 

  1. Set a Password: When you do not set a password to lock your phone, anyone who obtains possession of the device has instant access to all of your apps that automatically log-in upon launching. This is a simple security measure to take and yet, according to Consumer Reports' annual State of the Net Survey, only 36 percent of smartphone owners have a passcode. From a business use perspective, any device that accesses corporate email or networks should have a complex password and be managed by mobile device management tools such as AirWatch or Good Technology.

  2. Mobile Security Apps: Looking to the future, we expect the adoption of mobile device security apps that provide antivirus, privacy and anti-malware protection to increase. And for good reason. According to the June 2014 McAfee Labs Threat Report, mobile malware has increased by 167 percent in the past year alone. Companies, such as AirWatch, aim to ensure your enterprise mobility deployment is secure and corporate information is protected with end-to-end security. 

Categorized under: Security  Communications  Software  Trends We're Seeing 



View earlier posts in the archive

Recent Posts / All Posts