It's time for another Tech Tip video! Today, we have five security practices your investment firm should not overlook. Watch and learn!
This article was written by Bob Guilbert, Managing Director, and first appeared in Hedgeweek's 2016 Guide to Setting Up an Alternative Investment Fund in the USA.
You're a new fund manager, and somewhere on your task list the letters "IT" are probably followed by a question mark. Odds are, you don't have a technology background, so as your firm's Chief Operating/Financial/Compliance Officer (or in some cases, Portfolio Manager), the sudden responsibility you've undertaken as your firm's de facto IT Manager is intimidating at best.
The good news is, as a startup, your IT options are pretty clear. In 2016, there's no better technology decision a new firm can make than selecting a cloud platform – an infrastructure that has proven benefits including scalability, flexibility and robust security, among others. And while the thought of hosting IT offsite was once a worry for allocators, today's investors find comfort in knowing hedge fund and alternative investment firms are focusing on their investment priorities and leaving the technology decisions to the experts.
From our perspective, the cloud is now a tried and tested infrastructure environment that is acceptable to the institutional investor community. They have become very thorough in their operational due diligence process, understanding exactly what cloud providers provide from an operational, management and security perspective. This has allowed managers to become much more comfortable at appointing a cloud provider to deliver an infrastructure that will perform well in any type of trading environment.
Where managers need to spend their time is deciding on the best cloud provider to work with, as opposed to thinking about whether or not they should use a cloud provider in the first place.
And how exactly do emerging fund managers embark on that decision-making process?
You’re about to embark on a business trip or drift away with the waves and a margarita or two on an overdue vacation. To let your clients, partners, colleagues, and the like know that you won’t be able to respond to their emails, you create an out-of-office message.
The typical auto-reply includes a brief explanation of why the recipient is out of the office, an approximate date of return and who the sender can alternatively contact. You may also list your chain of command and if you manage multiple departments, perhaps include the names and contact information for each division. Although this may appear innocuous to the untrained eye, those who are well-versed in information security, or simply read the latest cybersecurity headlines, would immediately cringe at the various red flags.
Let’s examine the probable scenarios that could transpire upon the auto-reply’s launch.
Physical Security Threat
Auto-replies that disclose travel details pose a physical threat as they provide criminals or intruders with the recipient’s whereabouts. Regardless of whether location is provided, one can link travel dates to a popular industry trade show. Criminals may gather this information from other resources, such as a company’s posts and images shared across social networks (e.g. Twitter, Facebook).
We're back with another Tech Tip video!
This time, we're tackling the subject of password security. Think your passwords are strong? Watch the video below and see if they meet these seven criteria.
The importance of employee security awareness cannot be understated. We hear and read stories too often about employees being victims of social engineering schemes. From downloading a malicious virus to falling for a wire transfer scam, these occurrences not only have financial implications to an investment firm but can also impact an employee personally and directly.
Most employees who fall prey to social engineering tactics never intend to hurt a company. In cases of wire transfer scams, for example, often an employee doesn’t follow the appropriate checks and balances at the firm or is being too "responsive" in order to impress a colleague or boss.
Just last week we learned of yet another inbound ransomware email (subject line: debt fax from <your domain here>) that had the ability to impact hedge funds if opened by an employee.
Pop Quiz: Phishing Email Example
Following is an example of the type of phishing or imposter emails that enter employees’ inboxes. Would your employees catch at least one of the items that make this email suspicious? Note the sender email address, which includes Eze Castle Integration’s domain, the balance due amount and the type of company (medical) sending the invoice. You may (and hopefully do) have advanced email security mechanisms in place, but you still have to train your employees because scams are only going to get more sophisticated.
Security Awareness Tips for Your Hedge Fund Employees
Phishing attempts can occur via email, phone, instant message, SMS or social media. Here’s what to look out for:
Check the sender email address as well as “to” and “cc” fields
Is it personalized? Be wary of generic greetings
Improper spelling and grammar can be giveaways as well
The financial services industry is currently under tremendous pressure to meet both investor and due diligence requirements. Thus, it is increasingly important to maximize technology to meet these pressures. To conclude our six-part hedge fund launch webinar series, we spoke with Eze Castle Integration’s own managing director Vinod Paul, who shared insights about current IT challenges and demands and how today’s hedge funds can employ best practices for operational excellence.
Key Priorities for New Managers
Paul defined cybersecurity and scalability as two primary technology considerations for new managers. You must first understand your firm’s specific vulnerabilities and exposures. One of the most common mistakes new launches make, according to Paul, is assuming that they only require the basic bare minimum in terms of technology. He urges new managers to pick an IT solution with operational growth in mind -- considering the business not at the onset, but in three to five years.
Service Provider Selection Criteria
Paul continued to place emphasis on customized IT, stating that when it comes to outsourcing, it is imperative that a firm carries out proper due diligence in choosing a provider to meet the firm’s unique needs. “You want enter into a true partnership that offers open lines of communication, flexibility, and ultimately, trust and accountability,” he said. Brand and reputation, long lasting relationships with clients, and industry experience are some of criteria Paul feels are most important when selecting a service provider. “Don’t step in to it with the attitude that a current provider is good enough, for right now,” he cautioned. The service provider should not only address day-to-day operations but also anticipate potential problems down the road.
The official definition given in TechTarget’s IT Dictionary reads: “Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users’ information on a local operating system or within an authentication server. If the credentials match, the process is completed and the user is granted authorization for access.”
At the heart of authentication is controlling access to ensure individuals only access the information they need. With stories of password compromises becoming more common it is important to understand the types of authentication factors available and good computing practices.
As part of Information Security Planning, firms should also identify applications, services or websites that require at least one level of authentication (e.g. password protection, PC certificate, or security tokens) as well as any that may require multi-factor authentication.
Following are the three commonly used authentication factors:
Because holiday expectations weren’t high enough for parents masquerading as the Easter Bunny or Elf on the Shelf, the latest craze is now centered around St. Patrick’s Day, giving parents the new role of leprechaun. Setting leprechaun traps the night before St. Patty’s has emerged as the newest trend for kids hoping to discover where the mighty leprechaun has hidden his pot of gold – or at least hoping to snag some chocolate coins.
But there is another trap you should be wary of, and that’s the one hackers are setting for you right now. A phishing trap.
Did you hear the story of the Central Bank of Bangladesh that lost $81 million to hackers? It happened in February 2016 and goes like this. The bank believes hackers executed a hack that allowed $81 million to be taken from the bank’s foreign exchange account at the Federal Reserve Bank of New York. It appears that the initial point of entry for the hackers was a spear-phishing email, potentially sent weeks before the fraud took place, which allowed the criminals time to remotely monitor and probe the bank’s networks without detection.
This is just the latest advanced threat facing financial organizations. Beyond cyber technology (which is essential), organizations need an internal culture of security, an ongoing, organization-wide commitment to defining and adhering to careful, thoughtful policies that reduce or eliminate “people vulnerabilities” through assessments, awareness, and education.
We recently published a Four Step Guide to Creating a Culture of Security. Here are some highlights – you can read the full paper HERE.
1. Create a Computer Incident Response Team
Your first step is to find the right people who can oversee your information-security policies and be part of a “Computer Incident Response Team.” Although IT professionals are responsible for overseeing and maintaining your computing infrastructure, you also need business users to play a central role in your security initiatives.
After all, they’re the ones who use these resources – and the ones who can represent the biggest vulnerabilities and risks. While the team’s responsibilities can vary, many CIRTs are active in several key areas:
Create a Plan
Create Training Programs
Respond to Incidents
Communicate with Peers/Industry Groups
According to TechTarget’s SearchSecurity, “an advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time.” As with most sophisticated cybersecurity attacks, the goal of the intruder is to capture valuable information and steal data. APT intrusions are often focused on high-value information and sectors such as the financial industry.
The cybersecurity landscape is constantly changing and today the cyber threat actors range from organized crime to state sponsors.
How do hackers gain access?
When it comes to advanced persistent threats, the cyber criminals often use targeted social engineering tactics including spear phishing. In a spear phishing incident, criminals target specific companies or individuals and conduct background research to compile employee names, titles and contact information. Social networks are common resources crawled for this information. Obtaining such details and observing communications provides criminals with the tools to mirror email addresses, website URLs and dialect. The end result is the criminal’s identity masqueraded as a legitimate, trustworthy source.