As the frequency of cyber-attacks increases, so too do the maturity of attacks and their methods of prevention and remediation. Think of cybersecurity as a two-way street. One side is trying to deceive and breach, and the other is trying to protect, prevent and detect. The commonality is both are progressing towards automaticity.
Cybercrime: The Evolving Chameleon
A common misconception about cyber-attacks is that they only take the form of fake virus alerts, spam, outlandish emails and the like. On the contrary, a threat can take many forms, and cyber criminals are getting smarter. Today, hacktivists target the automaticity of our behaviors, responses and daily routines. This applies to both the human and business side of things. Cyber criminals now study and familiarize themselves with the daily activities and internal processes of firms to identify gaps and find a way in. The idiosyncrasy is in the simplicity with which cyber schemes are pulled off.
Whether you are a new hedge fund startup evaluating technology solutions or an established investment firm looking for an application upgrade or technology refresh, you’re likely to consider the cloud as one of your infrastructure options. If a cloud platform is ultimately your preference, however, your decision-making is far from over.
Deciding between a low-budget public cloud environment (think: Amazon Web Services, Microsoft Azure) and a vertical-specific private cloud (hint, hint: The Eze Private Cloud) is not always an easy choice for financial services firms. Despite the clear advantages of the private cloud, many investment management firms are drawn to the low-cost and high flexibility of a public cloud. While this type of infrastructure may suit a variety of other verticals, financial services firms have high standards and require a level of service and infrastructure beyond what public cloud platforms can offer. Trading via the public cloud can pose a host of challenges and concerns - let's look at a few.
Preparing for Cyber-Attacks and Breaches
At the top of everyone’s priority list these days is cybersecurity preparedness. And rightfully so. Security breaches and attacks are seemingly occurring on a daily basis, and hackers have become savvier than ever. As a result, large public cloud enterprises – the Googles and Amazons of the world – are inherently more susceptible to attacks and, as a result, downtime. While these public cloud services are surely beefing up security and have billions of dollars’ worth of resources to dedicate to security planning, it remains to be seen if they can sustain a targeted attack or significant downtime.
At Eze Castle Integration we see thousands of due diligence questions about hedge fund technology and operations each year. The questions around security are getting more specific with investors wanting details about each layer of a firm’s security stack.
A new question we’ve seen pop up one or twice centers around whether a firm’s online systems have undergone an ethical hack. So what is ethical hacking and how is it different from penetration testing?
What is Ethical Hacking?
Going back to our trusty security dictionary, SearchSecurity defines ethical hacker (aka white hat hacker) as a “computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker [aka black hat hacker] could potentially exploit.”
The increased focus on all things cybersecurity related – cyber-attacks, cyber warfare and cyber terror – has even led to the creation of a Certified Ethical Hacker (CEH) designation, which hacking pros can earn by completing online courses offered by the EC-Council.
In an interconnected world, there is a trade-off between enjoying limitless information at our fingertips and threats that are just one click away. Most of us have become so accustomed to being plugged in, that we forget the world is simultaneously plugging in to us as well.
The global evolution of cybercrime continues to push boundaries and raise the bar for technology innovation and advanced security solutions. Indicating the evolving regulatory landscape, the US Securities and Exchange Commission (SEC)'s Office of Compliance Inspections and Examinations (OCIE) announced back in 2014 that it planned to inspect the cybersecurity preparedness of over 50 registered broker-dealers and investment advisers. In 2015, their examinations will continue across the financial services industry, and firms are locking down security practices in advance of these inquiries. Additionally, in Asia, the Singapore Personal Data Protection Act governs the collection, use, and disclosure of personal data.
The amount of data and information that passes through the Internet every day is – for lack of a better term - enormous. And truth be told, sometimes we are sharing information that we don’t want to get into the wrong hands, whether it be via email, instant message or other communications. Think: credit card information, personal information (name, address, social security number, etc.), bank account information or sensitive company or financial data.
A secure way to transmit this information is through encryption. According to TechTarget, encryption is “the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties.”
The history of encryption, believe it or not, began a long time before the Internet existed and we started sending electronic data. The ancient Greeks and Romans, in fact, sent secret messages by substituting letters that only a secret key code could decipher. In the time of Julius Caesar, he created a cipher by which he shifted letters to the left or right to hide his messages.
The official definition given in TechTarget’s IT Dictionary reads: “Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users’ information on a local operating system or within an authentication server. If the credentials match, the process is completed and the user is granted authorization for access.”
At the heart of authentication is controlling access to ensure individuals only access the information they need. With stories of password compromises becoming more common it is important to understand the types of authentication factors available and good computing practices.
As part of Information Security Planning, firms should also identify applications, services or websites that require at least one level of authentication (e.g. password protection, PC certificate, or security tokens) as well as any that may require multi-factor authentication.
Following are the three commonly used authentication factors:
In a constantly connected world, the majority of us cannot help but feel reliant on our mobile devices, especially when it comes to battery life percentage.
Whether you’re in the airport, train or just on the go, keeping that effervescent green light out of the red zone becomes a priority, and most will plug into just about anything. With public smartphone chargers on the rise, this resource seems ideal for the battery conscious user. However, prior to plugging in to power up, we suggest proceeding with caution. After all, do you know whose hands that charger was in before?
In today’s market, the pressure from both investors and regulators is at a steady incline. Reporting obligations have grown complex, transparency is in high demand and compliance technology has become a vital component to a firm’s success. With various demands tug-o-warring hedge fund managers in multiple directions, a Client Relationship Management (CRM) platform could be the solution your financial firm has been searching for.
Introducing Ledgex CRM, the revolutionary, stand-alone Client Relationship Management solution launched today by our sister company, Ledgex Systems. Ledgex CRM is ideal for managing and tracking investor communications, sales pipelines, client relationships and capital movements. The highly configurable, centralized platform is tailor-made for hedge funds, family offices and asset allocators.
The new product offers the sophisticated Client Relationship Management capabilities necessary to raise and retain more assets, maintain and grow clients, provide outstanding client service and meet heightened reporting requirements. Out of the box, the web-based solution delivers efficiencies, transparency and flexibility without increasing headcount or costs. By streamlining investor relationship management and capital activity, Ledgex CRM enables managers to optimize their time and focus on fostering relations and growing business.
By now, you’ve no doubt heard about Apple’s latest tech craze: Apple Watch. Revealed during the company’s latest announcement earlier this week, the Apple Watch is expected to revolutionize the mobile world. Available starting April 24, the Apple Watch will appeal to a variety of end users – with prices ranging from $349 (for the aluminum version) to $10,000+ for gold-plated versions.
The Apple Watch will feature many of the same abilities of the iPhone – making/answering phone calls and texts, Internet surfing, and app integration as well as new advanced health monitoring features and Apple Pay. But with a user’s data now on his/her wrist in addition to in his/her pocket, should we be concerned about security?
Let’s start with the good news.
Apple Pay, in and of itself, has been thought out well in terms of security, it seems. Users can opt in to use a PIN number which will need to be entered every time the watch is put on a wrist. So if that watch was stolen, it would be impossible for the thief to make purchases via Apple Pay unless they had a user’s PIN number. According to Apple:
“Even if you lose Apple Watch, your accounts are protected. Because when you set up Apple Pay, you’re required to create a passcode. Each time you take Apple Watch off your wrist, the passcode must be entered to access it. And you can quickly remove your cards on iCloud.com."
In the last 30 years, how many weather events can you remember? Maybe some recent “super storms” come to mind – Hurricane Sandy (2012), and Winter Storm Juno (2015) are probably at the top of your list. How prepared for these storms was your firm?
A 2007 study by the National Association of Insurance Commissioners (NIAC) found that more than 90% of small businesses interviewed had property/liability coverage while less than half (48%) of firms with annual revenues of more than $1 million have business interruption insurance.
It may not come as a surprise then that, following disasters such as these, many small business (20-40%) are forced to shut down, according to an Institute for Business & Home Safety (IBHS) report. It is important to understand the losses that can affect businesses and prepare accordingly. These losses can include: disruption of critical supplies and inability to move product, utility outages and power failures, employee transportation issues or remote access problems, and connectivity issues, just to name a few.