Educate Employees About Cybersecurity: A Hedge Fund's Security Depends On It
The following article originally appeared last month on the Tabb Forum.
Cybersecurity is a hot topic, and rightfully so, as headlines report new vulnerabilities and incidents with increasing frequency. In the fight to prevent attacks, technology safeguards are typically the focus. A firm must have layers of security that include, but are not limited to, anti-virus, firewalls, intrusion detection systems and Internet monitoring and reporting, as well as procedures that restrict and monitor access.
However, beyond technology, the role employees play cannot be overstated. The reality is that employees can be either a firm's strongest line of defense or its weakest link. Which way it swings often comes down to two things: access control policies and cybersecurity training.
Getting the Access Right
Employees require access to the data necessary to complete their job functions, and nothing beyond that. It is not a matter of distrusting your employees; it is a matter of not trusting the technology behind them. A compromised workstation or a phished password inherits every permission its owner holds, so the less data an employee can reach, the less damage can be done through an internal breach or an external hack.
The SEC Cybersecurity Risk Alert issued in April 2014 highlights the importance of access control by asking about the controls a firm maintains to “prevent unauthorized escalation of user privileges” and how firms “restrict users to those network resources necessary for their business functions.”
Part of a firm's cybersecurity planning must be defining how company data is protected, where it is located, who has access to it and who actually needs it. Once access levels are defined, they must be reviewed at least annually to confirm that actual entitlements still match the defined levels firm wide, and that access granted for a since-departed employee, a changed role or a one-off project has been removed.
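As an added example (not code from the original article or any firm's actual tooling), the following script shows what a periodic access review of the kind described above looks like in practice: it reconciles each employee's actual group memberships against an approved role-to-entitlement matrix, flags excess access, separately flags membership in privileged groups (the "unauthorized escalation of user privileges" the SEC alert asks about), and lists entitlement groups whose last review is older than a year. All role names, group names, users and review dates are constructed for illustration.

```python
"""Access review: reconcile actual entitlements against an approved
role-to-entitlement matrix and enforce an annual review cadence.

Added example. All roles, groups, users and dates below are constructed
and hypothetical; they do not describe any real firm.
"""
from datetime import date

# Hypothetical role matrix: the groups each job function is approved to hold.
APPROVED_ACCESS = {
    "trader":     {"trading-desk", "market-data", "email"},
    "analyst":    {"research-share", "market-data", "email"},
    "operations": {"settlements", "email"},
    "it-admin":   {"domain-admins", "server-ops", "email"},
}

# Groups that confer elevated privilege. Holding one of these outside an
# approved role is treated as a possible unauthorized privilege escalation.
PRIVILEGED_GROUPS = {"domain-admins", "server-ops"}

# Constructed snapshot of user -> (assigned role, groups actually held),
# in the shape an identity-system export might take.
USERS = {
    "alice": ("trader",     {"trading-desk", "market-data", "email"}),
    "bob":   ("analyst",    {"research-share", "market-data", "email", "settlements"}),
    "carol": ("operations", {"settlements", "email", "domain-admins"}),
    "dave":  ("it-admin",   {"domain-admins", "server-ops", "email"}),
    "erin":  ("contractor", {"email"}),  # role missing from the matrix
}

# Constructed dates on which each entitlement group was last reviewed.
LAST_REVIEWED = {
    "trading-desk":   date(2013, 3, 1),
    "settlements":    date(2014, 2, 10),
    "domain-admins":  date(2012, 12, 31),
    "research-share": date(2013, 11, 20),
}
REVIEW_DATE = date(2014, 4, 15)


def review_access(users, approved=APPROVED_ACCESS, privileged=PRIVILEGED_GROUPS):
    """Return {user: finding} for every user who needs attention.

    A finding records the user's role, whether that role is unknown to the
    matrix (so nothing is approved for it), the groups held in excess of
    the approved set, and which of those excess groups are privileged.
    Users whose access matches their role exactly are omitted so the
    report is actionable rather than a dump of everyone.
    """
    findings = {}
    for user, (role, groups) in users.items():
        allowed = approved.get(role)
        unknown_role = allowed is None
        excess = groups - (allowed or set())
        if excess or unknown_role:
            findings[user] = {
                "role": role,
                "unknown_role": unknown_role,
                "excess": excess,
                "privileged": excess & privileged,
            }
    return findings


def overdue_reviews(last_reviewed, today=REVIEW_DATE, max_age_days=365):
    """Return, sorted, the groups whose last review is older than max_age_days."""
    return sorted(
        group for group, reviewed in last_reviewed.items()
        if (today - reviewed).days > max_age_days
    )


if __name__ == "__main__":
    for user, f in sorted(review_access(USERS).items()):
        tag = "PRIVILEGED " if f["privileged"] else ""
        note = " (role not in matrix)" if f["unknown_role"] else ""
        print(f"{tag}{user} [{f['role']}]{note}: excess={sorted(f['excess'])}")
    print("overdue reviews:", overdue_reviews(LAST_REVIEWED))
```

On the constructed data the report flags bob for a settlements entitlement his analyst role does not justify, carol for domain-admins membership (a privileged group outside her operations role, so the highest-priority item), and erin because her role does not appear in the matrix at all, which is itself a control gap to close. Privileged findings are separated from ordinary excess access so the review can be prioritised rather than treated as one undifferentiated list.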
A Little Education Goes a Long Way
With access controls set, a firm must train employees on handling confidential data and define their responsibilities around cybersecurity. One compromised computer can infect an entire organization, so at least annually, employees should complete security awareness training on a range of topics including:
Importance of Security Policies: Outline employee responsibilities concerning information security, the incident escalation process and how to protect data from malicious intrusion;
Cybersecurity Threat Landscape: Define the techniques a hacker may use to access confidential data or systems and how employees can avoid becoming victims. Common social engineering threats targeted at employees include pretexting, phishing via email or phone, baiting and quid pro quo;
Practicing Internet Safety: Help employees recognize the signs of malicious activity, how it spreads and how to prevent it. Threats employees may encounter on the Internet include network spoofing, viruses, worms, password crackers and Trojan horses. Employees need to know the signs, such as missing files, that may indicate a computer is infected;
Email Safety: Identify what makes an email message suspicious, such as a strange subject line, an unexpected sender, or an unsolicited attachment or link, and how employees should handle it. Best practice is not to open the attachment or follow the link, to report the message to the security or IT team so that others can be warned, and then to delete it;
Access Control Responsibilities: Train employees on how access controls and passwords are maintained and on what is expected of them in both areas. For example, employees should never share their login credentials and must maintain complex passwords that are not reused across systems;
Preventing Identity Theft: Educate employees on how identity theft occurs, including shoulder surfing, eavesdropping and dumpster diving, how to prevent it and what to do if they become a victim; and
Physical Security Threats: Attention gravitates toward cyber threats, but firms and their employees must still take physical security precautions, including locking screens whenever a workstation is unattended, locking offices, storing sensitive documents securely and physically securing laptops and other computers.
Security awareness training empowers employees and provides firms an added barrier against internal and external threats.