A Proactive Approach to Cybersecurity for Hedge Funds, Investment Firms
This article originally appeared on TABBforum and was contributed by Steve Schoener, senior vice president of client technology at Eze Castle Integration.
Cybersecurity certainly made its mark on the hedge fund and alternative investment industry in 2014. Threats consistently increased in frequency, sophistication and form. With the release of the SEC’s Cybersecurity Risk Alert this past April, firms were forced to react swiftly and leave their outdated security practices behind. 2014 was a reactive year for hedge funds, but we envision a shift in trends for 2015.
Prior to heightened regulations and detailed due diligence and IT security questionnaires, the majority of financial firms were drawing their curtains closed when it came to facing the reality of the threat landscape. But it was only a matter of time until businesses no longer could turn a blind eye to threats and investors knocking at their front doors.
Over the past year we have witnessed an unceasing number of cyber-attacks and potential threats, as well as heightened security regulations placed upon hedge funds. Consequently, we’ve all read the headlines and best practices guidelines when it comes to cybersecurity. While these resources are all helpful, there is an untapped core that lies beneath this hot topic’s surface layer. That is, the ever-evolving future and forthcoming trends for hedge fund information security. So what do we at Eze Castle Integration forecast for cybersecurity in 2015?
Went to Work, Caught a Phish
A common security threat on the rise among the industry is phishing. In traditional phishing, cyber criminals send mass messages to millions of users to increase the chances of infecting recipients (generally by enticing users to click a link and infect their environments or, in some cases, require financial action be taken). Spear phishing, on the other hand, utilizes a much more targeted approach and selects specific individuals and companies to attack. In this case, attackers do their homework and research social networking profiles as well as company employee names and titles. Tapping into personal and sensitive information provides attackers with the means to mirror familiar email addresses, dialect and URLs in their messages and ultimately better deceive users.
We anticipate this type of targeted attack on financial firms to continue to proliferate in 2015, primarily because cybercriminals utilize tools that are tested and true to hack intellectual property. To reduce the chances of getting hooked, users need to double check email addresses, websites and sender contact information. Variables that differ between authentic and fraudulent may come down to one special character, letter or number.
Successful high-profile breaches have paved the way to global opportunity for attackers. Cybersecurity headlines crossed borders and continents in 2014, and this trend will continue to burgeon in 2015, but on a much larger scale. Contributing to this expansion is the drop in prices of malicious malware in underground markets. Additionally, syndicates are hired by international crime organizations to exploit computer software flaws and security gaps. This increasing movement toward remote attacks means firms need to expand their security reach to become as safeguarded as possible.
The Social Side of Cybercriminals
Our constant connectivity to social networks has opened the floodgates to impromptu soirees with cybercriminals. We predict social campaigns, along with new, diverse hacking tactics, will escalate in 2015. Through social networks, criminals are able to track our likes, contacts, places and searches. Familiarizing themselves with our personal information and Internet routines gives hackers an upper hand in curating deceptive origins and forms.
Staying Ahead of the Hacker’s Curve
Approaches to security in 2015 will vary firm to firm. However, awareness of threats is no longer enough and common information security mistakes need to be a way of the past. It is imperative that all businesses understand the risks, strengthen and implement security measures, and have Business Continuity Plans (BCP) in place to prepare for the possibility of a data breach. Every employee needs to be more conscious when opening emails, downloading programs and connecting to networks, both in firm offices and when working remotely. In order to have a proactive year for security in 2015, firms need to cover all of their bases, both internally and externally.