The Threat Within: Mitigating insider risk
The following article first appeared in Hedgeweek's special report: Cybersecurity for Fund Managers 2016.
Mitigating insider risk is one of the biggest challenges that organisations face when it comes to remaining cyber secure.
"One thing we've seen a lot of with clients is their need for consulting support," says Mark Coriaty, Senior Vice President Strategy & Partnerships, Eze Castle Integration. "They don't necessarily have the biggest IT teams and/or might have been more focused on the engineering side than the cyber side. Consequently, they are spending more time learning about the business, as opposed to just putting a solution in place.
"Cybersecurity comes down to operational and procedural policies as well as employee training, which is by far one of the biggest threats to any firm."
Many internal breaches come down purely to human error, but on occasion it is the actions of a rogue employee that lead to data misappropriation. To limit the impact, fund managers can put permission controls in place as a way to enforce their policies and procedures; these might allow them to disable USB drives, protect different file sets on the back end, and so on.
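The permission controls described above rest on one rule: each person can reach only the data their role needs. The following is an added example, not code from the article or from Eze Castle Integration, showing how that rule can be checked after the fact against a file-share audit log. The role scopes, the user directory and the access events are all constructed for illustration; a real deployment would read them from the directory service and the file server's audit trail.

```python
"""Least-privilege audit of file-share access events.

Added example (not from the article or Eze Castle Integration). Role scopes,
user directory and access log below are constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed role scopes: the only share paths each role needs day to day.
ROLE_SCOPES = {
    "trader": ["/shares/trading", "/shares/research"],
    "operations": ["/shares/operations", "/shares/hr/onboarding"],
    "compliance": ["/shares/compliance", "/shares/trading/reports"],
}

# Constructed user directory (user -> role).
USER_ROLES = {
    "alice": "trader",
    "bob": "operations",
    "carol": "compliance",
}

# Constructed audit events: (user, path, action).
ACCESS_LOG = [
    ("alice", "/shares/trading/blotter.xlsx", "read"),
    ("alice", "/shares/hr/payroll.csv", "read"),          # outside trader scope
    ("bob", "/shares/operations/wires.csv", "write"),
    ("bob", "/shares/trading/positions.csv", "read"),     # outside operations scope
    ("carol", "/shares/trading/reports/daily.pdf", "read"),
    ("dave", "/shares/research/notes.txt", "read"),       # user not in directory
]


@dataclass(frozen=True)
class Finding:
    user: str
    path: str
    action: str
    reason: str


def path_in_scope(path: str, scopes: list[str]) -> bool:
    """True if `path` equals or lies beneath one of the scope roots.

    Comparing path components (not string prefixes) avoids the classic bug
    where "/shares/trading2" would match a scope of "/shares/trading".
    """
    p = PurePosixPath(path)
    return any(p == PurePosixPath(s) or PurePosixPath(s) in p.parents for s in scopes)


def audit(log, user_roles=USER_ROLES, role_scopes=ROLE_SCOPES) -> list[Finding]:
    """Return every access that falls outside the user's role scope.

    Unknown users and roles without a scope are findings too: default deny
    means an unmapped identity never passes silently.
    """
    findings = []
    for user, path, action in log:
        role = user_roles.get(user)
        if role is None:
            findings.append(Finding(user, path, action, "user not in directory"))
            continue
        scopes = role_scopes.get(role)
        if scopes is None:
            findings.append(Finding(user, path, action, f"role {role!r} has no scope"))
            continue
        if not path_in_scope(path, scopes):
            findings.append(Finding(user, path, action, f"outside scope of role {role!r}"))
    return findings


if __name__ == "__main__":
    for f in audit(ACCESS_LOG):
        print(f"{f.user:6} {f.action:5} {f.path}  <- {f.reason}")
```

Run against the constructed log, the audit flags three events: a trader reading a payroll file, an operations user reading trading positions, and a user who is not in the directory at all. The same scope table can be used the other way round, to grant permissions in the first place, so that the audit only ever confirms what the controls already enforce.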
"It is important for whoever is managing the overall IT infrastructure to ensure that people only have access to data that they need for their day-to-day responsibilities, and block them from accessing data in other parts of the organisation," says Coriaty, adding that employee training has to be an ongoing process. "For larger firms that hire new employees regularly, managing the process of training them is crucial to maintaining good security. Most hackers target smaller investment managers not to collect credit card numbers, or investor details, but for extortion purposes using the likes of CryptoLocker to pay ransoms.
"This is where proper training becomes instrumental in teaching employees to recognise what potential threats, such as CryptoLocker, look like. Eze Castle Integration recently launched its Eze Managed Phishing & Cybersecurity Training Service specifically for this purpose – to increase security awareness and change cybersecurity behaviors company-wide. We provide it as part of our managed service when we take on a new client," explains Coriaty.
Rather than run a phishing exercise all at once, Eze Castle performs it in stages with different groups in an organisation. After the first round of training, Eze Castle's team will send a report to the client's COO detailing how many people opened the email. This may be 20 out of 50 people, but in the second wave of training progress starts to be made and perhaps only 10 people open the email as education starts to take effect.
"From a best practice standpoint, we visit the client's office, produce a WISP with their internal IT team and conduct employee training biannually. This ensures that all documentation is kept up to date. With respect to the phishing exercises, we do these on a rolling basis throughout the year. The aim is not to target all employees at once but in batches so that they aren't aware of it happening, much like a real phishing campaign," says Coriaty. Training, together with common sense, is often the best remedy for internal breaches.
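The staged exercise described above produces one key figure per wave, how many people opened the email, and its value lies in comparing waves. The following is an added example, not code from the article or from Eze Castle Integration, of the reporting a COO might receive: open and report rates per wave, the users who opened the lure in every wave they received, and the groups whose rate did not fall between the first and last wave and so are candidates for another round. The result records are constructed; a real service would export them from the phishing platform.

```python
"""Per-wave reporting for a staged phishing exercise.

Added example (not from the article or Eze Castle Integration). The result
records are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    wave: int
    group: str
    user: str
    opened: bool      # user opened the lure (or clicked its link)
    reported: bool    # user reported the mail to IT instead of, or after, opening it


# Constructed results: two waves sent to the same ten people in two groups.
RESULTS = [
    Result(1, "front-office", "alice", True, False),
    Result(1, "front-office", "bob", False, True),
    Result(1, "front-office", "carol", True, False),
    Result(1, "front-office", "dan", False, False),
    Result(1, "front-office", "erin", False, True),
    Result(1, "operations", "frank", True, False),
    Result(1, "operations", "grace", False, False),
    Result(1, "operations", "heidi", True, True),
    Result(1, "operations", "ivan", False, True),
    Result(1, "operations", "judy", False, False),
    Result(2, "front-office", "alice", True, False),
    Result(2, "front-office", "bob", False, True),
    Result(2, "front-office", "carol", False, True),
    Result(2, "front-office", "dan", False, False),
    Result(2, "front-office", "erin", False, True),
    Result(2, "operations", "frank", False, True),
    Result(2, "operations", "grace", True, False),
    Result(2, "operations", "heidi", True, False),
    Result(2, "operations", "ivan", False, True),
    Result(2, "operations", "judy", False, True),
]


def wave_summary(results):
    """Return {wave: {"sent", "opened", "reported", "open_rate"}} in wave order."""
    by_wave = defaultdict(lambda: {"sent": 0, "opened": 0, "reported": 0})
    for r in results:
        w = by_wave[r.wave]
        w["sent"] += 1
        w["opened"] += int(r.opened)
        w["reported"] += int(r.reported)
    for w in by_wave.values():
        w["open_rate"] = w["opened"] / w["sent"]
    return dict(sorted(by_wave.items()))


def repeat_openers(results):
    """Users who opened the lure in every wave they received (at least two waves).

    These are the people targeted training should reach first.
    """
    received = defaultdict(set)
    opened = defaultdict(set)
    for r in results:
        received[r.user].add(r.wave)
        if r.opened:
            opened[r.user].add(r.wave)
    return sorted(u for u in received if len(received[u]) >= 2 and opened[u] == received[u])


def groups_not_improving(results):
    """Groups whose open rate did not fall between their first and last wave."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # group -> wave -> [opened, sent]
    for r in results:
        c = counts[r.group][r.wave]
        c[0] += int(r.opened)
        c[1] += 1
    flagged = []
    for group, waves in counts.items():
        first, last = min(waves), max(waves)
        if first == last:
            continue  # only one wave so far, nothing to compare
        first_rate = waves[first][0] / waves[first][1]
        last_rate = waves[last][0] / waves[last][1]
        if last_rate >= first_rate:
            flagged.append(group)
    return sorted(flagged)


if __name__ == "__main__":
    for wave, s in wave_summary(RESULTS).items():
        print(f"wave {wave}: {s['opened']}/{s['sent']} opened ({s['open_rate']:.0%}), {s['reported']} reported")
    print("repeat openers:", repeat_openers(RESULTS))
    print("groups to re-run:", groups_not_improving(RESULTS))
```

On the constructed data the open rate falls from 40% to 30% overall while the report rate rises, which is the trend the article describes, but the breakdown shows the improvement came entirely from one group; the other stayed flat and is flagged for another wave. Tracking reports alongside opens matters, because a user who opens the mail and then reports it has still done the right thing.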
"We put together black and white lists based on types of websites and social media platforms to let firms understand the risks and allow the COO to use permissions to control what employees are doing on the web," concludes Coriaty.
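The black and white lists described above are lists of website categories, with the COO deciding which roles may reach which categories. The following is an added example, not code from the article or from Eze Castle Integration, of how such a policy can be evaluated: firm-wide deny beats firm-wide allow, role permissions fill the gap between them, and a host that no list knows is denied rather than allowed. The host-to-category table, the roles and the URLs are constructed; in practice a proxy or DNS filter supplies the categorisation feed.

```python
"""Category-based web access policy with per-role permissions.

Added example (not from the article or Eze Castle Integration). The category
table, roles and URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed host -> category table (a vendor feed in practice).
HOST_CATEGORIES = {
    "bloomberg.example": "financial-news",
    "linkedin.example": "social-media",
    "twitter.example": "social-media",
    "dropbox.example": "file-sharing",
    "sec.example": "regulatory",
}

# Firm-wide lists: black list denies everyone, white list allows everyone.
FIRM_BLACKLIST = {"file-sharing"}
FIRM_WHITELIST = {"financial-news", "regulatory"}

# Per-role permissions set by the COO: categories a role may reach beyond the white list.
ROLE_ALLOW = {
    "marketing": {"social-media"},
    "trader": set(),
}


def host_of(url: str) -> str:
    """Return the lowercase host of `url`, tolerating bare hostnames.

    urlsplit().hostname discards any userinfo before an '@', so the decision
    is always made on the host the browser would actually connect to.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def categorise(host: str):
    """Exact match first, then each parent domain, so sub.twitter.example inherits."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in HOST_CATEGORIES:
            return HOST_CATEGORIES[candidate]
    return None


def decide(url: str, role: str):
    """Return (allowed, reason). Deny beats allow; uncategorised hosts are denied."""
    host = host_of(url)
    cat = categorise(host)
    if cat is None:
        return False, f"{host}: uncategorised, default deny"
    if cat in FIRM_BLACKLIST:
        return False, f"{host}: category {cat!r} is black-listed firm-wide"
    if cat in FIRM_WHITELIST:
        return True, f"{host}: category {cat!r} is white-listed firm-wide"
    if cat in ROLE_ALLOW.get(role, set()):
        return True, f"{host}: category {cat!r} permitted for role {role!r}"
    return False, f"{host}: category {cat!r} not permitted for role {role!r}"


if __name__ == "__main__":
    for url, role in [
        ("https://www.bloomberg.example/markets", "trader"),
        ("https://linkedin.example/feed", "marketing"),
        ("https://linkedin.example/feed", "trader"),
        ("http://dropbox.example/s/abc", "marketing"),
        ("https://bloomberg.example@evil.example/", "trader"),
    ]:
        allowed, reason = decide(url, role)
        print("ALLOW" if allowed else "DENY ", reason)
```

The ordering is the point: a category on the black list is refused even if a role has been granted it, and the last URL shows why the decision must be taken on the parsed host rather than on the text of the link, since what precedes the `@` is not where the connection goes.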