Social Engineering: The Human Element to Hedge Fund Hack Attacks

By Mark Coriaty | Thursday, October 20th, 2016

The following article was written by Mark Coriaty, Chief Strategy Officer for Eze Castle Integration, and originally published as part of Opalesque's 'Other Voices'.

As financial firms become increasingly interconnected and globalized, their dependence on cyberspace has skyrocketed. While this amplified reliance on the infobahn has accelerated productivity and growth, it has also exposed firms to larger risks, such as hacking, malware, spyware and social engineering. The latter, which is the most disregarded element of an organization’s security program, is also the most dangerous.

Social engineering (e.g. phishing, pretexting, baiting, etc.) relies on the exploitation of human behaviors to breach an organization’s information security system. Hackers prey on propensities of human nature, including:

Trust: Some people are trusting to a fault; therefore, they do not question the intentions/identity of another person until proven to be false.
Ignorance: Disregard for the consequences of carelessness with sensitive business information.
Laziness: Willingness to cut corners, such as not filing away confidential paperwork and leaving it exposed for others to see.
Kindness: Employees want to feel that others can leverage them for their assistance and information because we’ve trained them to do so. However, this can lead to divulging too much information to the wrong person.

Social Engineering Techniques

During a social engineering scheme, criminals will typically attempt to trick victims into clicking on malevolent attachments and hyperlinks by promoting them as relevant, insightful and/or significant content. For example, a hacker sends the target firm a PDF attachment via email that appears to be an invoice. However, the PDF is actually an executable file (.exe) that runs a malicious program. The unwary employee downloads the authentic-looking PDF and unleashes the malware file into its organization’s network, granting it access to sensitive data and leaving the company at risk.

In many cases, the malware may be ransomware, meaning the compromised computer would be locked and victim demanded to make a payment in order to regain access to files. According to the FBI’s 2015 Internet Crime Report, ransomware was among the three major fraud types reported to the Internet Crime Complaint Center (IC3) last year. The other two were business e-mail compromise and e-mail account compromise (targeting of personal email).

Internet of Things (IoT) and Mobile Security

The Internet of Things encompasses billions of online devices, and its growth over the years is ever-burgeoning. Think of how many devices in your office are connected to the Internet. Computers, wristwatches, TVs, cameras, printers and phones are just a few examples of devices that fall under IoT’s scope.

There are several egress points for a corporate data breach and the mobile device is a main entrance. Playing a fundamental role in many business operations, we rely on cell phones to communicate and exchange information with prospects, clients and partners. The mobile device has become an extension of a firm’s data, roaming outside of its firewalls and risk management tools. Consequently, it also serves as a gold mine for criminals. For these reasons, it is critical that firms implement mobile security strategies to enforce policies and procedures and apply layers of security to devices.

As a best practice, firms should have a Bring Your Own Device (BYOD) policy in place that includes Mobile Device Management (MDM). MDM enables IT staff to monitor devices real-time, remotely wipe data and revoke access to your firm’s network.

Mitigating the Human Hack Risk

Hedge funds and alternative investment firms may believe they have a robust security program with advanced technology in place; however, an employee could unlock the gates to a firm’s IT infrastructure and confidential business data with just one click. So, what can organizations do to mitigate the human hack risk? In order to change employees’ security behaviors, proper security training and education is required, and the onus is on the firm to expect and demand compliance. At the end of the day, the liability for data breaches rests in the hands of the business, not the third party software leveraged, so you want to select technology partners based on value, repute and dependability, not because they’re the biggest bang for your buck.

Furthermore, simply requiring an annual review and sign-off of IT policies will not resonate in an employee’s mind when faced with a potential security threat. Security awareness training needs to be dynamic, interactive, ongoing and provide actionable insights so businesses may improve security practices moving forward. Beyond general awareness programs, specific tools such as phishing simulations, are cost-efficient and extremely effective in preparing employees to detect unwanted and malicious emails. Employing these tools and working with experienced, industry-specific managed service providers is necessary to ensuring financial services firms are able to protect against the single most dangerous threat to their firms: insiders.

With threats increasing in number and sophistication, inaction is not an option. The time to act is now.