Hackers are Watching: New security threats facing investment firms
As you’re probably aware, the topic of cybersecurity has been splashed prominently across headlines lately. Earlier this year, the former US director of national intelligence, James Clapper, identified cybersecurity as the top global threat.
In his testimony before the Senate Armed Services Committee, Clapper stated “I think the private sector needs to up its game on cyber security and not just wait for the government to provide perfect warning or a magic solution.” So what should you be doing to better protect your firm’s critical systems and data?
The truth is both large, well-established hedge funds and smaller startups are equally at risk of intrusion. Hackers may target large firms because they see an opportunity to profit from their substantial asset pools. Additionally, they might be after the notoriety associated with successfully hacking a well-known fund’s critical systems, especially in cases that will likely garner media attention. For smaller funds, hackers are likely after intellectual property, namely business plans, market forecasts and investment strategies.
What new security threats are out there and how can investment firms better protect themselves from a cybersecurity breach?
Hackers are always seeking new ways to gain access to protected systems and accomplish their goals. Antivirus and anti-malware developers are likewise on the hunt for ways to protect these systems and data from new intrusion methods. To increase protection, investment firms should employ a “defense in depth” strategy. This includes maintaining up-to-date antivirus and anti-malware software as well as network firewalls, deep inspection proxy and IDS/IPS to reduce the amount of traffic on the network. (Checkout: Malware Definitions & Security Tips.)
Unfortunately, even a network that’s equipped with the most recent O/S and fully upgraded applications with robust anti-malware tools in place can still be vulnerable to a cyber attack. This is because, in the ongoing Hackers v/s Anti-malware Developers Arms Race, hackers maintain the upper hand. They simply familiarize themselves with the most widely used antivirus tools, exploit software vulnerabilities that have not yet been acknowledged by the vendors and outsmart endpoint protection programs.
The Good News?
In years past security developers had deeper pockets than hacker groups. However, it appears that this is changing. One troubling new trend that has grown recently is state-sponsored hacking. News articles and investigations continue to swirl around Russia’s cyberattacks and hacking activities around the US elections. And, according to a New York Times report, the Chinese government has been accused of fostering the efforts of hackers targeting organizations in the US and around the world to gain access to sensitive information. With sponsorship from national governments or other large resource pools, hackers are going to get more sophisticated and more difficult to detect.
So, what should you do to protect your investment firm?
First, be sure to have all of the defense layers in place that we mentioned earlier, such as anti-virus and endpoint protection and next-generation firewalls. You may also want to consider a more robust, comprehensive intrusion detection systems, which can mitigate a potential security threat before irreparable damage is done.
Once these tools are in place, fund managers should educate their employees on potential security risks and train them on best practices for mitigating those security threats. Training should be ongoing and include in-the-moment training techniques such as simulated phishing tests. Policies should be in place around:
Information Security Incident Management
Incident Response Plan
Mobile Device Management
Often times, staff members don’t realize the extent of the risk to the organization if a cybersecurity attack occurs or sensitive company data is compromised. Employees who understand security threats and how to thwart them will serve as your fund’s best asset for keeping systems and information secure.
Want more security best practices for investment management firms?
*Editor's Note: This article has been updated and was originally published in March 2013 by Dina Ferriero (Eze Castle Integration).