The tide is changing for private equity firms. They continue to grow in popularity – some say private equity is the new hedge fund – but with increased interest comes amplified speculation and heightened expectations.
In technology, private equity firms have found a fierce enabler for continued growth, and one that has shone the light on organizational benefits to be had far beyond the IT closet.
Eze Castle Integration commissioned its Private Equity CTO Survey to more closely examine the evolution of the private equity industry as driven by – and driven to – technology. In reaching the top IT executives and chief technology officers (CTOs) at these firms, the survey highlights their priorities, successes and even failures, and in doing so, sheds light on this industry that has risen to the forefront of the greater financial community.
Our Private Equity CTO Survey encompasses four primary sections: business priorities, cybersecurity, outsourcing trends and the evolution of the private equity CTO.
If one thing is to be derived from the advent of information technology, it is that IT enablement extends well beyond the recesses of the Communications Room. Accordingly, technology decision-making is also impacted by an organization’s business objectives, and the two work in alignment to derive achievements across the firm. In this section of the survey, we’ll highlight areas where business goals have impacted IT budgets and where private equity firms plan to focus their attention in the coming year.
The cybersecurity threat landscape continues to evolve, leaving significant operational and reputational harm in its wake for financial services firms. Headline-making cyber-attacks such as those impacting LinkedIn, TalkTalk, Yahoo and Sony have forced cybersecurity into the limelight, and are enough to fill any business with trepidation. We hear and see a lot of information floating around – some of which, unfortunately, can be misleading or, at times, inaccurate. It is imperative that firms understand how to separate fact from fiction and develop and deploy sophisticated and appropriate approaches to information security.
So, what are these myths exactly? Let’s have a look.
Myth #1 Cyber Security? Just leave it to the IT department.
Cyber awareness needs to be embedded in the culture of the company, not just the IT team. Firms should communicate the importance of managing cyber risk to every employee in order to strengthen and integrate protocols into daily business operations. Never underestimate the effectiveness of social engineering attacks. Educating staff to avoid opening unsolicited attachments or clicking on suspicious links within emails is one of the most important areas for organisations to concentrate on today.
Myth #2 Cyber criminals don’t target small businesses.
This myth can be particularly dangerous. Many small firms believe that because they are small, there is no risk of a cyber-attack. Therefore, there is no reason to take any precaution to prevent such an attack. In fact, the very opposite is true. In the eyes of the hackers, small businesses are often easy targets since they sometimes fail to take necessary measures to protect themselves.
As we prepare our turkeys for Thanksgiving and retail stores of all shapes and sizes prepare their inventory for Black Friday and Cyber Monday sales, cyber criminals are preparing their attacks. Your inboxes are likely already flooded with the newest and most popular deals for this holiday season, but while we all prepare to shop 'til we drop, it is important to follow safe computing practices while you are out of the office and in the stores.
Here are some popular scams to watch out for this holiday shopping season:
Phishing emails pose one of the biggest threats to shoppers during the holiday season. Cyber criminals may be spoofing retailer emails with blowout deals on the best toys for your family, and one click on a spoofed email could result in malware or a virus installed on your computer. Another email spoof could appear to be from one of your frequently visited retail sites and ask you to enter personal information to either confirm a purchase or verify payment. To avoid handing your sensitive information over to hackers, be sure to check the sender and any links in emails before opening or taking action on any suspicious emails.
Email isn't the only way hackers can spread the season's "hottest deals". Another new scam being used to gather banking and payment information is phishing texts. Your phone will receive a fake text message asking to verify a payment due to irregular activity. The text will provide you with a number to call and secure your account. Once you call this number you will be asked to verify your home address and social security number for identification. Amidst the flurry of your Black Friday or Cyber Monday shopping spree, you could get tripped up and provide a hacker with all of the information that he/she needs to steal your identity, access your financials or worse.
Operational due diligence meetings have become impactful moments for hedge funds to impress both current and potential investors. Firms have the ability to answer questions, alleviate fears and market themselves in a one-on-one setting that affords more opportunity than a completed due diligence questionnaire and an up-to-date performance sheet.
But how can today’s hedge funds truly set themselves apart and impress investors during these ODD meetings? Here are five ways:
1. Demonstrate your knowledge of and commitment to regulatory compliance.
Increasing regulatory oversight of investment firms has been a consistent trend over the course of the last few years, and it can be a challenge for hedge funds to keep abreast of changing legislation and regulator expectations. Disclosure and reporting requirements under the Investment Advisers Act of 1940, record-keeping requirements under the Dodd-Frank Act, and growing cybersecurity recommendations as part of the SEC’s ongoing inquiry are just a few of the initiatives to keep track of. But demonstrating to investors that your firm has knowledge of these regulations and takes them seriously will serve you well.
Whether your firm is compliant to the SEC, FINRA, NFA, CFTC, FCA – phew! – or another regulatory body, it’s imperative that you take the time to fully understand your firm’s legislative requirements and, in writing, show investors your level of preparedness. For example, if you’re a registered investment adviser with the SEC, are you aware of the proposed rule that would require firms to implement business continuity and transition plans? Have you compiled a document that outlines the SEC’s 28 points identified in its cybersecurity risk alert? Coming to your next investor due diligence meetings with this knowledge and the appropriate documentation will demonstrate that you take regulatory compliance seriously and are equipped to comply with the necessary requirements facing your organization.
The Internet of Things (IoT) is what allows us to connect all of our devices to the Internet – the devices we use every day to make our lives easier, more efficient and, most of the time, safer. IoT devices can usually be monitored or controlled from a remote location. For example, we use baby monitors and cameras to watch over our kids and houses, apps to control the temperature and lights in our homes, and webcams to chat with long-distance friends or conduct business meetings and interviews. Although there are enormous benefits to streamlining and connecting these devices across both business and personal settings, the Internet of Things can also pose a real threat to the security posture of both an individual and an organization.
As in the recent DDoS attack which brought down major sites such as Twitter, Reddit and Netflix, sophisticated hackers can take advantage of these everyday IoT devices to gain access to networks and sensitive information. For example, hackers can release malware onto the Internet that scans for vulnerable devices, including IoT devices. Once a device or devices are found, the malware is able to get into the network and cause disruptions, potentially leading to users losing control of functionality, websites being shut down, or information being stolen.
One concern is that when developers design IoT devices, they often overlook the software needed to protect consumers. In many cases, they may be more concerned with functionality, design and the value said device will bring to users. IoT devices are easy to attack because they usually connect to the Internet by default and use stock code from open source software. Developers also can’t assume that consumers know the risks they face when using IoT devices. While robust security features, such as firewalls, can't truly be installed within IoT devices themselves, in the future designers need to pay closer attention to security to prevent devices from becoming easy targets.
Social engineering schemes continue to grow in their sophistication, and phishing campaigns, in particular, are causing concern as they make their way to employee inboxes. These fraudulent email campaigns (and phone calls too!) appear legitimate and take advantage of employees who are often too busy or simply unprepared to identify a scam. In either case, if the employee clicks a link, downloads an attachment or provides credentials or financial information to a hacker behind the scenes, it is a gateway to potentially very serious scenarios.
And these scams are working. A 2016 study by Verizon found that 30 percent of phishing emails are opened by the recipient. According to the FBI, spear-phishing campaigns between 2013 and 2015 cost companies more than $2 billion.
And while there are next-generation firewall protections and email security features and tools that act as security barriers against targeted attack emails, unfortunately, some of these emails are still going to get through and pose a threat to your firm’s security posture.
Due to changes in the cyber security landscape, traditional port-level firewalls are no longer effective at managing traffic. Malicious traffic can enter through any open port, which poses great risk to firm security. Next-generation firewalls go beyond port-based firewalls by adding application inspection and intrusion prevention. They can scan traffic as it enters and leaves the network, stopping potential threats in the process.
Eze Castle Integration is increasingly implementing Palo Alto next-generation firewalls for our hedge fund and alternative investment firm clients. Palo Alto is not only a next-generation firewall but also the market leader based upon ratings, support, pricing and overall performance. A Palo Alto firewall can detect what traffic is doing and immediately stop threats from spreading by distributing protections.
Unknown traffic is analyzed by Palo Alto WildFire, where new threats are identified and protections are developed at the same time. When an unknown threat is discovered, it is not only blocked but updates are sent to all global subscribers within five minutes so that they can stop it from spreading. Because of this feature, each threat and its variants are blocked without having to go through the analysis process again. WildFire also feeds its findings through a filter that allows any correlated threats to be blocked automatically.
Older port-based models do not detect what traffic is doing, which allows threats to port hop until they find an open port through which they can enter. Viruses are not port specific and can therefore use any port. Without analyzing what traffic is doing, threats can easily bypass a port-based model.
The current threat landscape is such that security threats are more likely to arise from within your network as opposed to external sources. Internal users opening malicious emails or becoming victims of phishing schemes are now preferred methods for attackers. The next generation capabilities of the Palo Alto firewalls allow for deep application level inspection to detect and thwart these threats from opening backdoors to your network.
Additional Advantages of Next Generation Firewalls
All-in-one functionality: Next-generation firewalls bundle traditional firewall functionality with intrusion prevention, antivirus and protocol filtering.
On occasion, hedge fund C-level execs don’t see eye to eye. It’s inevitable. One such topic of occasional discord is outsourced IT. Chief technology officers (CTOs), for example, are immersed in every level of technology, from applications to security to disaster recovery, and they have a vested interest in concerns from user experience to business continuity and beyond.
Meanwhile, chief financial officers (CFOs) must focus on the bottom line, factoring in the cost-benefit of new technologies and projects. Elsewhere in the C-suite, the chief operating officer (COO) is looking at opportunity costs and asking key questions such as: if the CTO is managing day-to-day IT “plumbing,” which strategic projects are getting pushed aside?
Following is an excerpt from a whitepaper we recently published looking at various C-level perspectives on IT outsourcing – including where certain executives may differ on its value, where those same executives can agree, and ultimately why outsourcing IT and using the cloud sets alternative investment firms up for success.
The cloud point-counterpoint
Based on investor comfort, the SEC’s increased scrutiny of cybersecurity practices and the impact of legislation like the Dodd-Frank Act, moving to private cloud services seems like a no-brainer. The cloud creates a far more cost-efficient and effective way for alternative investment firms to improve security and manage day-to-day IT demands. So why the conflict between CFOs/COOs and CTOs?
Total Control Comes with Risks
One reason for the conflict is that CTOs want to retain control, and understandably so. Outsourced security measures may seem opaque compared to the control they impart – it is tempting to believe that no third party could be as invested in system resiliency (i.e. disaster recovery) and security as the firm itself.
The reality is that most CTOs are so pressed for time and money that they cannot maintain complete control over their environments. The burden of ensuring continuous, reliable and secure operations is difficult even for large enterprises with vast time and budgets, and potentially insurmountable for smaller teams. Often only the largest firms can adequately invest in and manage the layers of security necessary to defend against growing cybersecurity threats.
In seeking to retain control, CTOs are limiting their options. Embracing the idea of cloud-based services expands the CTO’s team, provides greater redundancies and enables more cost efficiencies. Most importantly, it lets the CTO focus on priority IT projects that enhance and improve the company’s bottom line.
CTO’s Role is Evolving
Procuring, maintaining, testing and upgrading adequate technology on-premise is out of reach for most alternative investment firms. It is also becoming an antiquated strategy. Today’s progressive CTOs are increasingly drawing on cloud technology to create agile firms that can quickly deliver the applications users require.
CFOs/COOs must recognize the valuable business knowledge and insights the CTO can insert into functions including risk management, product development, operations and innovation. CTOs must understand where they can deliver functional results and utilize the cloud as an IT-enabler for the firm.
As the CTO’s role evolves, so does the entire IT team. Too often in-house IT teams are allocating valuable time to reacting to IT issues and troubleshooting rather than proactively solving user issues or addressing regulatory mandates.
Outsourcing Has a Track Record
CFOs and COOs have the advantage of positive experiences with outsourcing. Many have used third-party providers for functions like payroll, accounting or even hiring, so it’s not surprising that they tend to be more comfortable with bringing in cloud service providers to deliver more efficiencies and dedicate focus to revenue-producing activities.
Last month, BlackBerry introduced its final smartphone to the market, signifying the company’s strategic shift to focus on software. While Apple’s iPhones and Google’s Android devices continue to dominate the market, BlackBerry will finally pull back and remove itself from the competitive device landscape.
And while its last entrant to the race, the DTEK60, has much to offer in terms of encryption technology and security software, the outlook remains grim. To many, this has, perhaps, signaled the beginning of the end for BlackBerry. Thus, we take a glance back at what was once a hugely successful enterprise:
September 1996 – Research in Motion/RIM introduces its Inter@ctive Pager 900, a two-way paging device.
January 1999 – The first device with the name “BlackBerry”, the BlackBerry 850, hits the market as an email pager.
June 1999 – BlackBerry Enterprise Server (BES) is released for general availability. BES, at its height, was the de facto operating software solution for enterprise handheld communications.
There’s a lot of confusion across the industry about the difference between cybersecurity vulnerability assessments and penetration tests. A common reaction we hear is:
“You mean they aren’t the same thing?!”
Since we hear the two terms interchanged a lot, we thought it might be helpful to clear up some definitions and use cases for each. Let’s start with vulnerability assessments.
A vulnerability assessment is a discovery action used to identify and categorize potential exposures across your environment. The VA is a broad-spectrum effort designed to gauge your firm’s security posture with regard to external threats. (NOTE: Internal vulnerability assessments are also growing in frequency.)
Here’s what the vulnerability scanning process typically looks like:
1. Identify the systems, networks and infrastructure in scope.
2. Scan the networks to determine areas of vulnerability to external security threats.
3. Create a database of the known vulnerabilities found and classify each based on its severity.
4. Make recommendations for remediating the risks and vulnerabilities.
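To make the last two steps concrete, here is an added example (not Eze Castle Integration's tooling) that takes constructed scan findings, builds the vulnerability database with a CVSS-based severity classification, and ranks them into a remediation list. The hosts, services and vulnerability IDs are constructed placeholders, not real scan output or real CVE numbers.

```python
"""Triage of vulnerability-scan findings into a severity-ranked remediation
list. Added example; the findings and vulnerability IDs below are constructed
placeholders, not real scan output and not real CVE identifiers."""

# CVSS v3 qualitative severity bands (published rating scale): score floor -> label.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def severity(cvss: float) -> str:
    """Map a CVSS base score to its qualitative rating."""
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "None"


# Output of steps 1 and 2: one row per (host, port, service, finding). Constructed sample data.
SCAN_FINDINGS = [
    {"host": "10.0.0.5", "port": 443, "service": "https", "vuln": "VULN-PLACEHOLDER-1", "cvss": 9.8, "exposure": "external"},
    {"host": "10.0.0.5", "port": 22, "service": "ssh", "vuln": "VULN-PLACEHOLDER-2", "cvss": 5.3, "exposure": "external"},
    {"host": "10.0.0.7", "port": 3389, "service": "rdp", "vuln": "VULN-PLACEHOLDER-3", "cvss": 8.8, "exposure": "internal"},
    {"host": "10.0.0.8", "port": 3389, "service": "rdp", "vuln": "VULN-PLACEHOLDER-3", "cvss": 8.8, "exposure": "internal"},
    {"host": "10.0.0.9", "port": 80, "service": "http", "vuln": "VULN-PLACEHOLDER-4", "cvss": 8.8, "exposure": "external"},
    {"host": "10.0.0.9", "port": 80, "service": "http", "vuln": "VULN-PLACEHOLDER-5", "cvss": 2.1, "exposure": "external"},
]


def build_vulnerability_database(findings):
    """Step 3: group findings by vulnerability, attach a severity class, collect affected hosts."""
    db = {}
    for f in findings:
        entry = db.setdefault(
            f["vuln"], {"severity": severity(f["cvss"]), "cvss": f["cvss"], "hosts": set(), "external": False}
        )
        entry["hosts"].add(f"{f['host']}:{f['port']}/{f['service']}")
        # A vulnerability reachable from the Internet on any host counts as externally exposed.
        entry["external"] = entry["external"] or f["exposure"] == "external"
    return db


def remediation_plan(db):
    """Step 4: order by severity, then externally exposed first, then by number of affected hosts."""
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}
    ordered = sorted(
        db.items(),
        key=lambda kv: (rank[kv[1]["severity"]], not kv[1]["external"], -len(kv[1]["hosts"])),
    )
    return [(vid, e["severity"], sorted(e["hosts"])) for vid, e in ordered]


if __name__ == "__main__":
    for vid, sev, hosts in remediation_plan(build_vulnerability_database(SCAN_FINDINGS)):
        print(f"{sev:<8} {vid}  affects {', '.join(hosts)}")
```

The ranking puts an externally reachable High above an internal-only High with more hosts; adjust the sort key to match your own risk appetite.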
So how is penetration testing different?