HFMWeek: How important is it for employees to have an understanding of the range of cyber-threats that their business is susceptible to?
Grigoriy Milis (GM): Making sure employees are aware of cyber-threats is crucial. In analysing the largest security breaches that have occurred over the course of the last year, the majority of those breaches are due to human error of some kind. Security technology is only one part of the solution.
Yohan Kim (YK): Previously, due diligence focused on the technology that financial firms were implementing to secure their networks. In the latest version of the SEC’s regulations, however, there is more concern about the policies and training that firms have adopted. It’s important to reinforce processes and procedures that have been implemented and educate staff on the appropriate preventative measures. Training and policy implementation make up a large part of the latest SEC cyber-security initiative.
HFM: How should firms set up their internal security structures?
Michael Asher (MA): Historically, the issue of internal security has not been of major significance in the hedge fund community. Resources were not properly allocated and there was no internal team dedicated to preventing cyber-security tasks. Today, we see that firms are beginning to realise the importance of external and internal security.
Many firms rely on third-party consultants and experts who have a breadth and depth of industry experience documenting security policy and training. These firms understand best practices with regards to compiling security policies and can implement comprehensive staff training programmes to support these policies.
YK: When we look at the financial sector and hedge funds, the majority are not large entities that can dedicate a person to oversee their security. At many medium and smaller-sized funds, we often see a hybrid solution where a chief technology officer and a compliance officer will share responsibilities.
GM: Compliance has to be a big part of any company’s cyber-security procedures. When we discuss cyber-security, the conversation isn’t limited to external threats or intrusions. We need to think about potential internal threats as well. A compliance team can play a very important role in helping to deal with potential internal threats or data loss. The compliance process, especially in the financial industry, is increasingly concerned with the propensity for internal attacks.
If you break down the cyber-security mechanisms that companies typically have in place, the technology implementation falls under the IT department’s umbrella. However, the IT department is not in a position to identify what data has to be protected. They need guidance regarding the specifics of the data they are protecting and that is where a compliance department comes into the picture. By definition, the compliance team will have knowledge of every company department along with an understanding of what confidential or sensitive data the business possesses. Companies that have the capacity for a compliance unit can often create a good partnership with the IT department to define the policies and procedures the company needs to implement.
Also, since the compliance team deals with the governance of various communication operations within the company, they already possess certain tools that allow them to monitor employee behaviour. These tools can often be transferred to assist with security solutions.
Together with the IT department, the compliance team can play a vital role not just in writing security policies, but also by participating in the day-to-day monitoring of procedures to make sure they are followed.
HFM: Do companies overlook the importance of human factors in their cyber-security programs?
MA: Absolutely. For many firms, there needs to be a balance between the ability to allow your users to have freedom while at the same time implementing technology and policies that will monitor their activity and limit user exposure to potential malware and phishing attempts.
Although such security policies and technologies are becoming more common and standardised across the industry, we sometimes see a pushback from firms that value employee independence. It is important to work with these firms on creating the right mix of access to data and resources while preventing security breaches.
GM: The hedge fund industry is not what it used to be five or six years ago. The industry would often reject any policies or procedures related to security but we have seen a steady change in this attitude over time.
Virtually everyone in the industry has become aware of what a security breach can do to their company. Firms are starting to operate on an enterprise level, realising that they could lose their competitive edge if they lose company data.
HFM: How important are the new SEC guidelines in improving company and employee awareness?
YK: The purpose behind the SEC’s cyber-security initiative is to raise the level of awareness to a point where the majority of funds are mindful of the importance of these guidelines and will implement the required security precautions, both from a technology and procedure perspective.
I would say there are three goals in security management: confidentiality of information, integrity of information and availability of resources. If a firm is operating in the digital world, security management is required in order to achieve these three objectives.
MA: As we see with any other type of training or procedural change, there has to be an ongoing cycle of improvement. If a security policy is created simply to satisfy a checkmark on a compliance manual, the internal attitude towards such policies will be that they are not important, thereby greatly diminishing their effectiveness. Security management has to be a thoughtful, ongoing process that involves everyone. When we analyse the most common types of breaches, the targets are frequently low-level employees with minimal training who can unwittingly facilitate an attack by clicking on a link or answering the phone and revealing confidential information. Security management has to cover everyone from interns to administrative staff to top-level employees.
GM: I think that the SEC guidelines are very helpful in encouraging companies to address their lack of security knowledge and understanding. Since the SEC has compiled cyber-security best practices covering aspects from technological to procedural, the industry has become much more supportive of reform as well as increasingly aware of what guidelines they need to implement.
Financial services professionals are starting to realise that cyber-security is a continuous war between the data owners and those who want to gain illicit access to that data. No matter how technology develops, there will always be counter-technology created. Employees need to be educated so they can be the first line of defence.
People Power (HFMWeek, June 2014)
TECHNOLOGY ADVISORY FIRM RICHARD FLEISCHMAN & ASSOCIATES OUTLINES THE IMPORTANCE OF WORKFORCE AWARENESS AND THE NEED FOR EXPERT PERSONNEL WHEN TACKLING CYBER-SECURITY THREATS