Social Media a Potential Cybersecurity Weak Link for Hedge Fund Managers

Over the last 12 months there has been enormous media coverage of cybersecurity, and seemingly endless headlines. Anyone could be forgiven for thinking the end of the world was nigh.
It was therefore a refreshing change for hedge fund managers to attend a recent lunch event hosted by Intralinks that attempted to cut through the white noise and outline a sensible approach to establishing a robust cybersecurity program.
Hedge funds are looking for a way to navigate through the issues sensibly, and proportionately, based on their size. One of the first points raised in the cybersecurity panel, which took place at the Reform Club in London on Tuesday 15 September, was the need for managers to protect the fund’s “crown jewels”.
Thomas Deinet, CEO of the Hedge Fund Standards Board, was one of four panellists; the others were George Ralph, Managing Director at Richard Fleischman & Associates, Matthew Martindale, Director in KPMG’s cybersecurity team, and Richard Anstey (pictured), CTO of Intralinks in Europe. Deinet stressed that cybersecurity needs to be treated as a business issue, not solely an IT issue, and that senior management must collectively agree on which assets are the most sensitive and need protecting. This could be trading algorithms for systematic CTAs and quantitative funds, trading research for global macro funds, and so on.
Once the crown jewels have been identified, the next step is to move into the practical area of determining which quick fixes managers can undertake.
“These should include such things as emergency contingency plans, staff training and certification, and should be kept up-to-date as part of an ongoing exercise,” said Deinet. “One part of that is to develop a cybersecurity emergency contingency plan that can help managers to firstly think through the cybersecurity threats and then secondly to know what to do – and what steps to take – if and when a breach takes place.”
Ultimately, the success of any cybersecurity program hinges on data management. As the panel pointed out, every other aspect of the program, from vendor due diligence to internal staff training and enhancing the business continuity plan, is predicated on having properly identified the most sensitive elements of the fund.
Social media, and the growing risk of social engineering, were a particularly interesting aspect of the panel discussion. As George Ralph observed, social engineers are cyber criminals who exploit the one weakness found in every organisation: human psychology. According to Ralph:

48 per cent of enterprises have been victims of these attack types
86 per cent of IT professionals are aware of the risks associated with social engineering
75 per cent is the success rate of social engineering phone calls to businesses
“Security should be discussed regularly and not just included in the firm’s contractual policies and then forgotten about. I always tell my clients that the first step in raising employee awareness is simply to implement a cybersecurity culture by making staff ‘expect’ an attack. It goes hand in hand with the saying ‘plan for the worst, hope for the best’,” said Ralph.
He went on to say that the five typical social engineering exploits are:
Stealing Passwords – using a social networking profile to work out somebody’s password using the password reminder question
Pretexting or Friending – the hacker gains your trust to get you to click on a link or an attachment to exploit system weaknesses; or, in a physical sense, they may pose as an external IT auditor to manipulate the building security staff into letting them in.
Phishing – incorporates threats, fear and a sense of urgency, often via email, in an attempt to manipulate the user into acting promptly.
Baiting – similar to Phishing and Pretexting but involves the promise of items or goods. Baiters may offer free music or movie downloads if the user surrenders their login credentials to a certain site.
Tailgating – involves someone who lacks proper authentication following an employee into a restricted area. The attacker asks the employee to hold the door, thereby gaining access.
Martindale observed that fund managers are potentially at risk if they don’t embrace social media, such as by establishing a Twitter account, because they run the risk of someone setting up a bogus account in their name. This could lead to reputational damage if malicious messages are posted, or if someone deliberately writes something that could impact the markets. On the use of social media, and the importance of staff training, Martindale said:
“We run a series of simulated cyber exercises to help our clients prepare for a potential cyber breach, and one of those often used is where we say that the Manager’s Twitter account has been compromised.” He went on to explain that the KPMG team were able to use LinkedIn to build, step by step, the internal infrastructure (organisational chart) of a firm:
“A search engine is an attacker’s best friend as they prepare to launch an attack on an organisation. Social media sites store a wealth of personal information about individuals – from their employer and job description through to their key skills and areas of specialism. Attackers can collate and analyse this information to gain a greater understanding about an organisation’s key lines of business through to the technology and systems in use.”
The reason for highlighting social media, as part of a successful cybersecurity program, in this blog is precisely because it is something that most managers will overlook. But if a proper social media and staff training policy is not established, such that all hedge fund staff know what best practices to adopt, the results can be disastrous.
One aspect of this is something known as the Advanced Persistent Threat: a “slow and low” approach undertaken by crime groups that infiltrate the internal network – be it a hedge fund or any other business entity – and patiently sit, monitor and observe activity: keystrokes, key words in emails, and who the different personnel are.
By using that information, hackers can pivot across different systems within the network. Over the long term, the cyber group essentially gains remote control over the network and is able to work out how best to extract value from the target organisation.
In a recent KPMG survey, nearly 79 per cent of institutional investors said they would be concerned about their investments if any of their managers suffered a cyber breach.
There was broad agreement across the panel that poor staff training, especially in relation to social media, could represent a weak link in even the most robust cybersecurity programs.