Every business is a potential victim of cybercriminals, however, those in the financial services sector such as hedge funds are frequently prime targets for hackers whose motives range from espionage, fraud, insider theft or sabotage, and even fun. The troves of sensitive data on investment capital from high-net-worth investors and individuals is all the motivation hackers need to breach your IT environment. It is therefore unsurprising that financial services firms are 300 times more likely to be targeted than companies in other industries, according to Boston Consulting Group. Hedge funds cannot afford to overlook these risks and must prioritise cybersecurity by implementing key controls of the Cyber Essentials Scheme.
For hedge funds, cyber risks could include from a denial of service, an attack that prevents organisations from conducting businesses, halt their ability to complete trades or the diversion of funds to criminal accounts. Cyber risk for hedge funds could also range from fraud to stolen data relating to trading, portfolio, finances or investors. Whatever form it takes, a cyber breach can result in reputational damage and ultimately, a loss of investor’s confidence and financial damage.
Hedge funds cannot afford to pay lip service to Cybersecurity. It is imperative that they stay ahead of cybercriminals by continually measuring the effectiveness of their IT security infrastructure against growing threats that target them, enforcing access policies and maintaining high defences.
Where is Cyber Essentials?
As a compliance manager working in a hedge fund, a good place to start is the Cyber Essentials Scheme, an assessment by a 3rd party based on guidance from the UK National Cyber Security Centre (NCSC), a government funded organisation dedicated to protecting the interests of UK businesses. This effective framework sets out basic technical controls that will protect organisations against cyberattacks. The certification has two different levels -The Cyber Essentials and Cyber Essentials Plus. Cyber Essentials focuses on 5 areas. They include:
- User Access Controls
- Patch Management
- Security Configuration
- Malware Management
This can be summarised as, do you have internal policies that dictate how staff should work with data, are security systems in place and are all the systems you have in place covered by a third-party support and patching agreements?
Of all 5, patch management can be the most challenging. It encompasses critical questions around 3rd party software updates, system updates, supported operating systems, and software licensing. How do you manage your software? Are all your systems up-to-date or are there critical vulnerabilities to your network? Do you have supported operating systems on the network or does your organisation still use Windows 7 or Windows server 2008? If your answer to any of these questions is no, you need to immediately reassess your IT security infrastructure.
In a building, a firewall prevents or inhibits the spread of fire, a firewall, in the computing sense, offers the first line of defence in network security system.
A computer or network firewall is a security system designed to prevent unauthorised access in or out of your systems perimeter. It also secures your computer from malicious software, creating a barrier between untrusted outside networks and your secured internal networks. An absence of a firewall or a breach means that any program or individual can enter, and access data and send to an external system. Does your organisation have any “holes” in its firewall such as open ports, or firewall rules that are no longer required, e.g., because a legacy system has been decommissioned? Is there a managed change process in place if you are going to open ports on your firewall? Who authorises the changes? Is there a documented process? Is admin access strictly restricted to specific IP addresses?
Malware is a code or a file that infects and provides remote access for an attacker to investigate the infected user’s computer and network resources, send spurious emails from infected machine to unsuspecting targets, and steal sensitive data.
Malware protection prevents execution of untrusted software and known malware. It also prevents harmful code from accessing sensitive information or causing damage. Is there an anti-virus software installed on all machines? Does the anti-virus software update itself regularly with the latest signatures? Are all new files automatically scanned upon access? Does your software automatically scan web pages when accessed through a web browser and prevent connections to malicious websites? Do you deploy application whitelisting and sandboxing?
User Access Control
User management is an intrinsic control of the Cyber Essential Scheme. It simply refers to the management of user accounts, particularly accounts with special access privileges to protect against unauthorised access and misuse. Organisations that fail to implement an effective user access control policy, risk exposing their networks, applications and computer to hackers. Critical questions you may want to answer include:
- Does your organisation have a policy for handling leavers and joiners’ user accounts?
- Do you have separate account for regular tasks, or do you use network and system administrator user accounts for non-administrator activities?
- Are user account access privileges reviewed regularly?
- Do you have an effective policy for setting user permissions?
- Can only successfully authenticated user accounts access computers, applications and network?
Failure to manage user access control doesn’t solely expose your networks and computer to hackers, it may also lead to employee deliberately accessing and misusing data they shouldn’t be authorised to see.
One of the most common gaps hackers exploit to detect vulnerabilities are secure misconfigurations. Secure configuration management identifies these misconfigurations.
Secure configurations are measures that are implemented when installing or building network devices and computers to reduce cyber vulnerabilities. Does your organisation have a password policy? How effective is it? Do you deploy multi-factor authentication for staff as an added layer of protection? Do you disable unnecessary user accounts on company system? Do you change the default login details on network devices? Are auto-run features that allows file execution without user authorisation disabled?
Getting started with cybersecurity can be a daunting especially if you lack technical IT skills. Tivarri’s Cranberry Cloud exists to simplify this process by providing managed IT security services as part of our hosted desktop solution.
Tivarri’s Cranberry Cloud is FCA and ISO 270001 compliant, the basis for due diligence and meet key customer requirements including accessibility, enhanced security, data loss prevention and business continuity measures. However, you don’t need to be an existing Tivarri customer to access our services, our consultants can help you achieve both Cyber Essentials and Cyber Essentials Plus with your existing systems.
If you want to learn more about how to develop cyber resilience for your hedge fund, contact us for more details.