Most of Agio’s new and prospective hedge fund clients understand they are firmly on the target map for cyber-criminals and they have the best intentions with respect to cybersecurity, but we’ve also noticed that many funds suffer from the same cybersecurity misconceptions.
Correcting misconceptions, and avoiding the risk that comes along with them, is fundamental to implementing efficient and effective cybersecurity controls for the firm. Below are three of the most common misconceptions we see at our new or prospective hedge fund clients.
1. Cybersecurity is an IT issue, not a firm-wide issue
If your firm is like most today, it's implemented multiple forms of protective perimeter technology to keep the bad actors out. Next-Gen firewalls, IDS/IPS, VPNs, multi-factor authentication – the list goes on and on. Today's cybercriminals fully understand this and have adjusted their tactics accordingly – they know that exploiting your technology is no longer the cheapest, fastest, and easiest path to the firm's sensitive systems and data. They know it's now much more effective to go after your end-users with targeted social engineering attacks.
Targeted social engineering attacks are most often spear-phishing emails custom-crafted to be particularly appealing to the target(s). These spear-phishing emails are most often informed by open source intelligence – the cybercriminals scour targets’ social media accounts and other sources of publicly available information and use that data to craft particularly compelling phishing emails. Spear-phishing emails purporting to be from alumni associations, running clubs, volunteer organizations, charities, and children’s schools are common, and are nearly always informed by the targets’ recent social media posts.
Other forms of targeted social engineering attacks include direct phone calls and attempts to gain unauthorized physical entry into offices, home offices, or other sensitive areas. And if you hold a title that implies you may be a party to the funds transfer process, you are the most common target of these social engineering attacks at our hedge fund clients.
Educating all of your users is a key part of securing your firm. Your users need to understand how cyber-criminals are targeting them, how bad actors are using their social media posts to craft targeted social engineering attacks, how to identify those social engineering attacks, and what to do when it happens.
2. If we can detect it, we don’t need to correct it
Would you trust your life savings to a bank that told you they don't need a vault or locks on the doors because they have security cameras? Not a chance, right? Why, then, would investors entrust their capital to a firm applying the same philosophy toward cybersecurity?
Believe it or not, we sometimes hear the "if we can detect it, we don't need to correct it" cybersecurity argument from hedge funds. Consistently reliable visibility of traffic into, out of, and within the firm's network is invaluable for identifying potentially malicious activity and providing actionable cybersecurity intelligence, as is the ability to receive alerts on potentially malicious activity such as privilege escalation, failed login attempts, and access to or exfiltration of sensitive data. However, the firm's cybersecurity responsibilities don't stop there.
Investors, and regulators, have very reasonable additional expectations with respect to how the firm is protecting its sensitive systems and data. The SEC lists 6 areas of focus and 28 areas of interest in its cybersecurity Risk Alerts. While some of those do require monitoring and alerting, the vast majority require the implementation of cybersecurity controls like those outlined in the NIST Cybersecurity Framework. Preventative or proactive controls such as identity and access management, strong user access credentials, controls to limit lateral movement within the network, established and tested incident response procedures, up-to-date cybersecurity policy and procedure documents, and myriad other controls are required. While typically not as comprehensive as SEC requirements, most investor due diligence questionnaires received by Agio’s hedge fund clients require similar controls.
Having visibility of potentially malicious activity, while vitally important, is no longer adequate to meet the firm’s cybersecurity obligations. From the perspective of investors and regulators, it’s very clear that the firm’s cybersecurity responsibilities extend well beyond simply monitoring and alerting.
3. Technology alone makes the firm secure
Protective technology is vitally important – don't get me wrong. Next-Gen firewalls, IDS/IPS, SIEM systems, end-point protection applications, etc. are all vital components of a functional and effective cybersecurity governance regimen. However, technology alone is only 1/3 of the formula for effective cybersecurity. A mature cybersecurity governance regimen addresses the firm's people, process, and technology.
Often, we encounter new hedge fund cybersecurity clients that invest in the latest protective technologies but fail to properly implement or configure them. Agio's technical testers often identify basic misconfigurations that allow them to bypass protective technologies quickly, easily, and with relatively unsophisticated attacks. What good is that Next-Gen firewall if you've got vulnerable protocols globally accessible from the internet, or systems on the production network reachable from your poorly protected guest wireless network? What good is the firm's new end-point protection application if end-users (and bad actors) can modify its configuration or turn it off? What good is that SIEM system if you're not alerting on potentially malicious activity like privilege escalation, failed login attempts, and access to or exfiltration of sensitive data?
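As an added illustration (not Agio's tooling or any SIEM product's rule syntax) of the alerting the SIEM question above is asking for, here is a small Python detector that flags the three categories named in the text over constructed log lines; the key=value log format, the failed-login threshold, and the group and path names are assumptions.

```python
from collections import Counter

# Constructed sample events (not from any real system). The key=value format
# and the event names are assumptions for this example.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 host=wks-17 user=jdoe event=login_failed
2024-05-01T09:00:03 host=wks-17 user=jdoe event=login_failed
2024-05-01T09:00:05 host=wks-17 user=jdoe event=login_failed
2024-05-01T09:00:07 host=wks-17 user=jdoe event=login_failed
2024-05-01T09:00:09 host=wks-17 user=jdoe event=login_failed
2024-05-01T09:01:00 host=wks-17 user=jdoe event=login_ok
2024-05-01T09:02:10 host=wks-17 user=jdoe event=group_add group=Administrators
2024-05-01T09:03:30 host=fs-01 user=jdoe event=file_read path=/finance/wires/Q2.xlsx
2024-05-01T09:04:00 host=fs-01 user=asmith event=file_read path=/shared/lunch-menu.pdf
"""

FAILED_LOGIN_THRESHOLD = 5                 # assumption: tune per firm
PRIVILEGED_GROUPS = {"Administrators"}     # assumption: groups that confer admin rights
SENSITIVE_PATH_PREFIXES = ("/finance/",)   # assumption: where sensitive data lives

def parse_event(line):
    """Turn one 'ts key=value ...' line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        event[key] = value
    return event

def detect(log_text):
    """Return (rule, user, host, detail) tuples for the three alert categories."""
    alerts, failed = [], Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        user, host, kind = ev.get("user"), ev.get("host"), ev.get("event")
        if kind == "login_failed":
            failed[(user, host)] += 1
            if failed[(user, host)] == FAILED_LOGIN_THRESHOLD:  # fire once per burst
                alerts.append(("repeated_failed_login", user, host, f"{FAILED_LOGIN_THRESHOLD} failures"))
        elif kind == "group_add" and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privilege_escalation", user, host, ev["group"]))
        elif kind == "file_read" and ev.get("path", "").startswith(SENSITIVE_PATH_PREFIXES):
            alerts.append(("sensitive_data_access", user, host, ev["path"]))
    return alerts
```

Running `detect(SAMPLE_LOGS)` yields one alert per category for the same user, which is exactly the chain a responder would want surfaced together rather than buried in raw logs.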
Agio also often encounters new hedge fund cybersecurity clients that have solid technical implementations but lack the governance policies and user education needed to achieve effective control of cybersecurity. What good are your IDS/IPS and SIEM if the firm can't properly prioritize its response to an event or incident, hasn't defined the response workflows, or the firm's responders can't reach the appropriate decision makers? What good are the firm's cybersecurity protocols if policy permits the use of weak or easily crackable passwords? What good are any of the firm's controls if users aren't educated well enough to understand their roles and responsibilities with respect to the firm's cybersecurity?
Regardless of hedge fund size, complexity, or the nature of its operations, Agio often encounters variants of these common cybersecurity misconceptions at our new and/or prospective hedge fund clients. If your fund isn’t fully addressing all aspects of its people, process, and technology, then you have gaps in your cybersecurity governance regimen. Agio can help eliminate those gaps. Contact us.