Every fund manager knows that the risks of cyber attacks impacting the way they do business are exponentially rising. For some managers, knowing the proper approach to cybersecurity, within the limits of available resources and budget, can feel disorientating.
To overcome this, firms are best advised to think about taking a layered approach to building a robust cybersecurity posture. Eze Castle Integration refers to three tiers, with Tier 0 representing the most basic must-have protections. The next level up, Tier 1, is a standard framework that builds on the basics of Tier 0 and incorporates additional enhanced features and employee security awareness training; presently, this is where most investment managers fit.
The third, Tier 2, is considered an advanced tier and features state-of-the-art progressive tools, next generation firewalls and puts managers in the best possible light with institutional investors.
Each layer of the pyramid includes a number of measures that fund managers must have in place to handle a cyber attack. These can be broken down into four components:
- Perimeter & Network Security
- Access Control Measures
- Policies & Procedures
- Employee/User Behaviour
1. Perimeter & Network Security
Tier 0:
For any fund manager to stand the chance of thwarting a cyber attack, they will need to ensure that firewalls are installed along with anti-virus software and software patching. Software patching should be part of a firm’s ongoing IT management. As a best practice, this will prevent software vulnerabilities from potentially being exploited by threat actors.
These tools will go some way to protecting a firm’s perimeter from low-level attacks and prevent unwanted spam.
Tier 1:
Tier 1 security builds on the above by introducing greater network access control beyond reliance on standard firewalls and anti-virus software. It also focuses on enhanced email security features to protect sensitive information. These features often include targeted attack protection, attachment scanning and encryption.
Tier 2:
Mid-sized and large asset management firms wishing to demonstrate their commitment to the best and most advanced security measures are finding that through IT outsourcing as are smaller managers who seek fully managed protection.
Building on anti-virus software and patch management software, enhanced email security and network access control, Tier 2 Perimeter & Network Security will also utilize next-generation firewalls, allowing firms to filter network traffic by application and implement additional security protocols to keep harmful traffic at bay.
Some advantages to next-generation firewalls include:
•All-in-one functionality
•Greater visibility and control
•Simplified management
•Better security
•Lower total cost of ownership
2. Access Control Measures
Tier 0:
With employees increasingly working remotely, either from home or on work trips, perimeter security extends way beyond the four walls of the office. As such, the way that people access data needs to be as secure as possible. Eze Castle recommends Citrix as a tool for secure remote access when logging in to use work applications on the move. Another option is the use of Virtual Private Networks (VPN), giving employees a “remote desktop” that allows them to use any applications on the work computer’s server.
Tier 1:
The next layer of security is to employ a mobile device management (MDM) solution. This will ensure that an administrator is able to set and control protocols and guidelines in terms of what level of access employees have to company/investor information on smartphones and other mobile devices. This is particularly important for asset managers who use a “Bring Your Own Device” policy.
Tier 2:
Multi-factor authentication builds on the above to give firms top-line access control. This is growing in popularity, especially among those who wish to control how employees access information on the cloud. Multi-factor authentication requires the end-user to verify credentials and prove that they are who they say they are. As Eze Castle points out, there are three types of multi-factor authentication:
•Knowledge-based (e.g. security questions)
•Possession-based (e.g. cryptocard, authentication app on mobile device)
•Inherence-based (e.g. fingerprint, biometric scan)
As well as multi-factor authentication, there are a number of advanced technologies that Tier 2 firms might seek to utilize. These will typically include intrusion detection and prevention systems, which monitor one’s network and prevent threats from taking hold, using encryption tools for data at rest, and also data loss prevention software to prevent sensitive information from being sent outside the network perimeter.
3. Policies & Procedures
Tier 0:
Although policies tend to be perceived as rather dry and mundane, in respect of cybersecurity they are the central nerve system of a firm’s cyber risk management program. As a basic requirement, even if an asset manager has no other policies it should establish an Acceptable Use policy for employees, with respect to network access, system logins, Internet usage and so on.
Eze Castle also advises that the “principal of least privilege” is applied. In short, this dictates that only those who need access to certain systems and data are granted such access.
Tier 1:
In addition to having an Acceptable Use policy and principal of least privilege, Tier 1 firms will have various policy documents that include a written information security policy (WISP), a Business Continuity Plan (BCP) and an Incident Response Policy. The WISP document what data a firm has, where it is stored, and who has access to it, while a BCP outlines how the firm will maintain a business as usual stance in the event that a cyber breach has occurred.
The Incident Response Policy should explain what steps the firm will take to mitigate the situation, who the key personnel will be and what their roles are. It should also detail how and when to notify investors and key service providers.
4. Employee/User Behaviour
Tier 0:
No matter how limited one’s budget, a simple cybersecurity defence posture can easily be achieved by applying strong password enforcement. People are often the weakest link, no matter the technology and processes in place. Ideally, fund managers should prompt employees to change their passwords every 90 days using a combination of upper and lowercase letters and special characters. Limitations on the use of personal information within passwords are advisable.
Tier 1:
Building on the best practice of strong password usage, the next layer of security asset managers can apply to their cyber preparedness is training and education. This will help to keep them abreast of new cyber threats and, importantly, to understand the firm’s policies and procedures in the event of an attack. This commitment to ongoing training can make a significant difference to remaining as secure as possible.
Tier 2:
The third layer to consider in ensuring your firm’s information is kept out of the hands of nefarious sources is to conduct periodic phishing simulation exercises. These will help to test and train employees to identify and act upon potentially harmful email threats entering the network. These exercises are a good way of building on the training and education aspect and are relatively inexpensive to run. Moreover, by conducting these exercises randomly, employees will be kept on their toes, allowing firms to benchmark the efficacy of their staff using a range of different simulations.
The above examples demonstrate that firms need not be overawed by the expense and complexity of becoming cyber secure. Starting from a basic level, fund managers can evolve their technology tools and policies as the business grows and the potential threats grow. All the while, demonstrating to investors that they are committed to establishing best practices when and where possible.
