Risk Assessment - Keeping Cyber Bully Away

Paul Ernst, CIO, Sandler Capital Management

Two roads diverged in a wood, I took the one less travelled by, and that has made all the difference.” – Robert Frost

This sounds like a great way to mitigate risk in some instances, but in today’s advanced, technology-driven capital markets, it’s all about who gets there first. Every day, companies invest capi­tal into their network infrastructure to ensure that they receive real-time information and best execution on their trades–per­haps just nano seconds faster than their peers. While the goal for many firms is to build the ultimate shortcut, we can’t cut corners when it comes to security. As CIOs and CTOs, our goal is to ultimately reduce the risk profile of our companies.

Risk Assessment

The risk assessment is the all-encompassing identification of risk across the enterprise, and the subsequent determination of an acceptable level. While companies use different methodolo­gies when performing an assessment, it is generally a combina­tion of the following:

- Policy development and review

- Gap analysis

- Security assessment and penetration testing

- Vendor assessment and due diligence

- Employee awareness and training

Large companies will likely have an internal team to han­dle this, but for many of us in the hedge fund space, I find it best to engage a third party to perform the risk assessment. There are a number of excellent firms that provide this ser­vice, and while not cheap, I am very comfortable spending the money to have an expert with an objective eye to analyze my operations and make the appropriate recommendations.

 ​It is absolutely essential to realize the threats that we face or else we have no chance of stopping them 

While you may have solid policies already in place, valida­tion is crucial. One misstep can throw off an entire incident response plan, or perhaps, you might be missing a critical ele­ment of a vendor assessment. Firms have been made increas­ingly aware that they are still responsible for investors’ data even if it resides with a third party. As the trend of enhanced scrutiny by investors and regulatory agencies will undoubtedly increase, a formal independent risk assessment is more likely to become a requirement at some point, rather than an option.

Perimeter and Endpoint Protection

Tune into any mainstream news media outlet on a given day, and you will al­most certainly encounter a number of headlines regarding massive company data breaches, nation-state hacking and reports of new ransomware variants. As these cyberattacks continue to escalate, so do our security budgets.

Financial companies need to imple­ment a scalable security solution that not only protects the perimeter, but also propagates down to every last endpoint. This list is by no means exhaustive, but a hybrid of next-generation firewalls, intru­sion detection/prevention (there are some excellent third-party SOCs for smaller to mid-sized companies that don’t staff their own), multi-factor authentication, encryption, patch management, backup, web fil­tering, unified mail security products as well as endpoint access and control platforms should all be deployed through­out the organization.

Employee Awareness/Training

The adage may be a tired one, but none is truer than ‘your employees are your biggest threat’. While deliberate acts by an employee are cause for concern, those aren’t the ones that keep me up at night. It’s the other ones. It’s the ones where employees open email attachments from unknown senders and click links in emails supposedly from UPS and FedEx. It’s the untrained ones.

In my opinion, it’s not an accurate or comprehensive risk assessment un­less it involves thorough and continuous employee awareness and training. While the format should be highly tailored to the company size and culture, general training sessions should be held regu­larly. As new threats evolve, so should employee awareness.

One highly effective component of security awareness is phishing and social engineering tests. Prior to a seminar, run a phishing campaign and share the results with the attendees. There’s no benefit to individually calling anyone out in public, but be assured that this is one area that will command their attention, so embrace it. After the meeting, run another campaign. And in a month, run another campaign. Of course this is pointless, if you don’t then train those employees based on their results. Statistics have shown a very high success rate training with this method.

Educate Yourself

“I am always doing that which I cannot do, in order that I may learn how to do it.” – Pablo Picasso

While the first three topics are fairly common across the industry, I seldom see this final one in this context. Every so of­ten, I like to take a step back and take a look at my own performance-let’s call this my own personal gap analysis if you will. In our industry, it is absolutely essential to realize the threats that we face or else we have no chance of stopping them.

Granted, I don’t have the time to keep up to date with every technology in every publication, but what I have found to be incredibly beneficial, is peer net­working. I’ve come across a wealth of instantly actionable information just by joining peer groups and attending indus­try events.

Finally, while I simply don’t have the bandwidth to address all of the sales pitches that are sent my way; I do find value in building meaningful relation­ships with a handful of vendors and in­tegrators. I consider them to be a great source of knowledge on today’s security trends and products, and they are always anxious to educate me. So don’t be afraid to return that sales call. You might be surprised.