Risk Assessment - Keeping Cyber Bully Away

Paul Ernst, CIO, Sandler Capital Management

Paul Ernst, CIO, Sandler Capital Management

Two roads diverged in a wood, I took the one less travelled by, and that has made all the difference.” – Robert Frost

This sounds like a great way to mitigate risk in some instances, but in today’s advanced, technology-driven capital markets, it’s all about who gets there first. Every day, companies invest capi­tal into their network infrastructure to ensure that they receive real-time information and best execution on their trades–per­haps just nano seconds faster than their peers. While the goal for many firms is to build the ultimate shortcut, we can’t cut corners when it comes to security. As CIOs and CTOs, our goal is to ultimately reduce the risk profile of our companies.

Risk Assessment

The risk assessment is the all-encompassing identification of risk across the enterprise, and the subsequent determination of an acceptable level. While companies use different methodolo­gies when performing an assessment, it is generally a combina­tion of the following:

- Policy development and review

- Gap analysis

- Security assessment and penetration testing

- Vendor assessment and due diligence

- Employee awareness and training

"It is absolutely essential to realize the threats that we face or else we have no chance of stopping them"

Large companies will likely have an internal team to han­dle this, but for many of us in the hedge fund space, I find it best to engage a third party to perform the risk assessment. There are a number of excellent firms that provide this ser­vice, and while not cheap, I am very comfortable spending the money to have an expert with an objective eye to analyze my operations and make the appropriate recommendations.

While you may have solid policies already in place, valida­tion is crucial. One misstep can throw off an entire incident response plan, or perhaps, you might be missing a critical ele­ment of a vendor assessment. Firms have been made increas­ingly aware that they are still responsible for investors’ data even if it resides with a third party. As the trend of enhanced scrutiny by investors and regulatory agencies will undoubtedly increase, a formal independent risk assessment is more likely to become a requirement at some point, rather than an option.

Perimeter and Endpoint Protection

Tune into any mainstream news media outlet on a given day, and you will al­most certainly encounter a number of headlines regarding massive company data breaches, nation-state hacking and reports of new ransomware variants. As these cyberattacks continue to escalate, so do our security budgets.

Financial companies need to imple­ment a scalable security solution that not only protects the perimeter, but also propagates down to every last endpoint. This list is by no means exhaustive, but a hybrid of next-generation firewalls, intru­sion detection/prevention (there are some excellent third-party SOCs for smaller to mid-sized companies that don’t staff their own), multi-factor authentication, encryption, patch management, backup, web fil­tering, unified mail security products as well as endpoint access and control platforms should all be deployed through­out the organization.

Employee Awareness/Training

The adage may be a tired one, but none is truer than ‘your employees are your biggest threat’. While deliberate acts by an employee are cause for concern, those aren’t the ones that keep me up at night. It’s the other ones. It’s the ones where employees open email attachments from unknown senders and click links in emails supposedly from UPS and FedEx. It’s the untrained ones.

In my opinion, it’s not an accurate or comprehensive risk assessment un­less it involves thorough and continuous employee awareness and training. While the format should be highly tailored to the company size and culture, general training sessions should be held regu­larly. As new threats evolve, so should employee awareness.

One highly effective component of security awareness is phishing and social engineering tests. Prior to a seminar, run a phishing campaign and share the results with the attendees. There’s no benefit to individually calling anyone out in public, but be assured that this is one area that will command their attention, so embrace it. After the meeting, run another campaign. And in a month, run another campaign. Of course this is pointless, if you don’t then train those employees based on their results. Statistics have shown a very high success rate training with this method.

Educate Yourself

“I am always doing that which I cannot do, in order that I may learn how to do it.” – Pablo Picasso

While the first three topics are fairly common across the industry, I seldom see this final one in this context. Every so of­ten, I like to take a step back and take a look at my own performance-let’s call this my own personal gap analysis if you will. In our industry, it is absolutely essential to realize the threats that we face or else we have no chance of stopping them.

Granted, I don’t have the time to keep up to date with every technology in every publication, but what I have found to be incredibly beneficial, is peer net­working. I’ve come across a wealth of instantly actionable information just by joining peer groups and attending indus­try events.

Finally, while I simply don’t have the bandwidth to address all of the sales pitches that are sent my way; I do find value in building meaningful relation­ships with a handful of vendors and in­tegrators. I consider them to be a great source of knowledge on today’s security trends and products, and they are always anxious to educate me. So don’t be afraid to return that sales call. You might be surprised.

Read Also

Building a Comprehensive Industrial Cyber Security Program

Building a Comprehensive Industrial Cyber Security Program

Mohamad Mahjoub, CISO, Veolia Middle East
Bolstering Cybersecurity

Bolstering Cybersecurity

Amr Taman, Chief Information Security Officer, Al Ahli Bank of Kuwait
Building Untrusted Networks to Improve Security

Building Untrusted Networks to Improve Security

Earl Duby, Vice President and CISO, Lear
Security challenges that companies face when implementing telehealth and the solutions and best practices for managing the risks

Security challenges that companies face when implementing...

Stefan Richards, Chief Information Security Officer, CorVel Corporation
Building Cyber Resilience during Covid-19

Building Cyber Resilience during Covid-19

Aleksandar Radosavljevic, Global Chief Information Security Officer, STADA
IAM may help secure data, but it needs to be protected as well

IAM may help secure data, but it needs to be protected as well

Marc Ashworth, Chief Information Security Office, First Bank