By Jonathan Bohrer, CFO at Abacus Group
I recently had the pleasure of attending several cybersecurity roundtables, including the HFM US Operational Leaders Summit in White Plains, NY, and an event hosted by Abacus Group in Boston for hedge fund and private equity COOs and CTOs, including several Abacus clients. As the operational leader of Abacus Group, being part of these events gave me the opportunity to discuss cybersecurity with my peers across the industry. I was joined at both events by Abacus CISO Dave Parsons, and at our Boston event we also included a cybersecurity specialist from SentinelOne who contributed greatly to the discussion.
The sessions were an open dialogue that spanned many topics across security and technology, but, resoundingly, I walked away with three major themes in terms of what is currently on the minds of COOs and CTOs in the alternative investment space: security behavior, social engineering, and what I’ll call “security is not just for hackers.”
I was somewhat surprised that technical leaders did not want to discuss firewalls, server anti-virus or next-gen endpoint protection. The general sentiment was that firms like Abacus will take care of the technology, that most firms are willing to spend budget dollars on the most current software and appliances available to protect themselves, and that widely publicized, large-scale threats such as WannaCry and Meltdown/Spectre will be handled by the army of technical resources available.
What had everyone talking was the human element of security, whether that be employees falling for a phishing campaign, or a bad actor acquiring intellectual property because employees did not follow basic physical or electronic data protection policies. Related to this was an eye-opening discussion of statistics around cyber training and phishing campaigns.
Statistics show that the percentage of employees who click on simulated phishing emails in successive campaigns decreases dramatically between the first and second training, and again by the third training. Aggregate statistics gathered by Abacus’s testing across our entire client base showed a click-through rate of 19.8% in the first campaign and 6.9% in the next. Most of the panel attendees agreed that they have seen the same results at their firms. The bottom line is that security training works and is an effective tool for protecting against hackers. A good option for cybersecurity education, training and phishing tests is KnowBe4, which is what we use internally and is also included in our product offering to clients.
There is an abundance of personal data on social websites such as Facebook and LinkedIn. Operational leaders are concerned with how people with dubious intent are using such widely available data to target vulnerable employees. This seemed to be one of the biggest concerns, and one that lacks a distinct solution. The consensus was that vigilance and common sense are the best protection, and that, although ambiguous, the best guidance is to tell employees to watch out for activity that seems out of the ordinary and to always ask questions.
The groups all agreed that AI and machine learning are likely the path forward to a more systematic approach to protecting against social engineering, but as of yet there is no foolproof solution. I shared a story about how a young life insurance salesperson used LinkedIn to reverse engineer the entire organizational structure of a company where I used to work, so as to target higher-net-worth individuals. This was an interesting example of the use of social websites for purposes other than those intended, which leads me to the last topic - “security is not just for hackers.”
Security is not just for hackers
The theme of data transfer by employees leaving a firm came up again and again during the security discussion. This is because the tools that we use to detect and prevent data loss from hackers are the same tools that we use to monitor the activity of our employees. Managers want access to this data in an easy-to-digest, plain-English reporting style. The native outputs of security logs and file audits are almost unreadable to a normal person without a technical or security background, but they don’t have to be. One of the biggest requests from COOs at these panels was a call for better reporting.
When New York City began requiring that every New York City sidewalk be accessible via a ramp to facilitate disabled access, this was a great day and accomplishment for New Yorkers with disabilities. An often-overlooked tangential benefit was the relief and ease of use for moms walking with strollers. While the regulation was not designed for this, it was a benefit. The same goes for security. While we design systems and data collection in order to protect against sophisticated hackers, a byproduct is that the data audit trail can also help us protect our firms against employees with ill intent, so long as we format the data in a way that can be read and used effectively. We’ve built easy-to-read reporting functionality into our Abacus Portal, providing clients with the tools they need for transparency into how data is accessed by their employees, as well as to satisfy increasing investor due diligence requirements for auditable, trackable and accountable data management policies.