Social Engineering and Social Media: A Top Security Concern for Hedge Funds
11 November 2015
Given the growing threat of data breaches, hedge funds are vigilantly seeking solutions for a robust security program.
At a recent event hosted by Intralinks, Thomas Deinet, CEO of the Hedge Fund Standards Board, emphasized the importance of treating cybersecurity as a business issue, not exclusively an IT issue. In doing so, senior management must agree on selecting the most sensitive assets to protect, from trading algorithms for quantitative funds, to trading research for global macro funds.
Of particular interest at the event was social media, and the growing risk of social engineering. Industry professionals pointed out that cyber criminals exploit the inevitable weakness found in most organizations: human error.
According to the panel at the event, five typical social engineering exploits include:
- Stealing Passwords – Hackers use a social networking profile to work out somebody’s password using the password reminder question.
- Pretexting or Friending – The hacker gets you to click on a link or an attachment to exploit system weaknesses; or they may pose as an external IT auditor to manipulate the building security staff to get into the firm.
- Phishing – Hackers incorporate threats, fear and a sense of urgency, often via email, in an attempt to manipulate the user into acting promptly.
- Baiting – Similar to Phishing and Pretexting, but baiting involves the promise of items or goods. Baiters may offer free music or movie downloads if the user surrenders their login credentials to a certain site.
- Tailgating – This exploit involves someone who lacks proper authentication following an employee into a restricted area. The attacker asks the employee to hold the door, thereby gaining access.
It’s especially important to highlight the risks associated with social media, as it’s an area most managers often overlook. If the appropriate social media and staff policies are not implemented, the results can be detrimental to the fund.
“A search engine is an attacker’s best friend as they prepare to launch an attack on an organization. Social media sites store a wealth of personal information about individuals—from their employer and job description through to their key skills and areas of specialization,” Matthew Martindale, director of KPMG’s security team, explained. “Attackers can collate and analyze this information to gain a greater understanding about an organization’s key lines of business through to the technology and systems in use.”
Ironically, however, fund managers are potentially at risk if they do not embrace social media because they run the risk of someone creating a bogus account under their name. Consequences of this identity theft include reputational damage if the hacker publishes malicious messages or posts that could influence the markets.
Martindale pointed out that KPMG runs a series of simulated cyber exercises to prepare for potential data breaches, and also used LinkedIn to reinforce their internal infrastructure.
To mitigate risk and reinforce your security solution, invest in efficient staff training, especially in relation to social media—this component could represent a weak link in even the most robust cybersecurity programs.
Kylie Horner is an Associate in Strategy and Product Marketing at Intralinks. She is part of the team responsible for determining go-to-market strategies for the debt capital markets and alternative investment businesses. Prior to joining Intralinks, Kylie worked in marketing and communications at ACTIV Financial, a financial information technology firm. She graduated from the University of Colorado at Boulder with a degree in Journalism, and a specialization in global media.