The emergence of cyber-threats to a fund’s information security.
When it comes to managing and mitigating risk, private equity fund managers are wrestling with growing threats on the information security front.
From the inside out, the risks to PE firms grow daily: savvy and experienced hackers are looking to target firms and, perhaps more concerning, untrained and unaware employees are blindly putting their fund’s operational standing in danger.
Many small and mid-sized financial firms (wrongly) consider themselves too small to be of interest to cybercriminals and choose to ignore the threat, leaving them open to attack. Private equity firms are particularly vulnerable as most operate with small cybersecurity budgets and limited IT staff.
Does your firm think it’s safe from cybersecurity breaches? Think again.
Cybercrime has skyrocketed in recent years and several corporate giants have endured catastrophic breach events. Cyberattacks targeting behemoths like Target, Home Depot and TalkTalk have triggered a contagion effect that impacts organizations spanning all industries, regardless of scope or size.
With that in mind, according to recent EY research, only 7% of investors are satisfied with the current cybersecurity policies of their fund managers.
How, then, with all of the aforementioned security threats, do private equity firms manage and mitigate the risks they face?
We turned to our CTO, Clint Sieunarine, who holds a PhD in computer science from Oxford University and leads the development of Hockeystick’s own security and privacy.
Below are his recommended starting points.
1. Physical Security is of utmost importance when mitigating the risk of data breaches and malicious attacks. Although these attacks are common occurrences (remember Yahoo and MySpace?), they can be avoided by hardening application servers.
Hardening is the process of securing your computer system, and typically refers to software configuration. Software can be configured, for instance, to enforce password requirements at the OS level. Furthermore, software can be configured to make web servers and databases less vulnerable to attacks.
Another security practice is to deploy firewalls and monitoring at all levels of your infrastructure. Firewalls monitor access to applications at a port level and, consequently, allow you to thwart malicious attacks by blocking access to certain ports.
At Hockeystick, we have gone the extra mile by hardening all our servers in accordance with best practices and installing firewalls at every level of our infrastructure, from the load balancer to the virtual private cloud for each environment and even our bastion servers.
2. Organizational Security works in tandem with physical security. At an organizational level, employees must take the necessary precautions to enforce security. Such simple precautions include locking your computer and even your office when stepping out. Other initiatives include documentation.
Documentation is incredibly important in any organization — specifically, documenting which employee has access to what resource. For example, when hiring employees, an orientation checklist should include what resources new users would have access to initially. Likewise, when terminating employees, a similar checklist should exist for all access that needs to be revoked.
Moreover, mandatory security training should occur periodically; security training ensures that all employees are aware of the safety measures that need to be adhered to for a secure and private environment.
We take data security and privacy very seriously at Hockeystick and hold quarterly employee security training. Furthermore, all employees use multi-factor authentication when accessing software applications on their respective computers.
Ultimately, the best cybersecurity investment you can make is better training.
The advent of the digital world and the inherent connectivity of people, devices and organizations open up a whole new playing field of vulnerabilities. As it grabs increasing attention in the news media, cybersecurity is ramping up in importance for all players in the private equity space.