5 Steps to Cyber Resilience: A COVID-19 Cybersecurity Checklist for Investment Managers
Around this time every year, individuals and organizations are encouraged to evaluate their current technology platforms, policies, and procedures, as well as potential threats to cybersecurity and resilience, and make proactive decisions to enhance their safety. With the continued and unforeseen challenge of navigating a global pandemic, this year is unquestionably different from years past.
COVID-19 has altered our worlds and turned remote working into the new norm. With employees working outside the traditional office setting, stringent cybersecurity practices and a set business continuity plan are more vital than ever before. While there are some silver linings to working remotely, such as flexibility and continuity, the remote work environment has also created new avenues for cyber attackers to take advantage of the situation.
Starting early in the pandemic, the FBI saw a significant increase in the number of cybersecurity complaints, including one period where complaints almost quadrupled week-over-week. These cyber-attacks have caused growing concern among investment managers and investors alike.
It is imperative that your firm knows how to stay safe. At SS&C Eze, security is a core benefit we deliver to our clients. In 2020, we again achieved ISO 27001 recertification, exemplifying our commitment to keeping clients’ data safe and confidential. We are continually monitoring and making improvements to keep up with the latest cybersecurity challenges and finding ways to combat them. Follow the tips below to help your organization build cyber resilience.
1. Phishing Attacks Are on the Rise: Take Precautions with Emails and External Links
Since the start of the COVID-19 pandemic, there has been a significant increase in phishing attacks with subject matter relating to (or purporting to relate to) the pandemic and public health. Attacks like these are perpetrated through the distribution of fraudulent email messages in an attempt to gain access to sensitive information and networks.
To avoid falling for a phishing attempt, which could leave your firm exposed to cyber criminals, make sure your team takes extra precautions when opening emails, especially if they’re unsure as to why they received them or what they may contain.
Check to make sure employees are familiar with the red flags denoting that a sender may not be legitimate. Red flags include:
- Unknown sender; can be internal as well as external
- Requests or demands for sensitive information or to take an action (e.g. logging in, sending documentation, etc.)
- Attachments and links
- Typos or poor grammar
- An urgent demeanor
- A spoofed domain name
- A mismatched, misspelled, or fake URL
As a rule of thumb, pause and consider before opening or clicking on these types of emails. If you are uncertain, verify the sender and the content of what was sent via another means. For example, if you receive an email from a known contact that you suspect could be phishing, call that contact instead to verify the email is legitimate.
Bonus Tip – Other Attack Vectors: Today, phishing attacks are not limited to just email. Instead, there are a variety of different mediums and tools available to perpetrate this type of fraud, including using calls, texts, and social media. In some cases, these messages can appear as if they are coming from a legitimate or known source or even could be from a known source that has been compromised. Your firm should be on the lookout for these types of attacks as well.
2. Avoid Public WiFi, Use VPN, and Make Sure Computer Systems and Software are Up-to-date with Security Updates
With the state of the world today, many of us have gone from days spent working in the office to days spent working from wherever we can find a quiet and internet-accessible place. This can leave us more vulnerable than ever before.
Public WiFi is certainly convenient and can help keep your cellular data usage down, but when you use it, you don’t always know who is really providing that service. Is it your local coffee shop, or someone just pretending to be so they can eavesdrop on your digital communications? If using a corporate device, connecting to your organization’s Virtual Private Network (VPN) can help thwart those would-be data thieves and can take advantage of other security mechanisms in place on your company network.
To ensure your team’s devices stay secure, encourage them to pay attention to reminders to update systems and software with security updates and to be on the lookout for communications from your IT and Information Security personnel. While recently publicized attacks involved attackers who took advantage of a particular company’s patch offerings, patching is still one of your best defenses.
Bonus Tip – Be Aware of Your Surroundings: One of the simplest ways for bad actors to gain access to sensitive information doesn’t require hacking into your device at all but simply looking over your shoulder. Be aware of your surroundings and take precautions when entering passwords, PINs, or viewing sensitive information in public. If you can avoid it, don’t conduct sensitive work in public places or using public WiFi.
3. Encourage Teams to Contact IT or Information Security with Questions or Suspicions
Keeping your firm cyber-secure and helping defend against cyber attacks is the responsibility of each member of the organization, regardless of level or position. Your IT and Information Security teams should be available to help.
Encourage your employees to turn to IT and Information Security with any questions they have related to your organization’s cybersecurity and resilience. These teams are experts in addressing these types of concerns and would much rather field an uptick in employee questions than to respond to a security incident impacting your firm.
4. Revisit and Promote Your Company’s Information Security Policies
Although this post covers many of the steps firms should take to build cyber resilience and help protect against bad actors, your team should also take some time to refresh themselves on the contents of your company’s Information Security Policies. These written policies are essential to organizational information security and all firms should have them, regardless of size.
Bonus Tip – Check In with Colleagues: It’s a good idea to check in with your colleagues periodically to reinforce the tips and best practices outlined in this post and to make sure employees are familiar with your organization’s information security policies and procedures. This can also help alert your overall organization to attacks (sometimes individuals might think they’re alone in receiving a suspicious email or phone call when the issue is actually more widespread).
5. Cybersecurity and Vendors: Selecting Partners You Can Trust
With outsourcing on the rise, many firms have existing outsourcing relationships. In fact, a recent report on outsourcing and the buy-side found that almost 60% of respondents have existing outsourcing relationships, while nearly one-third are considering outsourcing some parts of their business. Almost half of respondents cited security concerns as their primary challenge associated with these outsourcing relationships.
Lack of cybersecurity and resiliency by the outsourced systems and services your organization relies on can put your firm at risk. Therefore it is imperative that your vendors take security and reliability seriously and remain committed to regularly monitoring and continuously improving processes to keep up with the latest cybersecurity challenges. This will help reduce your risk of cyber attacks, as will selecting vendors with good reputations as reliable and trustworthy partners. These precautions can also help you in raising capital and institutional fundraising, as investors want to see that you have selected partners you can trust.
One good way to find firms that are committed to protecting you and your clients’ data is to ask whether the vendor is ISO-certified. ISO certification means that the firm you’ve chosen has met international standards for security and data protection.
At SS&C Eze, we provide effective, comprehensive reviews and evaluations that are not a one-size-fits-all approach. We adhere to the most stringent cybersecurity requirements, including ISO 27001, which encompasses ISO 27017 and 27018 for cloud security and cloud privacy. As a vendor, we make sure our clients are protected by always keeping cybersecurity top of mind and instilling trust through preparation.
Bonus Tip – Questions for Vendors: If your company is already outsourcing, consider asking your vendors these 6 questions, which will allow you to evaluate their preparedness in terms of remote capabilities, business continuity, and associated concerns as they relate to the COVID-19 pandemic.
Stephen Pyne, Director, Information Security Operations, uses his 20+ years of experience in his field to lead and enhance information and physical security practices at SS&C Eze. Stephen's role involves designing and implementing secure software development lifecycle (SSDLC) processes for Eze's best-in-class suite of product offerings, ensuring continued compliance and expansion of ISO 27000 series certifications, and ensuring all Eze employees receive thorough security awareness training.