AIMA, the Alternative Investment Management Association, launched its Guide to Sound Practices for Cyber Security yesterday with a panel discussion hosted by Macfarlanes.
The guide is relatively short for such a large subject, but information dense. It is pragmatic and helpful and has been targeted at the hedge fund and wealth management industry. The supporting panel discussion, comprising industry practitioners, was highly insightful.
One of the big frustrations communicated by the panel was the yawning gap between firms’ policies and day-to-day practice. A management view that “we should have controls” contrasts sharply with practical and technical detail. Unfortunately, IT is still badly represented at board or partner level.
Currently, the FCA does not explicitly regulate information security, but this is likely to change. The SEC holds to Regulation S-P, directed at ensuring firms have in place comprehensive information security programmes. What takes place in the US soon follows in the UK, and yesterday’s European Court of Justice ruling against the transatlantic Safe Harbour agreement is an indication that European regulators will likely be looking harder at data protection.
Against this background, and in a climate of increasing threats, the subtext of the launch was simple.
Information security starts at a very basic level; it starts with education and attitude.
Approximately 70% of threats are totally indiscriminate. Indiscriminate threats are characterised by traps for the unwary which litter the legitimate web. Infected websites and bogus paid-for search engine links that users visit can lead to the unintentional download of malicious code. Website legitimacy is no guarantee of safety. Some of the most popular and innocent looking sites on the web have been compromised at one time or another.
As an example, earlier this year, Jamie Oliver’s website was infected, on three separate occasions, with malicious code including password-stealing software. And whilst corporate IT policy may rule against access to some internet sites, this will be no protection against the home use of work laptops or the use of home PCs to log on to work environments.
The next most common threat source is also facilitated by unintentional user action, but can be considered a more targeted phenomenon. Socially engineered emails, telephone calls or fake virus protection dialogues all fall into this category, and do not have to be terribly sophisticated to be effective.
This category is closely followed by intentional user action, malicious or otherwise; users employing company IT resources to visit less safe areas of the web, users downloading what they think are legitimate movies or music files, data theft by disgruntled employees or sale of passwords by the same.
Next come IT deployment or configuration mistakes. These can arise through under-resourcing coupled with time or speed pressures and can be deeply damaging. Anecdotes involving the transfer or storage of unencrypted sensitive information on the open web abound.
Interestingly, targeted, professional and persistent threats funded by nation states or other corporates make up only the last 1% of threats.
From this, it is an elementary step to conclude that information security risk can be substantially mitigated through user education and basic good practice. This area of mitigation should be regarded as fundamental to securing a firm. No quantity of firewalls or monitoring software will be effective against unintentional or intentional internal user activity.
A recurring theme to the panel’s discussion was that effective information security has to be embedded in a firm’s governance, risk and compliance framework. It affects all departments and all levels within a firm.
By approaching the subject from a risk perspective, a firm can assess where it believes threats originate, can enumerate the information assets that it considers threatened and start to quantify the impact the compromise of those assets will have on the firm both in terms of finance and reputation.
A firm can then adopt measured and coherent ongoing responses to the risks it has identified.
Omitting user education from the mix could be a serious error.
If you wish to discuss information security issues further, please contact us or view our cyber security service offering.