Understanding risk is central to investments. But all too often, overlooking the changing nature of work environments exposes investment infrastructures to additional risk. Cybersecurity issues are on the rise throughout the financial services sector and pose a particularly acute risk to those firms and institutions with many remote workers.
As Cybersecurity month comes to a close, Alternatives Watch spoke with Helen Johnson, chief technology officer with COMPLY, a provider of compliance software, consulting and education resources for the financial services sector, about the shifting threats facing financial services providers, and especially those with robust alternatives practices.
Johnson puts it bluntly: “the risk profile for the industry is more complex than it has been in the past.” Still, with the right team and systems in place, there are ways to enhance and protect the critical trading and data infrastructure.
AW: Over the past several years and especially since the Work from Home revolution, we have seen a significant uptick in regulatory concerns related to cybersecurity. These issues seem more acute within the highly regulated alts space. What advice do you have for CTOs and CCOs in this segment when addressing these new regulatory realities?
Johnson: The biggest cyber challenge when working from home is the illusion of security. For many, especially those who have spent years or decades in financial services, working on in-office hardwired devices, the shift to personal computers running on home Wi-Fi networks represents a major regression in cybersecurity.
While your home network, or that of the local coffee shop, may seem secure, almost nothing can come close to the level of security that chief technology officers, chief information security officers and chief compliance officers provide in the office. And in reality, that local Wi-Fi hotspot is a hotbed of potential cyber risk. Even your home’s closed network is less secure than you think.
Today, it’s almost too easy for bad actors to listen to Voice over IP calls, sniff the network, and, ultimately, gain access to your company’s data.
For CTOs and CCOs looking to navigate this cyber maze, a critical first step is a somewhat obvious one: identifying unique risk factors and policy weaknesses.
Additionally, teams must ensure employees’ home hardware and software include the latest patches and updates, a task which is especially critical in preventing malware attacks. And finally, I always recommend using a privacy screen, which can make a significant difference when working in a semi-public location. From the most technical to the simplistic, taking proactive steps to protect your network will help reduce non-compliance risk.
AW: Many of these changes seem to come from an increase in risk. What is your assessment of the risk profile for financial services firms, especially those with robust alternative platforms?
Johnson: There is no question that more cyber-attacks are occurring today than the average person realizes. In fact, some industry estimates suggest that every 14 seconds, a company is attacked.
Bad actors have a range of motivations, but for our industry, it’s safe to assume these actions are driven by financial considerations. Financial service firms, and those with elaborate alts-trading platforms, are exposed to significant risk and have fewer protections in place than they had in the past.
The shift to remote work changed the equation, and technologists within these institutions and firms need creative approaches to mitigate those increasingly sophisticated risks. This requires a convergence of strategic roles, with a firm’s CTO, CISO, CIO, and CCO working together to develop the tools, resources and solutions needed to protect a firm’s data, infrastructure and reputation.
With heightened criminal activities and the less-than-perfect security nature of most remote work environments, the risk profile for the industry is more complex than it has been in the past. Decision makers must allocate resources and work with partners to ensure they have the right infrastructure, policy and educational approach to reduce their firm’s exposure. After all, the personal benefits of remote work cannot come at the cost of noncompliance and cyber exposure.
AW: Oftentimes we get wrapped up in these changes and believe our own hype. Is that possible today? Are we overreacting to the risks in the marketplace?
Johnson: A quick story may help illustrate our reality today.
There was a recent rash of burglaries at several homes in my neighborhood, all of which boasted sophisticated security systems. However, the thieves bypassed the security system by cutting through the roof. Who would have thought you would need security sensors on your roof?
You may be saying to yourself, cutting through a roof is not quiet, so how were the thieves able to get away with it undetected?
The answer: The thieves monitored social media posts, tracking homeowners’ vacation timelines to gain access to the home when they were sure it would be empty.
What does this have to do with the financial services space? Cybercriminals have been known to cut holes in the roof of many (sophisticated) networks.
It’s important to note that these risks can be mitigated and, in some cases, eliminated. However, such initiatives require investment in hardware, software and security services. And beyond technology, it requires a shift in company culture to ensure that employees and others with access to data follow the necessary policies and procedures.
I always say that while we must be cautious, there is no reason to be paranoid. We know how to keep the bad guys out of our homes — no matter their point of entry.