Cyber Threats Could Put Your Data at Risk, Fund Managers. Be Prepared
It’s a busy Monday at the office. Amid frantic meetings, calls, and discussions, you notice an intriguing email from a company and decide to open its PowerPoint attachment, only to find that the file appears to be corrupt. You dismiss it and get on with your work. Over the next few days your laptop starts behaving erratically, with unexpected disturbances.
Congratulations, you’ve just been hacked!
You became a victim of a widespread hacker phenomenon known as spear phishing. The supposedly corrupt attachment in that email was the culprit. A recent report by Cisco states that file formats such as Word, PowerPoint and Excel make up the most prevalent group of malicious file extensions, at 38 percent of the total.
Financial institutions have always been one of the top targets for hackers. Unlike large corporations, venture capital (VC) and private equity (PE) firms have small teams, mostly consisting of investment and operations staff, with no dedicated resources for tech or cybersecurity, which leaves the firm vulnerable to threats. Now may be the right time to evaluate your policies and implement new measures.
I’m sure the MIT kid we had here last summer took care of security…
Well, maybe so. Here’s a sniff test to figure out if you have all your bases covered on the security front:
- On any of the websites you visit, do you log in with your Google credentials?
- If your phone or laptop was stolen/lost today, would you be worried that vital or sensitive data will be lost or misused?
- You get a message informing you that your account was hacked. Do you search online for a solution?
If your answer to any of the above was yes, you are very much at risk. We know, because we were in your shoes.
Okay, so how do I make myself secure?
Cybersecurity seems to be the buzzword in town these days. If you search for “cybersecurity,” you’ll be overloaded with information that can make you paranoid. I can tell you from experience that, by the time you cut through the noise, you’ll be as lost as when you started.
To make things easier for fund managers who are, by definition, handling lots of money and generally understaffed, we’ve put together a simple, bare-essentials guide to help you get started.
Here’s your security mantra – EDA.
EDA stands for:
- Email security
- Device protection
- Awareness about policies
Write that down, memorize it and tell it to everyone you know, even your family. And to get you started, we’ve summarized below each topic — too vast in itself to be covered in detail here — with links for further reading.
E is for Email Security
Email has now become our digital ID, effectively the social security number of our digital lives. With more than 3.9 billion users worldwide, email has become the basic necessity for our digital presence. So, it goes without saying that we need to keep our email as secure as we keep our passport.
But do we? We give out our email addresses like flyers on a street corner, to every other website we visit.
We fail to understand that our email inbox holds a snapshot of our life – bank statements, tax returns, transaction alerts, offer letters, verification codes for accounts and more. PhishMe reports that phishing emails are responsible for about 91 percent of cyber attacks. With Google sign-in becoming widespread, we’ve even started using Google credentials to log in to websites, giving them access to our inbox. Did you know that even if you have a strong password, you can be a victim of identity theft just by using a social login?
Top 5 things you should do to keep your account secure
- Monitor your email. Check if your email and password have been a part of any external breaches through websites like HaveIBeenPwned.com and Dehashed.com. If they have, immediately change your passwords. Sign up for email monitors like Firefox Monitor or SpyCloud to get breach alerts.
- Use aliases or proxy emails. You don’t need to use your primary email everywhere you sign up. An email alias lets you control subscriptions and keeps your real address out of circulation, and you can still access important messages on demand.
- Switch to a password manager. Did you know that if you are a Gmail user, as soon as hackers get your email password they can simply sign in to any Chrome browser and access all your other saved passwords? They can also access your search history, saved information you fill into forms and more. I would strongly suggest that you stop using Chrome to save passwords and switch to a password manager like 1Password, Roboform or Bitwarden. They work across devices and are inexpensive and easy to use. You can bypass keyloggers, set super strong passwords and keep all your info in one place. The best part is you don’t have to remember hundreds of passwords, just one strong one.
- Use two-factor authentication (2FA). Set up 2FA (biometric, if available) for your email and social accounts, as these are the primary access points for identity theft. 2FA prevents remote logins with a stolen password alone and makes your account difficult to access. Usage-wise it requires one extra step but is well worth the trouble. If you use a password manager, it will just be an extra key. Additionally, I would suggest you have good security questions, especially answers that can’t be found online through social media or other channels. That means no birthdays, no favourite colors, no pet names or school years. And if you are a Forgetful Fred, you can save them in your password manager.
- Know what access you’re giving to third-party websites. Whenever a third-party website asks for Google access, read what you’re giving access to. Avoid giving “Full Account Access” to websites. Also, periodically check your “Manage third-party access” and “Signing in with Google” settings in Google to remove websites and apps you no longer use.
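The “Monitor your email” item above points to HaveIBeenPwned. Its Pwned Passwords service exposes a range API that lets you check a password against known breaches without ever sending the password, or even its full hash, off your machine: you send the first five hex characters of the SHA-1 hash and match the rest locally. The script below, added here as an example and not part of the original article, implements that check; the endpoint URL is the real one, while SAMPLE_BODY and the password “Password123” are constructed so the matching logic can be exercised offline.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API (k-anonymity model).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_split(password):
    """Return (prefix, suffix): first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, body):
    """Times the password appears in known breaches, given the range body."""
    _, suffix = sha1_split(password)
    return parse_range_response(body).get(suffix, 0)

def fetch_range(prefix):
    """Network call: only the 5-char hash prefix leaves the machine."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "eda-breach-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_password(password):
    """Live check; returns the breach count (0 means not found)."""
    prefix, _ = sha1_split(password)
    return breach_count(password, fetch_range(prefix))

# Constructed sample response so the matching logic can run offline.
_, _KNOWN_SUFFIX = sha1_split("Password123")  # constructed test password
SAMPLE_BODY = "\n".join([
    "0" * 34 + "1:7",        # constructed filler entry
    _KNOWN_SUFFIX + ":32",   # constructed: pretend 32 breach hits
    "F" * 34 + "0:2",        # constructed filler entry
])
```

Call `check_password("...")` for a live lookup; any count above zero means the password should be retired everywhere it is used.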
D is for Device Protection
We live in “smart” times, using smartphones, smartwatches and smart devices, and some of us even have smart homes with IoT (Internet of Things). For all the comfort and accessibility these devices provide, they also expose us to major risks if not monitored properly. Even bigwigs like Amazon and Google have admitted to this.
Wait, how does this relate to me?
Finance and banking institutions top the list of ransomware attacks over the last year, followed by healthcare, government and manufacturing sectors. Ransomware is costing businesses more than $75 billion per year (see Datto). What was just a buzzword a few years ago has become a very real threat now.
Top 5 things you should do to keep your devices secure –
- Restrict access to your devices. A study by Symantec reveals that the information apps most often leak is phone numbers (63 percent) and device location (37 percent). This might be a no-brainer, but when installing apps, don’t hit “allow” for every permission they ask for. For example, a visiting card scanner doesn’t need access to your location, and a music app doesn’t need access to your contacts. Apps will install and work even if you deny some permissions.
- Back up your data. Make it a practice to keep a backup of all your data in an external system. The important thing here is to make sure the backup system is disconnected from your existing systems. For instance, don’t back up your Google docs on Dropbox if your email account can access Dropbox. If your email is hacked, both the Google and Dropbox data will be gone. Instead, back it up to an external drive. Experts recommend the 3-2-1 backup strategy (three copies of your data, on two different kinds of media, with one copy kept off-site) as the best approach to recover from a ransomware attack.
- Update your software. We are often prompted to update our software, but since the popups have a “remind me later” option, we end up pushing it to a later date, until the update forces itself on us. One day it may be too late and too expensive. Don’t believe me? Read how, within a day, more than 230,000 computers in banks, hospitals and other critical services across 150 countries were affected by the WannaCry ransomware, resulting in nearly $4 billion in financial losses. The punchline was that Microsoft had identified this vulnerability months before and had released a patch, but everyone just clicked “remind me later”.
- Use a VPN when traveling. These days we have access to free Wi-Fi everywhere, from airports to coffee shops. For the sake of speed and connectivity, we end up using them. But beware: using public Wi-Fi is riskier than using a public restroom. Surfing on an unsecured network means you’re placing your private information and anonymity at risk. If you are doing anything sensitive, we recommend you use a Virtual Private Network (VPN) to connect via the most secure channel possible. We recommend Surfshark. If you do have to rely on a public connection, remember to “forget” or delete the public Wi-Fi network from your saved networks once you’re done, and turn off your device’s Bluetooth and Wi-Fi when not in use.
- Device Lost Preparedness Test. Test to know if you are prepared to deal with physically losing a device, or with having it taken over by a bad actor for ransom or otherwise. How much money would you be willing to hand someone in cash right now to get your phone/computer back? If the answer is anything more than the depreciated value of the device (maybe 50 percent of list price) plus the value of your time spent dealing with the hassles of re-installing apps and the like, then you are not prepared. Use cloud-based services to keep your data device independent and back up periodically. You want your computer and phone to be as close to disposable as possible, with no data that can’t be recovered easily from the cloud.
There is a lot more you can do to secure your devices, such as using an antivirus and setting up auto-lock, and we hope you have already employed those basic safety measures. In case you’re a victim of ransomware, remember to first disconnect your device from the Internet and contact your IT department – or a very IT knowledgeable associate – for next steps.
A is for Awareness
And the final one. Data breaches cost companies an average of $3.9 million each year. For smaller companies, this can be a huge dent that can wipe them out.
Here’s the kicker – in about 46 percent of the cybersecurity incidents in the last year, careless or uninformed staff (including employees, vendors and contractors) contributed to the attack. This, in fact, is the second highest cause of security breaches, next to malware. Let that sink in for a minute – the second highest!
Top 5 things you should do on an organizational level –
- Go paperless. Many firms are switching to a coworking or “hot desk” culture, which brings efficiency along with new security risks. Leaving papers and notes on your desk or at the printer can have unintended consequences. Have a clean-desk policy. Remove unsecured remote printers from employees’ laptop settings. Shred sensitive documents, especially ones with your signature.
- Policy for remote work. While the world is still catching up on cybersecurity best practices, more and more employees are opting for remote work. This is still uncharted territory for most companies. Extend your cybersecurity policy to cover acceptable data and tool usage during remote work. Make auto-lock mandatory for devices. Consider restricting access to systems with sensitive data. Build clear guidelines on the proper use of personal and employer-provided devices. Another good practice is to set up single sign-on (SSO) and enable remote wipe on the devices.
- Ensure employees know who to call. Many companies have training and policies in place to protect data and teach their employees good cyber practices. But these are usually handled by external vendors, consulting experts or the firm partners. Since they aren’t easily accessible, when a security incident occurs at any hour of the day from anywhere in the world, employees scramble to find solutions on their own, which can worsen the situation. An employee should feel comfortable reporting a lost or stolen device immediately. Communicate the details of the incident to your in-house designated Cybersecurity Officer (CSO). If required, create cards with CSO details for employees to carry in their wallets.
- Discuss policy with portfolio companies and vendors. As investment firms, most of our work runs on collaboration with external parties – law firms, finance contractors and our portfolio companies, to name a few. We share our systems and data with them assuming they have good security policies in place. But that might not be the case, and the risk is higher if you’re dealing with early-stage startups. Have a detailed discussion about their systems and security policies. Another item to consider, which people tend to ignore, is how your data and access are managed when a relationship with an external vendor – an accountant, a contractor, etc. – ends.
- Simulate an attack. Good cybersecurity policy involves regular cybersecurity sessions. But most often, employees tend to sleep through these sessions. To inspire your team to adopt security policies, run a simulated phishing, password or penetration test with your team. You can use free and paid online tools, the Office 365 attack simulator or contracted vendors to do this once a year. Everyone learns better from experience than from theory.
And that’s it. Doing the above will help you keep ahead of 90 percent of the security issues that organizations face. It is easy to be oblivious to cyber threats and think that “this won’t happen to me” or “I don’t have time for this now” and that is exactly what got 4 billion records exposed as of September 2019. The good news is that there are a lot of tools, resources and people to help keep you safe. Cybersecurity is about firm and personal discipline, more than anything else. Building a great cybersecurity policy can take time but if you start today you will be a step ahead of the rest tomorrow.
By Rajiv Kolluru, Chief – Cyber Security, Capria Ventures