Return to search

Decoding cybersecurity

The WannaCry and NotPetya cyberattacks that struck earlier this year have some important lessons for private fund managers wanting to keep their firms safe.

Cyber-criminals have become increasingly sophisticated in their operations. A decade ago, it was a loose network of hackers, working in isolation or small cells; today, it a billion-dollar enterprise, with teams running large-scale global operations.

“It’s a business and everyone has a role. There is a customer service team, a payroll department, wannabe hackers can buy a malware package, and if it doesn’t have the expected impact they can ask for another. There is a high degree of professionalism now,” says Brian Hussey, vice president of cyber-threat detection and response at Trustwave.

With bigger and sleeker operations come more sophisticated and costly cyberattacks. The first generation of hackers, among other tactics, sought to make a quick buck encrypting credit card information then charging to reverse the damage, and there was little chance of being caught. Now the operations have become more complex.

“It’s difficult to catch malware, and attackers can stay on a system undetected for a long time. They can monitor emails, obtain confidential information and carry out activity akin to espionage. It’s very concerning,” Hussey says.

The latest reported attacks have been huge. About 143 million US customers of credit report giant Equifax may have had information compromised in a cybersecurity breach between May and July, the firm admitted in September. The hackers accessed its systems by exploiting a “website application vulnerability.”

May also saw the WannaCry cyberattack, whose victims included the UK National Health Service, Spanish telecoms company Telephonica and French car manufacturer Renault. Widespread and widely reported, this was heralded as a wake-up call for the business community that, for too long, had been complacent over their cybersecurity compliance. Just one month later, a second global cyberattack – NotPetya – struck, making it very clear that a serious cybercrime arms race has emerged.

Private fund firms are not immune to the threat of cyberattack, and have implemented cybersecurity policies with varying degrees of success. A recent sweep by the US Securities and Exchange Commission found that most of the examined firms had cybersecurity measures in place, an improvement on the previous examination when “significantly fewer” did. But it also found that shortcomings remain, with many firms deploying “cookie cutter” policies that don’t consider the specifics of their business.

Advice from regulators on how to build a successful cybersecurity program abounds, but the latest global attacks show that preventing cyberattack does not have to be complicated or expensive.

Invest in (and patch up) infrastructure
Ensuring operating systems are up to date is a simple but effective way a private fund firm can prevent cyberattack, Hussey says. Computers using Windows XP and Vista were more susceptible to the WannaCry attack than those using newer versions of the Microsoft operating system because the software-maker had stopped offering security support for the systems.

“Investing in security services and threat monitoring is a key way of protecting against cyberattack. Simple moves would have made people safe, but they didn’t happen,” Hussey says.

Eventually Microsoft did issue a patch to protect the operating systems from the malware after Shadow Brokers, the group that powered WannaCry, said it was going to release more tools for hackers. However, many systems had already come under siege.

Firms using supported operating systems also need to make sure they are running updates as and when they become available; many people are left vulnerable to attack because they don’t apply security patches on their release. “Microsoft eventually released a patch for Windows XP and Vista users, but some people did not apply it,” Hussey says.

Allan Liska, an intelligence architect at Recorded Future, an IT security firm, agrees that patching was important, saying that it’s essential patches are applied as soon as they become available. Biannual patch updates are no longer sufficient, he says, advising firms put a more regular patching program in place.

“It wouldn’t have cost anything to protect yourself from WannaCry or NotPetya. Patching is essential.”

Understand your software capabilities
Anti-virus has become the umbrella term for system protection software, but original anti-virus programs do not defend a machine from malware, Liska says.

Traditional anti-virus software tends to deal with older, more established threats like Trojans, viruses and worms, and protects users from lingering, predictable malware, while anti-malware programs typically update faster and focus on newer issues. The former of these is better at crushing malware that could be contracted from a traditional source like a USB or email attachment, while the latter is the best protection against malware you might discover while surfing the net. Check that your program covers you for both, but
remember that none will protect you from ransomware.

“There’s a hidden assumption that anti-malware software protects you from ransomware. It doesn’t. The bug doesn’t have to stay on the system for long, and it’s so easy to write ransomware code that there’s no need to reuse the same method of attack,” says Israel Barak, CISO at Cybereason, a cybersecurity company.

Programs used every day may also have security settings built in, however, which can help mitigate this risk.

“It’s possible to stop local administrators running controls externally. It might cause minor inconvenience for users temporarily, but it will keep the network safe, and still allows users to do what they need to do,” Liska
says.

Ensure insurance covers what you expect it to
Insurance can be a valid risk mitigation tool, but private fund firms must ensure terms and conditions meet expectations before they purchase a policy. Attention should be paid to both the excess – the amount paid by the firm in the case of a claim – and the level of loss that must be incurred before a policy pays out.

“Cybersecurity insurance is not beneficial in the case of a ransomware attack because many policies won’t pay out until costs to a firm reach $500,000. This is much more than the average ransom demanded from both small and large businesses that are victims of an attack,” Barak says.

Ransoms tend to range from $1,000-$10,000 for small businesses, while large businesses could have to pay around $100,000-$150,000, he adds.

There are also circumstances in which policies may be invalidated. Some include a provision that a firm cannot advertise it is insured against cyberattack, and there have been cases where an insurer has refused
to pay out because the policyholder has failed to maintain security measures it claimed to have in place in its application for coverage.

Test your plan, educate your users
It’s crucial to walk through your incident response plan, and keep it up to date, to ensure that it is practical and operable in the case of a cyberattack.

“You need to make sure your emergency contact is still valid, that you know how you will classify an attack and when it’s relevant to call the CEO. You should also consider whether you will pay a ransom in the case one is demanded. If the answer is yes, set up a Bitcoin purse. This isn’t something you want to be doing when the clock is ticking,” Hussey says.

The response plan should also take into account the different types of cyberattack the firm may be exposed to. If you’re the victim of a generic, widespread attack then the response will be more prescriptive than if you’re subject to a targeted attack.

Malware is generally distributed through other malware, so minimize exposure by not downloading free software, particularly from dubious sources, and make sure everyone understands the risks of phishing emails and opening attachments from unknown senders.

“There is an outdated view that it’s easy to spot a phishing email, that they have misspellings or are identifiable in some way. But they are now very similar to legitimate emails. Staff should be encouraged to forward anything that raises even a little suspicion to the IT team,” Liska says.

They should also be taught about the importance of restarting their computers to make sure security Crowe Horwath: Decoding cybersecuritypatches are up to date. Training can be provided in-house or outsourced to specialist providers, Liska adds.