Stopping Hackers in their Tracks: How You Can Stay Vigilant to Guard Against Cyber Threats
By Brent Rivard, Managing Director
How many of you have received an email request to take money from a foreign prince in the past 30 days? How about notifications that your password is about to expire or your account has been locked?
I receive dozens of attempted attacks through email each week. In today's world, companies utilize greater connectivity to run their businesses, manage increased volumes of data, and work remotely, which has made cybercrime a heightened risk for companies and an unfortunate consequence of our digitally connected world. When asked why he robbed banks, Willy Sutton quipped “because that’s where the money is.” Investment managers and other financial institutions are particularly desirable targets for cyberattacks because that’s where the money is, and hackers focus on stealing sensitive data to gain a financial advantage.
We have always taken cybersecurity seriously at Pathfinder, and robust policies and procedures to secure both our assets and our clients’ private data have always been a priority. As cyberattacks take various forms and become increasingly sophisticated, it is essential to remain vigilant and institute appropriate preventative controls and monitoring procedures. While we have had measures in place to guard against cybercrime for some time, we are continually improving our processes to keep up with cybercriminals as they become increasingly innovative. We thought we’d share some strategies we take to protect our (and steps you can take to protect your) data and assets.
Review and stress-test your cybersecurity protocols
Pathfinder recently enlisted a third-party cybersecurity firm specializing in private equity and real estate to conduct a complete cybersecurity audit. The audit assessed primary risk areas; data breaches, third-party vendors, and wire fraud and examined threats in those areas, including looking for data breaches by stress-testing our network to identify weaknesses and sending test phishing emails to our employees. We analyzed third-party service providers’ cybersecurity frameworks for continuity with Pathfinder's systems, as continuity creates a network that is far less vulnerable to attack and minimizes gaps and vulnerabilities in our collective systems. We also reviewed our protocols for capital calls and wire instructions to assess wire fraud risk and how we communicate with clients to prevent cybercrime in these areas.
The firm’s recommendations included biannual training for our employees, improved investor communications around our capital call procedures, and wiring instructions, including sharing what capital call or wire instructions from Pathfinder look like so clients don’t act on a fraudulent one. Our investors received an email from us detailing those procedures. We also established a cybersecurity action plan should a breach occur. Working with a third-party cybersecurity firm helped us establish a framework that reduces the potential for data breaches or cyberattacks and implemented a process to manage and mitigate a potential breach.
Know your weak spots or as we like to call it, “how they get you.”
Email is the most common way attackers infiltrate a company’s systems and access data. Most breaches involve a user unwittingly clicking on dangerous links or opening harmful attachments that install malicious software (known as malware), enabling the disclosure of confidential information and preventing legitimate users from accessing critical systems and data.
When it comes to cybersecurity, human error represents the greatest weakness, and criminals know this. That’s why education, training, monitoring, and communicating with our employees and investors about the latest in cybercrime is our best defense against these attacks. So how can you protect yourself and your data? Here are some tips for spotting a scam.
Email Fraud or Phishing. These methods are used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email or text message. These can include an email out of the blue requesting payment, an email from the boss asking you to purchase gift certificates, an encrypted email asking you to log in, and an email with an attachment or link (e.g., malicious code.) The best rule of thumb is that if you weren’t expecting that email or text, it’s probably a phishing attack. I always delete messages I wasn’t expecting. If somebody really needs me or there is a problem, they’ll call me.
Out-of-Date Software. Regular patching upgrades for out-of-date software are critical because they are about more than just getting the latest features for your device or computer. They have essential updates that keep you – and your device – safe from cyber threats. You can stay cyber-secure by ensuring your operating system is always up to date. This is not only important for businesses but also your home and personal computers and phones.
Credential Harvesting. These emails attempt to trick users into entering their credentials into a fraudulent website to steal their login information. After entering the credentials, the user is often redirected to a legitimate webpage. Credential harvesting can be prevented through multi-factor authentication (an example is a 6-digit code texted to your phone). Multi-factor authentication methods, via a text or email, thwart a single password from granting access to critical data and assets.
Spear Phishing. This is a type of phishing campaign directed to specific individuals or has official-looking logos from legitimate organizations and other identifying information taken directly from trusted websites. The concept is like phishing, except that instead of sending random emails to millions of potential targets, cyber attackers send targeted messages to a few select individuals. The cyber attackers research their intended targets by reading their LinkedIn or Facebook accounts and create a highly customized email that appears relevant to the targets. This way, the individuals are more likely to fall victim.
Staying a step ahead of cybercriminals’ ingenuity
No matter how robust a company’s preventative access controls, monitoring protocols, and data protections are, these measures are just the first line of defense for preventing and mitigating most cyber-attacks. Workplace procedures around cybersecurity and data breaches frequently change to keep up with cybercriminals’ ingenuity, and it is critical that companies and their employees stay on top of it. An evolving paradigm is “zero trust,” which is essentially a set of protocols that takes nothing for granted and brings additional security steps that significantly reduce the opportunities for human-error breaches.
When making investment decisions, investors should consider a manager’s cyber preparedness, which is key to fostering a healthy cybersecurity environment, being proactive about solutions and staying aware of best practices. There’s no underestimating the cunning of cybercriminals, especially in financial services, where there’s so much at stake. In this constantly evolving environment, Pathfinder tries to bring the best possible defenses to bear and continues to make meaningful investments to ensure we have robust cybersecurity protections and practices.
Brent Rivard is Managing Director, CFO and COO of Pathfinder Partners, LP. Prior to joining Pathfinder in 2008, Brent was the President of a national wealth management firm and CFO/COO of a one of southern California’s leading privately-held commercial real estate brokerage firms. He can be reached at firstname.lastname@example.org.
Share this Article