By: Mary Beth Hamilton, Vice President of Marketing, Eze Castle Integration
I just finished Season 1 of Showtime’s ‘Billions’ and can’t resist calling out the horrible IT security on a key character’s laptop. ‘Billions’ centers on a multi-billion-dollar CT hedge fund and the federal prosecutors looking to take it down for financial crimes. [Spoiler Alert] As Season 1 nears its end, US Attorney Chuck Rhoades easily logs into the laptop of his wife, who is also the hedge fund’s in-house psychiatrist. On the laptop he finds the incriminating evidence necessary to potentially take down Mr. Billions (aka Bobby “Axe” Axelrod).
From an IT security perspective, there were so many things wrong with this scene, but I’ll highlight three that any hedge fund, regardless of AUM, should consider:
First up: password security.
In ‘Billions’ they broke the golden rule of NEVER sharing your password, but beyond that, multi-factor authentication should have been implemented. Multi-factor authentication requires at least two authentication factors, which can be knowledge based (password), possession based (something you have, such as a token or mobile phone) and/or inherence based (something you are, such as a fingerprint or eye scan).
Eze Castle Integration’s Eze Managed Cloud offering includes two-factor authentication.
Next, file encryption or password protection.
Not all files warrant file encryption or stand-alone password protection, but extremely sensitive or personal data may. In ‘Billions’, had the hedge fund encrypted the files associated with their trusty in-house psychiatrist, the file would likely have been worthless when it was emailed to the US Attorney or any unauthorized person outside the firm.
We’re certainly not encouraging illegal activity, but this could easily have been a hacker looking to exploit high-value information for gain. File encryption technology, such as Sophos SafeGuard, allows for encryption of individual files, which then remain encrypted when transferred. Encryption can be an inconvenience for end users, but it is something to consider for a firm’s most confidential information. Password protecting confidential files, while storing the passwords in a safe or password manager, is an option as well.
Finally, creating a file audit trail.
Firms must have clearly defined, implemented and reviewed access control policies and procedures to control who has access to sensitive information. Beyond controlling access, firms should consider technology that allows for creating useable audit trails of email, permissions and file events. While an audit trail doesn’t stop a breach, it can provide deterrence and facilitate identification of data leaks.
Don’t Make Billions’ Mistakes
Security risks come from everywhere, so firms have to get the IT security basics right with a focus on protecting the most important information and systems. Also, don’t forget to train your employees – they can be a firm’s biggest unintentional weakness (as this scenario highlights).