Practical analysis for investment professionals
22 June 2016

Cybersecurity: Don’t Become the Hacker’s Next Victim

Investment professionals need to focus on the threat poor cybersecurity poses to asset managers of all sizes.

Cybercrime and cyberespionage cost the US economy about $100 billion annually, and the worldwide toll is climbing toward $300 billion. These numbers are projected to rise even further as the severity and frequency of attacks increase.

Firms that fall victim to cybercrime potentially face a complete loss of client confidence. How much damage can result from weak cybersecurity? Just read the latest headlines about data breaches at large, sophisticated firms like Home Depot, JP Morgan Chase, and Experian.

Regulators have also taken a hard stance against asset managers with lax cybersecurity and have issued reprimands and fines to firms that are just at risk of a data breach.

Despite all the recent publicity about cybersecurity, many still question whether asset managers need training in it. After all, the thinking goes, why would hackers target the asset management industry? Why should busy investment professionals bother to learn about something so technical?

These Were Decent Questions . . . 10 Years Ago

Hackers prey on the mentally unprepared, and the greatest weapon they have in their arsenals is their targets’ apathy. Nothing sounds sweeter to a hacker than the words “It won’t happen to me.” Combine a general lack of interest in cybersecurity with the massive quantities of client wealth and confidential information stored online, and it is obvious why the asset management industry is a prime target for hackers.

Still, investment professionals’ apathy about cybersecurity is somewhat understandable. Much of the training is esoteric, intimidating, and boring. But it doesn’t have to be. Hacking is actually quite an interesting process. Consider this hypothetical attack:

Stage 1: Reconnaissance

Everyone leaves a digital trail online: traces of the sites they visited, the purchases they made, etc. Hackers have ways of tracking this information through a process known as footprinting, the most important and overlooked part of any cyberattack. Footprinting is free, legal, difficult to prevent, and nearly impossible to detect.

Suppose a cybercriminal wants to obtain confidential information about high-net-worth individuals (HNWIs) at Company X. To begin, the hacker searches Company X’s LinkedIn page to find members of the portfolio management team who would have access to the client database. In particular, the cybercriminal focuses on one individual, “Mr. Doe.” Because Mr. Doe is an avid social media user, the hacker is able to ascertain his personal email address, social circles, and internet browsing habits via his digital footprint.

Next, the attacker uses a port scanner and recent Twitter updates to find that Mr. Doe often conducts personal business on his company laptop during lunch breaks.

Stage 2: Infiltration

The hacker scours Mr. Doe’s social media postings and learns that he plans to attend a fundraiser for a nonprofit, “Volunteer Organization A.” The attacker discovers that Mr. Doe is a board member and longtime supporter of the group.

Based on this information, the cybercriminal composes a credible spear phishing email. To fool Mr. Doe, the hacker purchases a URL very similar to that of Volunteer Organization A and builds an email template to match its branding.

The hacker sends Mr. Doe a message from the fake Volunteer Organization A email address. The attacker knows how to entice Mr. Doe and phrases the message to sound like a confirmation for his seat at the upcoming fundraiser. The cybercriminal also times the message so that Mr. Doe will receive it during his lunch, which is when he tends to use his company computer for personal business. The unsuspecting Mr. Doe takes the bait and clicks the “Confirm” button contained in the email.

Stage 3: Escalation

The attacker has embedded a piece of malicious software known as a “remote access tool” in the fake “Confirm” link. Once Mr. Doe clicks on it, the hacker has complete access to his work laptop and can now use the computer to download thousands of confidential client files.

Stage 4: Exploitation

The cybercriminal uses the confidential client files to obtain illicit lines of credit and to forge identities that can be employed in future attacks. In addition, the hacker uploads the data to the dark web, where the information will be sold to other cybercriminals. Word of the successful attack is anonymously leaked to the media. Details of Company X’s cyberbreach are widely disseminated, severely damaging the company’s reputation.

The Post-Mortem

Before writing Mr. Doe off as another hapless victim, consider how common and simple his mistakes are. Indeed, many well-educated and informed professionals commit these same errors every day.

But avoiding such mistakes and preventing these attacks is not impossible. Here are a few tips to remember:

  • Be careful how much you share on social media. Hackers use public information to build credibility and perfect their attack methods. Frequent posts about your location, interests, coworkers, or hobbies generate a large pool of information for cybercriminals to exploit, allowing them to find a convincing pretext and identify gaps in your cybersecurity.
  • Avoid conducting personal business on sensitive machines like work-issued laptops. Segregating devices prevents hackers from exploiting personal accounts, which often have fewer security measures.
  • Be mindful of when you let your guard down. Hackers will take advantage if you are overly trusting and inclined to believe a good story. Skilled cybercriminals craft their attacks so that they seem to come from a credible source, such as a coworker, friend, or loved one. Inspect the email addresses and embedded URLs before clicking any link in a message.
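As an added illustration of the last tip (example code written for this page, not from the original post), a small Python checker that classifies each link in an HTML email: a domain that resembles a trusted one (same name on another TLD, a one- or two-character typo, or the trusted name used as a subdomain of somebody else's domain) is flagged as a lookalike, and visible link text that names a different domain than the href actually points to is flagged as a mismatch. The trusted domain and the sample message are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Hypothetical trusted domain for "Volunteer Organization A" (constructed).
KNOWN_GOOD = {"volunteer-org-a.org"}
# Constructed sample: the fake "confirmation" message from the story above.
SAMPLE_EMAIL = """<p>Your seat is confirmed.</p>
<a href="https://volunteer-org-a.org/events">volunteer-org-a.org/events</a>
<a href="https://volunteer-org-a.com/confirm">Confirm</a>
<a href="https://volunteer-0rg-a.org/confirm">https://volunteer-org-a.org/confirm</a>
<a href="https://volunteer-org-a.org.evil-example.net/x">Confirm</a>"""
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)
DOMAIN = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")

def registrable(host):
    """Last two labels of a hostname (crude: no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(host):
    """'trusted', 'lookalike' (resembles a trusted domain) or 'unknown'."""
    host, dom = host.lower(), registrable(host)
    if dom in KNOWN_GOOD:
        return "trusted"
    name = dom.rsplit(".", 1)[0]
    for good in KNOWN_GOOD:
        # Same name on another TLD, a typo'd name, or the trusted name as a subdomain.
        if edit_distance(name, good.rsplit(".", 1)[0]) <= 2 or good in host:
            return "lookalike"
    return "unknown"

def inspect_email(html):
    """Return (href, verdict) per link; 'mismatch' = visible text names another domain."""
    out = []
    for href, text in ANCHOR.findall(html):
        host = urlparse(href).hostname or ""
        verdict = classify_domain(host)
        shown = DOMAIN.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(1)) != registrable(host):
            verdict = "mismatch"
        out.append((href, verdict))
    return out
```

Running `inspect_email(SAMPLE_EMAIL)` flags three of the four links, which is the point: only the first would survive the "inspect the address and URL" check.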

Hopefully this all instills a healthy dose of what cybersecurity experts call “professional paranoia.” It is important to develop that voice in the back of your mind that cautions against oversharing on social media or using “password123” to lock a work computer.

Knowledge is power in the world of cybersecurity, and just a little insight into how hackers think and operate can better prepare you for the next potential attack and help turn the tide against cybercrime.


All posts are the opinion of the author. As such, they should not be construed as investment advice, nor do the opinions expressed necessarily reflect the views of CFA Institute or the author’s employer.


About the Author(s)
Alan Randell-Chen, CFA

Alan Randell-Chen, CFA, sits on the board of CFA Society Seattle. He also serves as a cybersecurity consultant and educator for the asset management industry, and specializes in the fields of social engineering, penetration testing, and open-source intelligence.

4 thoughts on “Cybersecurity: Don’t Become the Hacker’s Next Victim”

  1. Interesting article. Sometimes, it’s the simple things people forget. Secure your workspace, lock your terminals, protect your password and don’t let strangers follow you into secured parts of the work environment.
