4 cyber security keys for CTAs

19 Apr 2016

More than a buzzword, cyber security is core to how your systems are set up, what information passes through your business and how you plan to recover from a disaster. Here’s what you need to know.

Today, cyber security is a necessary worry and cost of doing business for everyone in the trading community, especially commodity trading advisors. The NFA’s new requirement that every member must have a cyber security plan in place is merely a formality for what a CTA should already have as part of its business setup. And today’s cyber security is not only a mechanism for dealing with viruses, phishing, and other forms of computer system intrusion. In reality, the concept of cyber security is something much broader; something that addresses how you ensure that your computing and information resources are protected from failure or compromise, and if that happens, how you plan to recover from that event.

One way to determine your exposure is to think of your computing and information systems in terms of the “surface area” they present to users and external entities. In a typical CTA, this would include email sending and receiving, web browsing, file transfers using FTP, user access to workstations and servers, remote backup providers, and cloud data and/or computing resource providers. Each of these must be both reliable and secure if a firm is to operate successfully.

Virtually all firms have anti-virus software installed on their workstations, and you should too, since it comes free with the Windows operating system. This may not be the case for all the servers within a firm, as these generally require specific versions of the anti-virus software. Yet it is critical that they be protected as well, because these systems are often the repository for files and data accessed by multiple workstations.

When it comes to cyber security, where organizations typically stumble is in other areas: intrusion detection and reporting, securing information “in transit,” securing information on mobile devices (laptops, tablets, cell phones), and access and recovery strategies when using cloud-based storage and computing platforms. Let’s look at each of these:

1) Intrusion detection and reporting are systems that monitor access to your computing resources and generate alarms when suspicious access is detected. For example, these could be triggered by a certain number of failed logon attempts, logon attempts using well-known usernames, or access attempts from untrusted networks.

2) Securing information in transit involves either encrypting all files and messages sent via email and FTP or using end-to-end secure communication channels. In practice, encrypting the actual information sent is a more prudent solution as end-to-end encrypted email is rarely available and using encrypted versions of FTP still leaves the information at the destination in an unencrypted state.

3) Securing information on mobile devices (laptops, tablets, and cell phones) is more than simply having a password to access the device. The latest dust-up between the DOJ and Apple shows that it is possible to access a password-protected device without compromising the data. The information on the device also must be encrypted as losing physical control of a mobile device is possible. Also, as a “60 Minutes” investigation revealed recently, hacking into smart phone voice and data isn’t difficult, and that could be catastrophic for a CTA. (see transcript of that program: http://www.cbsnews.com/news/60-minutes-hacking-your-phone/)

4) Access and recovery strategies. Many organizations treat cloud-based storage and computing resources as if they are somehow immune from failure. While major vendors such as Amazon, Google, Rackspace, and Microsoft have impressive uptime statistics, their annual downtimes still are measured in hours. Virtual machines within these environments must be secured the same way as those on your premises, but access to these systems is limited by their uptime and your ability to reach them (your internet connection and theirs).
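To make the three alarm triggers from item 1 concrete, here is an added example (not part of the original article) that evaluates them over a handful of logon events. The log format, the threshold, the time window, the username list and the trusted network range are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (not from the article); tune to your environment.
MAX_FAILED = 3                       # failed logons per source ...
WINDOW = timedelta(minutes=5)        # ... within this window raise an alarm
WELL_KNOWN = {"admin", "administrator", "root", "guest"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample events: "<timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2016-04-19T09:00:01 FAIL user=jsmith src=10.1.2.3
2016-04-19T09:00:05 OK user=jsmith src=10.1.2.3
2016-04-19T09:01:10 FAIL user=root src=198.51.100.9
2016-04-19T09:01:11 FAIL user=trader1 src=198.51.100.9
2016-04-19T09:01:12 FAIL user=trader1 src=198.51.100.9
2016-04-19T09:30:00 FAIL user=jsmith src=10.1.2.3
2016-04-19T09:40:00 OK user=ops1 src=203.0.113.20
"""

def parse(line):
    """Split one event line into (time, result, user, source address)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result, user_kv.partition("=")[2],
            ipaddress.ip_address(src_kv.partition("=")[2]))

def detect(log_text):
    """Return (timestamp, rule, subject) alarms for the three triggers."""
    alarms, recent = [], defaultdict(deque)
    for line in filter(str.strip, log_text.splitlines()):
        ts, result, user, src = parse(line)
        if not any(src in net for net in TRUSTED_NETS):
            alarms.append((ts.isoformat(), "untrusted_network", str(src)))
        if result != "FAIL":
            continue
        if user.lower() in WELL_KNOWN:
            alarms.append((ts.isoformat(), "well_known_username", user))
        fails = recent[src]
        fails.append(ts)
        while ts - fails[0] > WINDOW:      # drop failures older than the window
            fails.popleft()
        if len(fails) == MAX_FAILED:       # count has just reached the threshold
            alarms.append((ts.isoformat(), "failed_logon_threshold", str(src)))
    return alarms

if __name__ == "__main__":
    for alarm in detect(SAMPLE_LOG):
        print(*alarm)
```

The two failures from the trusted workstation are 30 minutes apart, so they never reach the threshold, while the burst from the external address trips all three rules.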

When looking at recovery from a failure or other incident, the typical solution will be some type of disaster recovery (DR) system that replicates the systems required to operate the organization. These can be cost-effectively implemented in a cloud environment as there are billing models that only charge for the time the virtual machines are running. For a DR environment, that need only be the time it takes to snapshot data to the backup environment (typically a once-per-day event). For those whose primary environment is cloud-based, it’s a bad idea to have your DR in the same vendor’s cloud because your primary and backup would be exposed to downtime at the same time. Follow the industry adage and diversify to other vendors.

In addition to recovering from hard system or environment failures, the ability to quickly recover lost or otherwise corrupted files must be another aspect of a firm’s cyber security plan. While there is no substitute for a robust, daily backup strategy, using products that replicate and version files into the cloud (Dropbox, SecuriSync, and others) can provide rapid access to compromised files from non-compromised systems. (Note: The issue here is that files are replicated as they are changed, so if a file gets corrupted, such as with a virus, that corrupted file will be replicated. These services must keep track of versions so you can retrieve the pre-corrupted versions of the file.)

Effective cyber security is critical to the ongoing health and well-being of a CTA and should be approached with the same (or greater) vigor as any other aspect of a firm’s procedures. Get started with a thorough review of the surface area of your systems and follow up with protection and recovery plans for each potential failure.

________________________

Dana M. Comolli is president of DMAXX (dmaxx.com), a back office software design firm for alternative investment managers. TheBooks software is designed for the trader, and is built to do price, position and order management, reconciliation, trade accounting, performance reporting, risk and data management and act as a gateway to a wide variety of execution platforms. You can reach Dana at: dana@dmaxx.com
