With billions of dollars under management, the stakes are extremely high for investment management businesses. Compliance requirements in the industry are strict. And while there is a great deal of advice available on the topic of WFH cybersecurity in general, not much of it is specific to the needs of asset managers, hedge funds, private equity firms, family offices, and others in the public and private market funds industry.
In this post, we’ll discuss the cybersecurity challenges posed by WFH and hybrid work situations. A subsequent post will detail essential WFH cybersecurity tools and best practices. Taken together, they offer an informational WFH cybersecurity toolkit targeted specifically at buy-side firms—covering challenges, best practices, and practical next steps to improve your security posture and ensure compliance.
Redefining the workplace
The term “work from home” has become a convenient shorthand for all work done outside of the traditional office. But when we talk about WFH for financial businesses, this will almost certainly include work from hotels, airport lounges, and clients’ sites as well.
In the investment management industry, several key job roles spend time away from the office:
- C-suite workers travel frequently, and they also have high visibility and access to the firm’s most sensitive assets.
- Research and due diligence analysts are frequently on the road. Sales and marketing teams can also travel quite a bit depending on a firm’s business practices.
- Full-time remote workers are common in buy-side firms—in contrast to, say, large banks, where most work is now being done in the office again.
All of these roles and situations make tempting targets for bad actors. Given the threat landscape and the potentially catastrophic cost of cyber breaches, it’s critical that leadership emphasizes getting cybersecurity right, regardless of location.
Key questions for decision makers and compliance officers
In every business, decision-makers want to feel confident that their network, assets, and data are safe—and want definitive answers to important cybersecurity questions. But in the financial services industry, this isn’t just about peace of mind. It’s a fiduciary and regulatory requirement as well. Here is a sampling of some basic cybersecurity questions all investment businesses need to ask themselves:
- How secure are the hotel Wi-Fi networks that our employees are working on? What about the airport public networks—or in-flight Wi-Fi on planes? Are our employees’ devices safe to use on such networks?
- If an employee’s mobile device is lost or stolen, is the data on that device secure, or will we have to notify our regulators and customers?
- If a remote employee had a malicious payload downloaded to their device—would they know it? How?
- Is “bring your own device” (BYOD) safe, or should all mobile devices be company-issued and directly managed by IT?
- Wall Street banks were fined over $500 million for using WhatsApp and other messaging apps. How are we dealing with mobile messaging? Are we compliant?
- Are we prepared for the possibility of an insider threat or a threat from a third-party contractor or vendor with access to our network?
- Are our WFH employees security conscious? Do they know how to recognize a social engineering attack in an age of ChatGPT, deep fakes, and AI voice cloning?
- Are our security controls and protocols appropriate to the needs of a modern distributed workforce—or are they out of date? If we don’t know the answer to that question, how do we begin to make an assessment?
These are just a few of the most important questions firms should be asking themselves—although there are many more that could be included in this list.
With such a wide array of potential unknowns, it can be difficult to know where to begin when assessing your business’s current state of cyber readiness. Perhaps the most sensible way to put some order to the process is to look at the top classes of threat likely to have the greatest impact on investment businesses.
WFH threats and security concerns in buy-side finance
Social engineering
Social engineering is a catch-all term to describe cyberattacks that rely on tricking a person into doing something unsafe or giving up sensitive information. Unfortunately, the rise of deep fakes and AI voice cloning tools is making social engineering attacks harder to spot than ever before. In addition, generative AI tools like ChatGPT can be used to craft phishing emails that appear authentic. In a WFH context, social engineering attacks can be especially effective since targets are isolated and less able to consult IT personnel if they have a question.
SIM swapping
SIM swapping, also known as SIM jacking, is when a bad actor convinces a telecom to reassign a telephone number to a SIM card that they control. The victim of a SIM-swapping attack will no longer receive their calls and texts—including their SMS-based two-factor authentication (2FA) codes. Hackers use SIM swapping to circumvent 2FA protections and compromise accounts.
Ransomware
Ransomware is malicious software that encrypts files and key data until a “ransom” is paid to the hackers. Ransomware is a threat in every industry, and WFH has made it harder to control what is being installed on employees’ devices. In addition, ransomware is especially dangerous to investment businesses, since they store large amounts of valuable, time-sensitive data—and since attackers know that they have deep pockets.
Network security
The security of the Wi-Fi networks used by remote employees is another key concern for WFH cybersecurity. It is never safe to assume that a public Wi-Fi network is secure because you simply don’t know who set up the network or what their security practices are. As such, it’s essential to ensure that your employees’ devices are equipped with proper security and adequate endpoint protection.
Security updates and patching
Vulnerable software is low-hanging fruit for malicious actors, and thus all operating systems and applications must be kept up-to-date for good security. However, this is not always easy to guarantee in a WFH milieu—especially if companies allow employees to use their personal devices for work.
Insider threat
Insider threat is when an employee accidentally or intentionally causes a security breach. In a worst-case scenario, a malicious employee will abuse the company’s trust to exfiltrate sensitive data or grant network access to a bad actor. Insider threat is difficult enough to guard against in a traditional office environment and can be even harder to stop when employees are frequently on the road or working from home.
All told, asset managers, hedge funds, private equity firms, and other buy-side businesses face a daunting set of cyberthreats. In our next post, we’ll look at how you can protect yourself, regardless of where you are working.
If you need to strengthen your cybersecurity protection, Linedata can help. Our Linedata Protect cybersecurity services offering includes Endpoint Detection, Response and Remediation (EDRR); Managed Detection, Response and Remediation (MDRR); policy development, training, vulnerability testing and assessment, third-party risk management, and CISO-as-a-Service.
About the author, Don Duclos
Don Duclos has 20 years of Information Security experience at leading financial institutions and technology services providers. Prior to joining Linedata, he led teams in all three lines of defense (within the business line, Information Security, and Internal Audit) at regulated firms, where he frequently engaged with regulators and examiners from the SEC, OCC, FDIC, and FRB. He is the Chief Information Security Officer at Linedata Technology Services.