By John Landy, Intralinks – The discovery of the Heartbleed bug serves as a wake-up call to hedge funds and alternative investment managers. A single line of buggy code has put millions of web servers and users at risk of having their secure information stolen. If you think your business hasn’t been affected, it will be soon.
While Heartbleed is noteworthy in its near universal impact, such risks and vulnerabilities are simply part of the modern, Internet-connected business world. Few hedge funds and alternative investment funds run an entirely self-contained, on-premise data center.
Most are using some form of cloud services, whether it’s Infrastructure- (IaaS), Platform- (PaaS), or Software-as-a-Service (SaaS), like Intralinks™. Your IT infrastructure is no longer sitting in your data center; it’s now spread all over the Internet. And there are sound business reasons for taking this approach: It’s less expensive, more flexible, and offers more functionality.
But one side effect of this is that the security of your IT infrastructure is now dependent on the technology and business practices of an entire ecosystem of service providers.
Even if you deal with only one outside provider, that provider might depend on many others. Your security is only as strong as the weakest link in the long chain of companies supporting you. You could have the best practices in the world surrounding security, and you’d still be vulnerable to Heartbleed.
The question is, what are you going to do about it once it becomes known? Do you have the procedures in place? Are your vendors prepared to respond in a timely manner? A quick response can reduce risk.
Crises like Heartbleed separate the organisations that invest in security and policy from those that don’t. We take these issues seriously at Intralinks, just as our clients do, so we have a security operations center where we manage all of the software we support.
The Heartbleed bug will have long-term implications for Internet security. Here are five steps that hedge fund and alternative investment managers can take now to reduce their risk for the future:
- Understand your IT vendors’ procedures for handling security incidents. Know their people and their operational procedures.
- Ensure that your vendors have a certified Service Organisation Control (SOC) 2 report. SOC 2 lays out how service providers should define and implement a security policy.
- Select mature vendors with a track record.
- Call a meeting with your IT providers and ask to meet with their security teams.
- Finally, understand the full extent of your IT ecosystem. Ask your provider for help in understanding the security policies for any third-party technology or services.
Security vulnerabilities like Heartbleed are inevitable – people are people, and they will always make mistakes. The question is, how do you respond to problems when they arise? Putting the policies and procedures in place today, and working with service providers that take security and confidentiality seriously, can reduce risk in the long term.