From the June 2008 issue of Investment Advisor

June 1, 2008

Security in a New Age

How to protect your firm from 21st century online criminals

As Americans have moved online over the last decade, many people have experienced some kind of online criminal activity. Online criminals are now highly organized, specialized, professional, and very well financed. Many operate beyond the reach of the law in countries around the world. If your data and systems are connected to the Internet, you are exposed to break-in attempts and online fraud. The good news is that there are steps you can take that will greatly improve your chances of thwarting online attacks.

Chances are you already know that online security is a crucial component of your business, and you've no doubt installed recommended security solutions--firewalls, antivirus software, and the like--to keep your systems secure. But this is a good time to revisit your security strategy to make sure that you are keeping pace with the latest online threats and the potential for data breaches. It is within the grasp of your firm to take steps to protect your most private and sensitive company and client information.

With that in mind, here's a look at why online security has become a mission-critical issue for advisors--and how you can combat the still-evolving threat.

Staying Out of the Drift Net

When independent investment advisory firms were a cottage industry, you were off the radar screens of online criminals, who focused their efforts on targets that promised either prestige or significant financial gain. The overall opinion of advisors was the all-too-common view that "it won't happen to me." Today, the criminals have cast a drift net that aims to compromise the computers of grandmothers, students, and investment advisors alike. From networks of compromised computers (known as "botnets"), they harvest stolen passwords, identity information, and even the computers' processing power itself. They take these ill-gotten valuables and trade them in a surprisingly organized and complex criminal marketplace comprising spammers, identity thieves, and a host of other unsavory--but talented--characters. The glory-driven lone hacker of yesterday has morphed into a coordinated syndicate encompassing creative and innovative individuals who are driven simply by the ability to make money--and lots of it. There is a profit motive to cyber crime that hasn't existed in the past.

The Storm Is Already Here

The profit motive means that today's cyber thieves operate in fundamentally different--and more dangerous--ways than did yesterday's hackers. Whereas an old-school hacker might have been content to penetrate a large company's information infrastructure--and gain some underground notoriety in the process--cyber criminals' goal now is to go completely undetected once they gain access to a system. Stealth is now an essential part of their strategy, making detection simultaneously more difficult and more critical.

Consider the Storm botnet, perhaps the best-known example of the evolved threat you and your clients face. Storm is a family of malicious software programs--known as malware--which has infected millions of computers since emerging in January 2007. Storm usually propagates via e-mails that encourage victims to click on a link to (for example) an e-greeting card or to a Web site that promises to display the latest sports scores and schedules. Once you click, the information you expect will appear: you'll actually see the card or the football scores. But you'll also deliver your computer into the hands of the Storm operators in the process, with no obvious sign that you've done so.

The result is that your computer--completely unbeknownst to you or anyone at your firm--is now under the control of someone else, who can access all of the data on your computer (clients' Social Security numbers, confidential and "protected" password information, and addresses, not to mention your every single keyboard press and mouse click) and access any information that your computer has the right to access (even protected resources such as intranets, extranets, and virtual private networks).

We know that attacks by technologies such as Storm have resulted in numerous "pump and dump" schemes, in which thieves use hijacked clients' computers to send vast amounts of spam exhorting recipients to buy specific thinly traded stocks, bidding up the prices. The fraudsters later sell shares of these stocks that they already owned, producing tidy profits.

Keep in mind that the cost of just one such occurrence for your firm and the associated loss of reputation for your business would likely exceed what a criminal could reasonably expect to steal in a pump and dump campaign.

In addition to the cost of meeting your notification obligations and damage to your reputation, you would incur significant financial and productivity-related costs trying to fix the problem and ensure it never reoccurs (see sidebar, "Malicious Software That Won't Go Away").

How to Protect Yourself and Your Firm

Clearly the threat is real and growing. Now for the good news: There are ways that you can greatly increase your chances of evading an online attack.

Technology alone is never going to be sufficient to eliminate online risk. But it is a good starting point for ensuring that your systems and data have basic protection. One first step is to perform a gap analysis, comparing your present risk management approach to your desired security state. For many advisors, it's best to retain the services of a professional IT security consultant to perform this analysis. Barring that, at least arm your firm with the basics such as firewalls, antivirus, anti-spam, and anti-spyware software, as well as security-aware Web browsers. Use encryption technologies on your laptops and other mobile devices. Keep your tools and systems updated by regularly checking with your vendors for the latest security patches or by setting your systems to update automatically.

Also consider using emerging technologies that create additional layers of protection. One example: two-factor authentication, enabled by tokens or cards displaying a sequence of numbers that change periodically and must be entered along with the user name, password, and a PIN number to log into a system. A data thief not in possession of the token will find it much harder to hack into a computer, even if critical passwords have already been compromised. Schwab Institutional provides authentication cards free of charge to advisors, and other custodians have similar programs. While these cards do necessitate an extra step in your employees' processes, they can greatly reduce the chances that a fraudster will steal login credentials and leave you in the difficult position of having to explain to a client that their personal information has been compromised. One option to consider would be to order authentication cards for your first line of defense--your traders--and then roll them out to the rest of your firm at a later date.
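The paragraph above describes cards that display a number which changes periodically and must be typed in alongside the user name and password. The following is an added illustration, not code from the article, from Schwab Institutional, or from IBM ISS: it assumes the card implements a standard time-based one-time code (RFC 4226 HOTP stepped by a 30-second clock, as in RFC 6238) and shows a server-side check in which a correct password on its own is not enough to log in. The user directory, salt, and token secret are constructed placeholders.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed interval at which the card's displayed code changes
DIGITS = 6          # assumed length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so a stolen credential file is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_login(users, username, password, code, unix_time, skew_steps=1):
    """Accept a login only if the password AND a current one-time code are both correct.
    `users` maps username -> dict(salt, pw_hash, token_secret). skew_steps tolerates the
    card's clock being one interval ahead of or behind the server."""
    rec = users.get(username)
    if rec is None:
        return False
    if not hmac.compare_digest(rec["pw_hash"], hash_password(password, rec["salt"])):
        return False
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(rec["token_secret"], c), code)
        for c in range(counter - skew_steps, counter + skew_steps + 1)
    )


# Constructed demo directory: one trader who has been issued a card.
# The salt and token secret are placeholders, not real provisioning values.
DEMO_SALT = b"constructed-salt"
DEMO_SECRET = b"constructed-token-secret"
DEMO_USERS = {
    "trader1": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("Correct-Horse-42", DEMO_SALT),
        "token_secret": DEMO_SECRET,
    }
}


def demo(now: int = 1_212_300_000):
    """The article's scenario: a stolen password alone does not open the account.
    Returns (password_only_accepted, password_plus_card_accepted, stale_code_accepted)."""
    card_code = totp(DEMO_SECRET, now)   # what the card is displaying right now
    password_only = verify_login(DEMO_USERS, "trader1", "Correct-Horse-42", "000000", now)
    with_card = verify_login(DEMO_USERS, "trader1", "Correct-Horse-42", card_code, now)
    # The same code presented well after it expired is rejected too.
    stale = verify_login(DEMO_USERS, "trader1", "Correct-Horse-42", card_code,
                         now + 100 * STEP_SECONDS)
    return password_only, with_card, stale


if __name__ == "__main__":
    print(demo())   # expected: (False, True, False)
```

The skew window is the design decision worth noting: without it, a card whose clock has drifted by a few seconds produces spurious lockouts; with a window wider than one step, an observed code stays usable for longer, so keep it small.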

Risks and Policies

Even if you employ these extra measures, you also need to implement security-related procedures and policies throughout your firm that enable business while keeping a handle on risk. Those policies should include best practices such as:

Control access. Every person in your office with a password to your system is a potential exposure point for a security breach. Therefore, instead of providing general access to every employee, limit access based on their roles and needs. For example, trading authority should only be given to those staff members who need it. Likewise, when an employee quits or leaves the firm, have a procedure in place to disable his or her access credentials. Periodically audit the list of employees with access credentials, making changes and deletions as needed. Unused and inappropriate credentials represent a point of risk for your firm.

Manage passwords. Require complex passwords with a combination of letters and numbers instead of using easily guessed passwords (such as those based on birthdays or children's names). Then change those passwords every 90 days.
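The two practices above (limit access by role, disable departed employees, audit the credential list, and rotate passwords every 90 days) are easy to state and easy to let slip. As an added example that is not part of the article, the script below runs such an audit over a constructed HR roster and account list and reports what the point person should act on; the 60-day idle threshold, the 8-character minimum, and the role names are assumptions, not figures from the article.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # rotation interval stated in the article
MAX_IDLE_DAYS = 60           # assumed threshold for flagging an unused credential
AUDIT_DATE = date(2008, 6, 1)

# Constructed sample data: what an HR roster and a system's account list might look like.
HR_ROSTER = {
    # username: (role, still employed?)
    "asmith": ("trader", True),
    "bjones": ("operations", True),
    "cwong":  ("trader", False),      # left the firm; credentials never disabled
    "dlee":   ("advisor", True),
}

ACCOUNTS = [
    {"user": "asmith", "trading": True,  "password_set": date(2008, 4, 1),  "last_login": date(2008, 5, 30)},
    {"user": "bjones", "trading": True,  "password_set": date(2008, 1, 15), "last_login": date(2008, 5, 29)},
    {"user": "cwong",  "trading": True,  "password_set": date(2008, 3, 1),  "last_login": date(2008, 4, 20)},
    {"user": "dlee",   "trading": False, "password_set": date(2008, 5, 1),  "last_login": date(2008, 2, 1)},
    {"user": "temp01", "trading": False, "password_set": date(2007, 11, 1), "last_login": date(2007, 12, 1)},
]


def audit_accounts(accounts, roster, today, max_pw_age=MAX_PASSWORD_AGE_DAYS, max_idle=MAX_IDLE_DAYS):
    """Return (username, finding) pairs in account order. A former or unknown employee is
    a single finding (disable first, ask questions later); active users get every
    applicable finding so one review pass covers role, rotation, and idle checks."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        entry = roster.get(user)
        if entry is None:
            findings.append((user, "UNKNOWN_USER"))            # no employee behind this login
            continue
        role, employed = entry
        if not employed:
            findings.append((user, "FORMER_EMPLOYEE"))         # leaver still has credentials
            continue
        if acct["trading"] and role != "trader":
            findings.append((user, "EXCESS_TRADING_AUTHORITY"))  # right not needed by role
        if (today - acct["password_set"]).days > max_pw_age:
            findings.append((user, "PASSWORD_EXPIRED"))        # past the 90-day rotation
        if (today - acct["last_login"]).days > max_idle:
            findings.append((user, "IDLE_CREDENTIAL"))         # unused; confirm still needed
    return findings


def password_meets_policy(password, personal_terms=(), min_length=8):
    """Letters and digits both present, an assumed minimum length, and none of the user's
    easily guessed personal terms (birth year, family names) appearing anywhere inside."""
    if len(password) < min_length:
        return False
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        return False
    lowered = password.lower()
    return not any(term.lower() in lowered for term in personal_terms if term)


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, HR_ROSTER, AUDIT_DATE):
        print(f"{user:8} {finding}")
```

Run it on the sample data and the leaver, the stray account with no employee behind it, the operations user holding trading authority, the stale password, and the long-unused login all surface in one list, which is the whole value of doing the audit on a schedule rather than from memory.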

Manage remote access. It may be convenient to get work done at your corner coffeehouse, but it's also potentially dangerous. That's why the same security tools you have on your office computers need to be installed on all company laptops, PDAs, and other remote devices, as well as on any home computers that might be used for business.

Additionally, ensure that strong encryption is used without exception by anyone at the firm logging in using unsecured networks while traveling, and prohibit conducting business on public computers at hotels, Internet cafes, and wireless hot spots--or on any computer that has questionable security protection.

Appoint a security overseer. A security "point person" within your firm can serve as the central point of contact for managing issues regarding data security, and ensuring that policies are enforced. This person should be responsible for tasks such as allocating access to your network and to the protected Web sites of your various custodians and broker/dealers, managing and updating passwords, and ensuring that log-in credentials are deleted when an employee leaves. The point person doesn't need to be tech-savvy, but does need to be a highly trusted and well-organized employee or partner.

Revisit your security measures regularly. Online data thieves' techniques are still evolving rapidly--which means that you can't simply set and forget your firm's security software program or policy. All security-related technologies and business practices must be revisited and reviewed on a systematic basis to ensure that nothing is falling through the cracks. In that way, security is no different from any other business process at your firm.

Cultivate your common sense. As members of the Internet community, we all have a thing or two to learn about vigilance, and our online posture must evolve along with the threats (see "Don't Do It" sidebar).

There's no question that keeping up with the evolving online threat is difficult. You have to take greater responsibility for how your firm leverages the Internet, and you have to make an effort to learn how to operate in such a way that the criminals' tricks will usually fail against you.

In case this seems too hard, be reassured: the lock on your front door doesn't compare to the guns, guards, and gates protecting Fort Knox. But the basic steps you take to protect your home and your family are almost always good enough for the bad guys to look elsewhere for victims.

Most important, do the best you can and seek opportunities to keep informed. By implementing best practices and technologies that continually improve your level of protection, you'll be able to help minimize risk and protect the business you've worked so hard to build.


Will Irace is security solutions architect for IBM Internet Security Systems. Mukesh Mehta is senior VP of technology for Schwab Institutional. He can be reached at mukesh.mehta@schwab.com.