When the SWIFT global banking network was hit earlier this year, it was yet another wake-up call for businesses to bring their systems up to secure standards. The attackers found the weak link not in SWIFT itself but at a member institution: they compromised Bangladesh Bank's own SWIFT-connected systems and implanted malware built to act once the right conditions arose. They did, and the thieves got away with $81 million.
Experts estimate that at least $450 billion globally will be lost to cybercrime this year alone. Monetary losses are bad enough, but cyberthieves are also hunting personal information such as Social Security numbers, passwords, intellectual property and identities, and, ultimately, footholds for further attacks. RIAs, which hold client identities and account information, are especially vulnerable as target-rich environments.
Mike Brice calls cybercrime the “hidden epidemic.” Although warnings to fortify cybersecurity systems are getting shriller, some companies still haven’t seen the benefit. Brice’s consulting firm, BW Cyber Services, understands the issues that cause companies to flinch when told the cost of protection. Yet in a business built on protecting assets and managing risk, financial advisory firms should see the light right away, he said.
The two main perpetrators of cyberattacks on financial managers, especially those with under $2 billion in AUM, are organized crime and “script kiddies.” The latter are people breaking into systems with publicly available code for bragging rights. The main threat is organized crime, which has built a multibillion-dollar business on malware, ransomware and social engineering.
Simply put, ransomware infects a company network, encrypts its data and locks the company out until a ransom is paid, typically in bitcoin. Beyond the obvious regulatory and reputational damage, two further dangers stand out: ransomware can remain in the system even after action has been taken to mitigate it, and managers often don’t report the breach. The Securities and Exchange Commission is less patient with the latter, Brice said, and has now fined firms, including even large companies, for not admitting a breach.
(See Dan Skiles’ tips on what to do before paying a ransom to hackers.)
Social engineering uses social media against users to spoof targets, Brice said. A 2016 Symantec study found that small businesses of under 250 employees are now the most likely targets of these attacks, especially spear phishing: the share of spear-phishing attacks aimed at them rose to 43% in 2015 from 18% in 2011.
Brice told of a firm that hired a new CFO who announced his new position on LinkedIn, which was flagged by organized crime. The criminals got the CEO’s email address from Facebook and, late on a Friday afternoon, sent the new CFO a note from the “CEO” saying funds needed to be transferred immediately. The CFO, “eager to please and not yet familiar with all the controls,” wired the money and told the CEO on Monday morning that he had taken care of the transfer. When the firm called the FBI to report the attack, the agency said that for a loss of less than $1 million it didn’t have the resources to follow up. “It just shows how prevalent and successful organized crime is in leveraging various cyber techniques,” Brice said.
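The Friday-afternoon “CEO” note in the story above has recognizable traits that a mail gateway can check before a new CFO ever sees it. The following is an added example, not code from the article or from BW Cyber Services: it inspects an inbound message for display-name impersonation of a known executive, a look-alike sender domain, a Reply-To that diverts replies to the attacker, and urgent payment language. The firm domain, the executive roster and both sample messages are constructed for illustration.

```python
"""Detect executive-impersonation ("CEO fraud") emails.

Added example; it is not code from the article or from BW Cyber Services.
The firm domain, the executive roster and both sample messages below are
constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

FIRM_DOMAIN = "example-ria.com"  # assumption: the firm's real mail domain
# assumption: display names of executives likely to be impersonated -> their real address
EXECUTIVES = {"jane doe": "jane.doe@example-ria.com"}

URGENCY_TERMS = ("immediately", "urgent", "asap", "before close", "confidential")
PAYMENT_TERMS = ("wire", "transfer", "payment", "invoice", "funds")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (example-ria.co vs example-ria.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain: str, legit: str) -> bool:
    """True for a domain that is not the firm's but is within two edits of it."""
    return domain != legit and edit_distance(domain, legit) <= 2


def analyze_message(raw: str) -> list[str]:
    """Return the red flags found in one RFC 5322 message; an empty list means none."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. The display name is an executive's, but the address is not that executive's.
    real = EXECUTIVES.get(display.strip().lower())
    if real and addr != real:
        flags.append(f"display-name impersonation: '{display}' <{addr}> is not {real}")

    # 2. The sender domain is a near-copy of the firm's domain.
    if from_domain and looks_alike(from_domain, FIRM_DOMAIN):
        flags.append(f"look-alike sender domain: {from_domain}")

    # 3. Reply-To differs from From, so the CFO's reply goes to the attacker, not the CEO.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        flags.append(f"reply-to mismatch: {reply_to}")

    # 4. Urgent language combined with a request to move money.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in PAYMENT_TERMS):
        flags.append("urgent payment request")

    return flags


# Constructed sample messages: the Friday-afternoon "CEO" note and a routine internal mail.
SPOOFED = """\
From: Jane Doe <jane.doe@example-ria.co>
Reply-To: jd.ceo@mail-example.net
To: new.cfo@example-ria.com
Subject: Wire needed before close

I'm stuck in meetings. Please wire the funds immediately; details below.
Keep this confidential until Monday.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-ria.com>
To: new.cfo@example-ria.com
Subject: Q3 budget

Let's go over the numbers next week.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyze_message(raw) or ["clean"])
```

Run stand-alone, the spoofed message trips all four checks and the routine mail trips none. None of the checks is proof of fraud on its own; the point is that any one of them on a message asking to move money should route it to a person who calls the executive back on a known number rather than replying to the email.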
RIAs Are on Hackers’ Radar
He and other cyber experts say a major problem with financial firms, especially RIAs, is that they believe they are below the radar. “Not only is that a dangerous assumption, but it is more a reputational threat than a regulatory one,” Brice said. Nor does a strong custodian protect against every breach: personal information obtained at the advisor level can be used to defeat strong controls upstream.
Human beings are the weakest link in most organizations, said Carlos Collazo of DuKlaw Ventures, a global cyber risk firm. “We’re our own worst enemy,” he said, and the problems aren’t always due to employees but to senior managers who “are listening to the warnings but not doing much about it. It’s the path of least resistance.” A 2015 IBM study found that 60% of all cyberattacks involved insiders: 44.5% were malicious insiders and 15.5% inadvertent actors.
He added that email phishing is just the “tip of the iceberg,” and named additional risks: non-malicious mistakes by the employees who manage the database, back up the network, patch the operating system and maintain the firewalls, and third-party vendors that companies assume have been vetted but may not be up to speed.
Collazo’s firm builds some of the largest trading platforms for world banks, and it has seen companies that don’t go far enough to protect themselves. In one case, a firm was receiving high-speed data feeds from outside vendors, and one of those vendors inadvertently delivered malware along with the data. “They assumed legacy connections with credible, well-established trading partners were safe, and didn’t realize the interconnected data and technology could hurt them from vendors outside,” he said.
Once a breach has been detected, firms need to contain it immediately, then wipe the affected systems and restore from backups taken before the compromise. Brice of BW Cyber Services said recovery can be that simple, or it can require the additional step of a compromise assessment to detect and correct weaknesses, with continued follow-up in the case of ransomware that may still reside on the system.
--- Read Cybercrime 2016: The New Frontier on the ThinkAdvisor TechCenter.