As Americans have moved online over the last decade, many people have experienced some kind of online criminal activity. Online criminals are now highly organized, specialized, professional, and very well financed. Many operate beyond the reach of the law in countries around the world. If your data and systems are connected to the Internet, you are exposed to break-in attempts and online fraud. The good news is that there are steps you can take that will greatly improve your chances of thwarting online attacks.
Chances are you already know that online security is a crucial component of your business, and you’ve no doubt installed recommended security solutions–firewalls, antivirus software, and the like–to keep your systems secure. But this is a good time to revisit your security strategy to make sure that you are keeping pace with the latest online threats and the potential for data breaches. It is within the grasp of your firm to take steps to protect your most private and sensitive company and client information.
With that in mind, here’s a look at why online security has become a mission-critical issue for advisors–and how you can combat the still-evolving threat.
Staying Out of the Drift Net
When independent investment advisory firms were a cottage industry, you were off the radar screens of online criminals, who focused their efforts on targets that promised either prestige or significant financial gain. The overall opinion of advisors was the all-too-common view that “it won’t happen to me.” Today, the criminals have cast a drift net that aims to compromise the computers of grandmothers, students, and investment advisors alike. From compromised computers (known as “botnets”), they harvest stolen passwords, identity information, and even the computers’ processing power itself. They take these ill-gotten valuables and trade them in a surprisingly organized and complex criminal marketplace comprising spammers, identity thieves, and a host of other unsavory–but talented–characters. The glory-driven lone hacker of yesterday has morphed into a coordinated syndicate encompassing creative and innovative individuals who are driven simply by the ability to make money–and lots of it. There is a profit motive to cyber crime that hasn’t existed in the past.
The Storm Is Already Here
The profit motive means that today’s cyber thieves operate in fundamentally different–and more dangerous–ways than did yesterday’s hackers. Whereas an old-school hacker might have been content to penetrate a large company’s information infrastructure–and gain some underground notoriety in the process–cyber criminals’ goal now is to go completely undetected once they gain access to a system. Stealth is now an essential part of their strategy, making detection simultaneously more difficult and more critical.
Consider the Storm botnet, perhaps the most well known example of the evolved threat you and your clients face. Storm is a family of malicious software programs–known as malware–which has infected millions of computers since emerging in January 2007. Storm usually propagates via e-mails that encourage victims to click on a link to (for example) an e-greeting card or to a Web site that promises to display the latest sports scores and schedules. Once you click, the information you expect will appear: you’ll actually see the card or the football scores. But you’ll also deliver your computer into the hands of the Storm operators in the process, with no obvious sign that you’ve done so.
The result is that your computer–completely unbeknownst to you or anyone at your firm–is now under the control of someone else, who can access all of the data on your computer (clients’ Social Security numbers, confidential and “protected” password information, and addresses, not to mention your every single keyboard press and mouse click) and access any information that your computer has the right to access (even protected resources such as intranets, extranets, and virtual private networks).
We know that attacks by technologies such as Storm have resulted in numerous “pump and dump” schemes, in which thieves use hijacked clients’ computers to send vast amounts of spam exhorting recipients to buy specific thinly traded stocks, bidding up the prices. The fraudsters later sell shares of these stocks that they already owned, producing tidy profits.
Keep in mind that the cost of just one such occurrence for your firm and the associated loss of reputation for your business would likely exceed what a criminal could reasonably expect to steal in a pump and dump campaign.
In addition to the cost of meeting your notification obligations and damage to your reputation, you would incur significant financial and productivity-related costs trying to fix the problem and ensure it never reoccurs (see sidebar, “Malicious Software That Won’t Go Away”).
How to Protect Yourself and Your Firm
Clearly the threat is real and growing. Now for the good news: There are ways that you can greatly increase your chances of evading an online attack.