
Small Firms at Greater Risk From Cyberthreats

While cybercrime is a risk for firms of all sizes, small firms may find themselves particularly vulnerable, according to a white paper issued by First Clearing in May.

In “Getting Serious About Cyber Crime,” First Clearing noted that as transactions are increasingly conducted online, the incentives for criminals to exploit that trend also grow. “Our computers often contain the tools to access client accounts with the click of a mouse, and smaller financial firms make an attractive target for fraudsters hunting an easy mark,” according to the paper.

In January 2012, the FBI teamed with the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center to issue a guide on preventing fraudulent wire transfers. The guide noted that as of December 2011, the attempted fraudulent requests totaled approximately $23 million and actual losses were about $6 million.

Hackers are looking for a quick, easy payout, so it doesn’t matter how big your firm is—if you leave yourself vulnerable to attack, you could be a victim. However, smaller firms are inherently easier to attack, according to the paper.

Employees at financial firms have direct access to client data and assets, according to the paper, and many have tools to initiate transfers on their personal computers. Even if a hacker gains access to only one or two computers, that’s often enough.

Small firms also lack extensive physical security, which the paper noted can be taken as a “‘tell’ into the organization’s overall security discipline.”

Without the resources of larger firms, some smaller firms have less complicated technology security. Again, the physical size of a firm signals a potential target to a hacker, as the size of a network often correlates with its complexity, according to the paper.

Human vulnerabilities, which could endanger firms of any size, could be a problem at smaller firms if they don’t train employees on information security and how to recognize a threat.

Regardless of whether these vulnerabilities actually exist at a small firm, the paper noted that if hackers believe they do, they could attempt to breach the firm’s security.

Sometimes it’s not the money hackers are after, but personally identifiable information (PII), the sensitive client data you work so hard to protect (and that the SEC expects you to protect).

The paper referred to a calculator created by Information Shield, an information security firm, that measures the impact a security breach has on a firm. The calculator takes into account several factors, including the time it takes to determine an attack has occurred, to identify and notify affected clients, and the cost of managing the fallout when the attack becomes public. A breach affecting 500 clients could end up costing more than $4 million, according to the calculator.

In fact, that reputational cost may be unlimited, according to the paper. A separate report from Willis Group, a global risk advisor, insurance and reinsurance broker, released Monday found loss of reputation was the second biggest overall cyber risk among Fortune 500 firms (followed by loss of confidential information).

The white paper suggested that the best way for firms to protect themselves is not with a single technological tool, but with a series of barriers that incorporate technological tools and security policies and procedures. “Encountering the first obstacle, the attacker may dismount; at the next, they may shed some of their supplies. Each barrier slows the attack and increases your opportunities to detect them before they reach your perimeter,” according to the paper.

Contracting with a third party to assess where hackers could find opportunity to steal data or assets is another solution. A third-party risk assessment will show which parts of the business are vulnerable to attack. Firms should also review their security programs at least annually, including technological solutions and policies and procedures.

