“I have my own sins to confess,” Blane Warrene solemnly intoned. “I used the same password on multiple sites until I was compromised.”
As with long-term care insurance and straight-through processing capabilities, people too often don’t recognize the need for strict cybersecurity measures until they’re personally affected. Lip service is routinely paid, but it too often takes a catastrophic situation to get someone’s attention.
Warrene, a technology and cybersecurity expert and co-founder of consulting firm QuonWarrene, did his best to scare attendees of the TechLeaders Conference in Dallas on Tuesday into proactive measures to secure themselves, their businesses and—perhaps most importantly—their clients.
His presentation, titled “Science or Art? Cybersecurity and Financial Services,” touched on certain risks and their appropriate responses in three key areas: behavior, procedures and auditing.
Calling the attempt to change dangerous cybersecurity behavior the “Achilles heel of hardware and software,” Warrene noted major areas of concern:
- The aforementioned use of one password for multiple accounts
- Free Wi-Fi over unsecured networks
- Sharing devices on a network
- Being “too social” on social media
- Broadcasting data
“Simple things, like using a password manager, go a long way,” he explained. “Wi-Fi encryption, also known as a personal VPN, is also a basic step to take. Lastly, it is strongly recommended that you use two-factor authentication to secure online accounts.”
For those not in the know, a password manager stores a user’s credentials in an encrypted vault unlocked by a single master password and fills them in automatically when the user returns to a site. It can also generate a long, random password, often something that looks like Egyptian hieroglyphics, that is unique to each site, so that a breach at one site does not hand attackers the password to every other account, which is exactly the failure Warrene confessed to.
Wi-Fi encryption is just what it sounds like: on a network you control, WPA2 or WPA3 encrypts traffic between the device and the access point and keeps unauthorized “leeches” from making use of the network. On a free hotspot you do not control, the equivalent protection is a personal VPN, which encrypts everything between the device and the VPN provider so that neither the hotspot operator nor anyone else on that network can read or tamper with the traffic.
Two-factor authentication requires the user to present two credentials from different categories: typically something they know, like a password, and something they have, like a keycard, a hardware token or a one-time code from an authenticator app on their phone. A stolen or reused password alone is then not enough to log in.
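The “something you have” factor most firms actually deploy is a time-based one-time code (TOTP, RFC 6238) from an authenticator app. The following is an added example, not code from the article or from Warrene, showing all three halves of that factor in standard-library Python: enrollment of a shared secret, what the phone computes, and what the server must check. The function names are my own; the only real data is the RFC 4226/6238 reference test secret, used so the codes can be checked against the published test vectors.

```python
"""TOTP second factor: enrollment, code generation and server-side verification."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4226/6238 reference test secret (ASCII "12345678901234567890").
# Used only so the codes can be compared with the RFC test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def provision_secret(nbytes: int = 20):
    """Enrollment: generate a random shared secret and the base32 string the
    user scans or types into their authenticator app. Returns (raw, base32)."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii")


def secret_from_b32(text: str) -> bytes:
    """Decode the base32 form; tolerates spaces, lower case and missing padding."""
    text = text.strip().replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """What the authenticator app displays: HOTP over the current 30-second step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                step: int = 30, window: int = 1, digits: int = 6):
    """Server side. Returns the accepted time-step counter, or None.
    - accepts one step of clock skew either side of now (window=1)
    - compares in constant time so a wrong guess leaks nothing via timing
    - refuses any counter <= last_counter, so a code captured on an open
      hotspot cannot be replayed once the legitimate login has consumed it"""
    if len(code) != digits or not code.isdigit():
        return None
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    raw, b32 = provision_secret()
    now = int(time.time())
    code = totp(raw, now)
    print(f"enrolled secret {b32}, current code {code}")
    accepted = verify_totp(raw, code, now)
    print("first login accepted at counter", accepted)
    # Storing the accepted counter per user is what makes the replay check work.
    print("replay of the same code rejected:", verify_totp(raw, code, now, last_counter=accepted))
```

Two details matter in practice and are easy to get wrong: the comparison must be constant-time, and the server must remember the last counter it accepted for each user, otherwise a code observed over the shoulder or on an unencrypted hotspot remains valid for the whole 90-second window.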
While many of these steps might seem simple and obvious, Warrene said that formal adoption of them as enterprise procedure is not as widespread as one might think.
“The broker-dealer industry has to start to have more transparency around security issues,” he argued. “It’s a hard conversation to have because firms might not be doing all they should and don’t want to reveal that fact, but vendors, especially, need to start thinking about how they certify that each other are secure, properly integrated and protect against leaks.”
No matter how secure, sophisticated or far along someone is in their career, Warrene noted that today it still “boils down to being at a Starbucks trying to get some work done.”
We’re our own worst enemies, he added: human nature dictates that we take the path of least resistance and do things as simply as possible, including how we log on to a computer. For this reason, broker-dealers must be constantly on guard.
“What’s really important for the BD industry specifically is testing,” he concluded. “Auditing of the security measures should be consistent but not predictable. Think of it like the military, where they practice the same drills for weeks and then change it up to see how they’ll respond in the wild. That should happen with BDs; they should be absolutely sick of testing because they do it so much.”