If it looks like cybersecurity experts are making things up as they go, that’s at least partly true, Theresa Payton said in her session at TD Ameritrade’s National LINC 2016 conference.
“We do know what we’re doing, but attacks are changing daily. The hackers are changing and the technology [being introduced] at work and at home is changing,” the former White House chief information officer and founder and CEO of Fortalice said during a keynote on Wednesday, and security strategies are forced to be nimble to keep up.
In fact, a new deviant of malware is discovered every 90 seconds, she noted. “Bad guys have tools. They know you’re using antivirus and anti-malware software, so they change one or two lines of code” to get around the software.
Protecting their firms from hackers is not a spending problem for advisors, Payton said, it’s a thinking problem. “Security doesn’t always require opening a checkbook.” but it does require advisors to think differently and creatively about where they are vulnerable, she said.
One huge vulnerability is the clients themselves because cybersecurity protections aren’t “designed for the human psyche.” She said 95% of breaches over the past two years have been a result of human error, and of those, 78% were because the user was tricked.
Emails from Nigerian princes promising untold riches are easy to spot as a scam, but advisors have to be aware of the ways hackers use social engineering to breach their firm’s cybersecurity. Hackers can mine employees’ or clients’ social media accounts for geotags, names of loved ones and their interests to the extent that they can “trick a coworker or loved one into thinking [they’re] in the trusted circle.”
“You have to be on social media — your clients are on social media, you have to have a presence — but what you want to think about is, ‘is there a way for someone to socially engineer our company, get in the door” and trick us into giving up valuable assets, Payton said.
She urged advisors to identify their top two most valuable assets:
“If a breach is inevitable,” she suggested — and it is — and you can’t protect everything, what’s most important? “That’s one of the challenges I see at companies. They want to protect everything, but that Dilbert joke in an an email and merger and acquisition information in an email, do they deserve the same level of protection?” She predicted reports of ransomware will increase in the year ahead. In 2014, she said, her clients would call once or twice a quarter to report important parts of the business had been locked up by hackers demanding money. In 2015, those calls increased to three or four times a month.
In cases where the firm didn’t have backups of the affected files, sometimes the decision was made to pay the ransom. “I don’t like the bad guys to win,” she said, but at that point, “it’s a business continuity issue.”
Payton referred to a study by Bloomberg of banks, utilities and phone carriers about their cybersecurity spending and found they felt they would need to spend an average nine times more than they currently were to adequately protect themselves.
“We can’t spend our way out of this,” she said, but thinking differently about what needs to be protected and “creating a design for the human psyche is going to help.”
Payton suggested firms run cyber-disaster drills once a quarter to address issues like ransomware and social engineering, and to include members of the firm’s client-facing team, whether they’re in marketing, PR or customer service.
“Who do you pay them to focus on? The customer. When a breach happens, who do you want to make sure doesn’t leave you? The customer.”
— Read Don’t Pay the Hacker’s Ransom on ThinkAdvisor.