The odds of a person eventually suffering a cyberattack are “pretty much 100% at this point,” according to Bill Slattery, a former FBI special agent in the cyber division who now investigates cybercrime for Facebook.
Slattery spoke on an information security panel at the eMoney Advisor Summit Thursday, along with Michael Rappe of TD Ameritrade’s Fraud Group and Bill French from the Fidelity Customer Protection and Financial Intelligence Group.
Among the biggest cyber risks financial firms face are email communications with clients that aren’t actually from clients, Rappe said. “The days of [making] financial transfers out of client accounts by email just need to end,” he said.
Fraudulent requests used to be easy to spot, but hackers have learned how to do “like title” requests, or ask for ACH transfers instead of wires, Rappe warned.
Attackers are going after email for good reason, French said: those accounts have “a tremendous amount of information” regarding finances, as well as personal information like electronic documents and communications with friends and family that allow hackers to create social engineering hacks.
Even a birthday greeting can be useful to a hacker, Slattery added, because that information is frequently used to verify accounts.
“People often don’t realize there are lots and lots of little pieces of information about each and every one of us out there on the Internet that can be put together like a puzzle that can be used to exploit you,” he said. “Simple things that look harmless by themselves, when put together en masse can be very harmful.”
“Should we just stop using email?” Jason Novak, eMoney’s chief security officer and moderator of the panel, asked.
“There are definitely other technologies out there that offer more security,” French said, but that doesn’t mean people will use them. An encrypted client portal is probably safer, but if there are too many barriers to access, clients won’t use it.
An attractive enough target—like a HNW client—will keep hackers’ attention until they get what they want, Slattery said.
Rappe said TD is turning the same social engineering techniques back on its own employees, building behavioral analyses that flag deviations from normal activity as potential attacks. He recommended using very granular access controls to give employees access to only the information they need to do their jobs.
He urged firms to develop an incident response plan and to test it at least annually, but ideally semi-annually. It should include guidance on individuals’ roles and responsibilities; a log book of actions taken; a step-by-step action guide based on what kind of attack it is; and a communication plan to implement with clients.
Slattery added that firms should identify outside providers who need to be contacted in the event of an attack and the role they’ll play. Law enforcement, for example, might investigate and arrest a hacker, but they won’t be involved in the firm’s response.
“Make sure you identify professionals at all levels that might be able to help you get through that really tough time,” he said.
Rappe stressed employee education needs to be consistent and regular.
Third- and even fourth-party vendor management is important because, as Rappe said, the result of a hack is the same regardless of where it happens: loss of reputation and financial risk.
“It’s onerous, and vendors may not like it. They may kick and scream a little, but it has to be done.”
Slattery said anyone who has access to your data needs to have access controls. “If they’re susceptible, you, as a consumer of their services, can’t really help that.”
Every communication method has its vulnerabilities, he said. Novak added that even faxes and overnight mail can be intercepted.
Firms should look at their “depth of defense” to see where the vulnerabilities are, Novak said. For example, encrypted data sent by email should never have the password included in the email.
Rappe said ethics training for employees isn’t nearly as important as instilling a culture of integrity and “ethics as rewarding.”