The great paradox of cybercrime is that financial firms’ biggest vulnerability isn’t their technology; it’s the people who use it.
“It’s low-tech. It’s human error; people sending PII or SII. Folks are not breaking into the 256-bit encryption. They’re counting on human beings to not be aware [of risks] and to make mistakes,” according to Tom Embrogno, chief information security officer at Docupace.
That means simple steps can be very effective against cyberattacks. Encrypting the devices employees use, and encouraging clients to do the same, is advisors’ first step to secure their firm.
“Encryption works. It’s why people do the low-tech hacking, because no one’s figured out how to break into the Bank of Americas and the rest of them,” Embrogno told ThinkAdvisor on Tuesday.
Advisors should also take inventory of the devices in their office, as well as the networks they’re connected to.
“Technology providers want to meet you where you live. They want to work on your mobile device because that’s where you’re at,” Embrogno said, but a bring-your-own-device policy can expose firms to unnecessary risk. A hardware inventory should show all the devices used by employees, encryption status, and patches and updates that have been installed. Regulators are “going to want to see what is the point of entry,” he said.
Encrypting Wi-Fi networks, adding a firewall and implementing a strong password policy are other simple steps firms can take to protect their data. Most passwords are “far too simple,” Embrogno said. “It’s not just eight characters. You should go to 10, 15; use some type of a pass phrase.”
Backing up data regularly is another important part of a cybersecurity plan. A September public service announcement from the FBI stated that “in the first several months of 2016, global ransomware infections were at an all-time high.” A July report by Symantec found that crypto-ransomware, malware that encrypts a network’s files until a ransom is paid, is the most common type of ransomware. Symantec discovered 100 new ransomware variants in 2015, and cybersecurity provider Proofpoint found in its Q3 report that variants have multiplied almost 10 times since 2015.
Embrogno suggested storing backed-up data offsite to “make it geographically difficult” for hackers to access.
Even if firms don’t have the budget to hire a full-time cybersecurity officer, someone should be designated as a point of contact to handle these issues or communicate with third parties. A third party can do penetration testing and vulnerability mapping to identify firms’ weak points and show them how to remediate those issues.
For example, “one common thing is you might bring your kid to work with you one day,” Embrogno said. “You’re letting your kid play on the computer and he’s playing one of those games that to play the game, he has to open up a port on your router. If you have a third party that’s occasionally testing, they can say, ‘Here’s a port that’s open.’”
Phishing testing is another popular service, Embrogno said, where a third party or someone within the firm sends emails to trick employees into clicking suspicious links. “When the employee clicks in the fake email, guess what that kicks off? Training.”
Embrogno estimates phishing probably accounts for about half of hacking attempts. “They wouldn’t keep doing these ad nauseam if they weren’t getting results,” he said.