The great paradox of cybercrime is that financial firms’ biggest vulnerability isn’t their technology, it’s the people who use it.
“It’s low-tech. It’s human error; people sending PII or SII. Folks are not breaking into the 256-bit encryption. They’re counting on human beings to not be aware [of risks] and to make mistakes,” according to Tom Embrogno, chief information security officer at Docupace.
That means simple steps can be very effective against cyberattacks. Encrypting the devices employees use, and encouraging clients to do the same, is advisors’ first step to secure their firm.
“Encryption works. It’s why people do the low-tech hacking, because no one’s figured out how to break into the Bank of Americas and the rest of them,” Embrogno told ThinkAdvisor on Tuesday.
Advisors should also take inventory of the devices in their office, as well as the networks they’re connected to.
“Technology providers want to meet you where you live. They want to work on your mobile device because that’s where you’re at,” Embrogno said, but a bring-your-own-device policy can expose firms to unnecessary risk. A hardware inventory should show all the devices used by employees, encryption status, and patches and updates that have been installed. Regulators are “going to want to see what is the point of entry,” he said.
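One way to turn that inventory into something a firm can act on, as an added example (not Docupace's or Embrogno's own tooling): a small audit over a constructed device list that flags the three conditions the paragraph names, with every device, owner and date below invented for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    """One row of a hardware inventory (constructed fields, hypothetical schema)."""
    name: str
    owner: str
    byod: bool            # personal device under a bring-your-own-device policy
    disk_encrypted: bool  # full-disk encryption confirmed on
    os_version: str
    last_patched: date    # date the last OS/security updates were applied


# Constructed sample inventory; none of these devices or people are from the article.
INVENTORY = [
    Device("laptop-01", "alice", False, True, "Windows 10 1607", date(2016, 11, 1)),
    Device("laptop-02", "bob", False, False, "macOS 10.12", date(2016, 10, 20)),
    Device("phone-bob", "bob", True, True, "iOS 10.1", date(2016, 6, 1)),
    Device("tablet-carol", "carol", True, False, "Android 6.0", date(2016, 3, 15)),
]

# Assumed review date and patch window (policy values chosen for the example).
AS_OF = date(2016, 11, 15)
MAX_PATCH_AGE_DAYS = 30


def audit_inventory(devices, as_of=AS_OF, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Return (device name, finding code, detail) for every device that fails a check.

    Checks, in order: disk encryption present, patches applied within the window,
    and the higher-risk combination of a personal (BYOD) device with no encryption.
    """
    findings = []
    for d in devices:
        if not d.disk_encrypted:
            findings.append((d.name, "UNENCRYPTED", f"{d.os_version} with no disk encryption"))
        age_days = (as_of - d.last_patched).days
        if age_days > max_patch_age_days:
            findings.append((d.name, "STALE_PATCHES", f"last patched {age_days} days ago"))
        if d.byod and not d.disk_encrypted:
            findings.append((d.name, "BYOD_UNENCRYPTED",
                             f"personal device of {d.owner} holding firm data unencrypted"))
    return findings


def compliant_devices(devices, as_of=AS_OF, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Names of devices with no findings, i.e. what a regulator could be shown as in order."""
    flagged = {name for name, _, _ in audit_inventory(devices, as_of, max_patch_age_days)}
    return [d.name for d in devices if d.name not in flagged]


def print_report(devices, as_of=AS_OF):
    """Human-readable summary for the designated security point of contact."""
    findings = audit_inventory(devices, as_of)
    print(f"Inventory review as of {as_of}: {len(devices)} devices, {len(findings)} findings")
    for name, code, detail in findings:
        print(f"  {name:14} {code:18} {detail}")
    print("Compliant:", ", ".join(compliant_devices(devices, as_of)) or "none")


if __name__ == "__main__":
    print_report(INVENTORY)
```

The finding codes are deliberately coarse: the point of the inventory is to know which devices touch client data and whether each is encrypted and current, so the report is built to be handed to a reviewer rather than to enforce anything automatically.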
Encrypting Wi-Fi networks, adding a firewall and implementing a strong password policy are other simple steps firms can take to protect their data. Most passwords are “far too simple,” Embrogno said. “It’s not just eight characters. You should go to 10, 15; use some type of a pass phrase.”
Backing up data regularly is another important part of a cybersecurity plan. A September public service announcement from the FBI stated that “in the first several months of 2016, global ransomware infections were at an all-time high.” A July report by Symantec found that crypto-ransomware, malware that encrypts a network’s files until a ransom is paid, is the most common type of ransomware. Symantec discovered 100 new ransomware variants in 2015, and cybersecurity provider Proofpoint found in its Q3 report that variants have multiplied almost 10 times since 2015.
Embrogno suggested storing backed-up data offsite to “make it geographically difficult” for hackers to access.
Even if firms don’t have the budget to hire a full-time cybersecurity officer, someone should be designated as a point of contact to handle these issues or communicate with third parties. A third party can do penetration testing and vulnerability mapping to identify firms’ weak points and show them how to remediate those issues.
For example, “one common thing is you might bring your kid to work with you one day,” Embrogno said. “You’re letting your kid play on the computer and he’s playing one of those games that to play the game, he has to open up a port on your router. If you have a third party that’s occasionally testing, they can say, ‘Here’s a port that’s open.’”
Phishing testing is another popular service, Embrogno said, where a third party or someone within the firm sends emails to trick employees into clicking suspicious links. “When the employee clicks in the fake email, guess what that kicks off? Training.”
Embrogno estimates phishing probably accounts for about half of hacking attempts. “They wouldn’t keep doing these ad nauseam if they weren’t getting results,” he said.
Network monitoring services are another tool, especially for smaller firms as they’re “not too expensive nowadays. It’s almost getting commoditized.” These services will look for outdated patches and software on a firm’s network. “Most malware viruses take advantage of patches to infect a system,” Embrogno said.
“The bad guys invent stuff every day,” he noted. “They’re what we call an ‘advanced and persistent threat,’ so you have to be persistent in your protection.”
Don’t Forget About Paper
Another low-tech security measure to have in place is a disposal policy for paper documents and hard drives with sensitive information stored on them.
“If you get rid of a copy machine, are you getting that hard drive electronically shredded?” Embrogno said. “You can have 200,000 or 300,000 private client files on the hard drive of that copy machine.”
It’s not too big of an investment for would-be identity thieves to spend a few hundred dollars on a copy machine if they can make millions of dollars off the information they find on it, Embrogno said.
There isn’t currently a regulatory standard for integrating different technologies, but “both the SEC and FINRA cybersecurity frameworks are based on common standards,” like the National Institute of Standards and Technology and the SANS 20 guidelines developed by the SANS Institute, that many firms already have in their DNA, Embrogno said. “The good news is that the standards that are out there are good for people, it’s good for protecting folks and it’s reasonable.”
Embrogno expects firms will move toward digitizing their document management not just for efficiency but because regulators will demand it.
“You can’t be secure in a paper world,” Embrogno said. Auditors “can hold electronic documents to a much higher standard than you can paper. Paper sitting in a filing cabinet that has had 20 people look at it, [but] I don’t know which 20 people looked at it. With an electronic document, I have an audit log. I know who looked at it and what they did to it.”
As a vendor to financial services providers, Embrogno said Docupace has had regulators reach out to them directly to confirm financial professionals’ cybersecurity processes.
“We’re seeing the regulators go right through the broker-dealers and talking to their vendors,” Embrogno said.
Anytime a financial firm puts data on another provider’s system, regulators are looking for proof that the firm vetted the provider to make sure its cybersecurity standards are strong enough, Embrogno said.
“Financial services has the most stringent set of masters it serves because of all the different types of information that are stored in these systems.”