Protecting against cyberattacks requires both high-tech and low-tech efforts by financial firms, according to presentations at the 2018 FINRA Cybersecurity conference in New York on Thursday.
First, advisory firms need to answer four key questions, according to retired FBI agent Jeff Lanza, who was the keynote speaker:
- Where are your assets?
- What at your firm is subject to attack?
- Can you detect an attack in real time?
- Is cybersecurity a focus for your firm at the board level?
“If you can’t answer all four questions you’re not doing enough to fight hackers,” said Lanza, a former computer systems analyst before he was recruited by the FBI.
He described the key types of attacks against financial firms — bank account takeovers through malware, CEO fraud involving unauthorized wire transfers, and ransomware, which has become epidemic — and offered tips to thwart such attacks.
Takeovers Through Malware
Before opening any email that doesn’t look familiar, check the name of the sender and hover over the sender’s email address to reveal the actual address and its domain suffix, said Lanza, noting that an address ending in .ir indicates Iran and one ending in .ua indicates Ukraine.
Closely read any links within an email. A link may look familiar and legitimate: he showed one that looked almost exactly like the JPMorgan Chase site, with the same picture and other similarities, but its login page asked not only for user name and password but also for the reader’s email address, even though the link had arrived in an email sent to that very address.
Educate employees, require two-factor authentication to log into accounts as well as dual controls before money is transferred, and don’t opt out of the security protocols your bank offers, advised Lanza.
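The two checks Lanza describes, looking at the sender’s real address and its country suffix and comparing what a link shows against where it actually goes, can be automated for triage. The following is an added example, not code from the conference or from ThinkAdvisor; the From: header, the HTML body and the small suffix map are constructed for illustration.

```python
"""Flag a sender address with a notable country-code suffix and links whose
visible text names a different site than the real href.  Example code; the
header, HTML and suffix map below are constructed, not taken from the article."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

CCTLD_COUNTRY = {"ir": "Iran", "ua": "Ukraine"}  # the two suffixes named in the talk
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

# Constructed sample message: display name says JPMorgan Chase, address ends in .ir,
# and the first link shows a chase.com URL while pointing somewhere else.
FROM_HEADER = "JPMorgan Chase Alerts <alerts@secure-chase.example.ir>"
HTML_BODY = """<p>Please verify your account:</p>
<a href="http://chase.com.verify-login.example.net/">https://www.chase.com/login</a>
<a href="https://www.chase.com/help">Contact us</a>"""

def sender_suffix(from_header):
    """Return (display_name, address, suffix) parsed from a From: header."""
    name, addr = parseaddr(from_header)
    suffix = addr.rsplit(".", 1)[-1].lower() if "@" in addr else ""
    return name, addr, suffix

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def site_of(text):
    """Last two labels of the host named in a URL or bare domain ('' if none).
    Assumption: two labels approximate the registrable domain (ignores co.uk etc.)."""
    text = text.lower()
    host = (urlparse(text).hostname or "") if "://" in text else ""
    if not host:
        m = DOMAIN_RE.search(text)
        host = m.group(0) if m else ""
    return ".".join(host.split(".")[-2:]) if host else ""

def analyze_email(from_header, html_body):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    _, addr, suffix = sender_suffix(from_header)
    if suffix in CCTLD_COUNTRY:
        findings.append(f"sender {addr} ends in .{suffix} ({CCTLD_COUNTRY[suffix]})")
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        shown, real = site_of(text), site_of(href)
        if shown and real and shown != real:  # link text names one site, href another
            findings.append(f"link shows {shown} but goes to {real}")
    return findings
```

Running `analyze_email(FROM_HEADER, HTML_BODY)` on the constructed sample flags both the .ir sender and the mismatched first link, while the plain “Contact us” link is left alone.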
CEO Fraud & Unauthorized Wire Transfers
These cyberattacks have resulted in 7,000 victims in 79 U.S. cities in 50 states losing $2.3 billion since 2013, said Lanza. “Pick up the phone before any wire transfer,” said Lanza. He added that firms should not expect that losses will be covered by their business insurance. It usually doesn’t cover business fraud via email, said Lanza. “Read the fine print.”
Ransomware
“Don’t pay it,” said Lanza. Paying just encourages more bad behavior, isn’t always easy (the hackers can’t always be found quickly) and doesn’t necessarily mean you’ll get back access to your computer after the payment. He described one incident where the ransom was paid but the hacker returned 900 different keys to reopen access.
Create layers of security, including antivirus software; train employees to be skeptical of emails and careful where they click; and have backup of your data, said Lanza.
“You want backup that’s air gap protected,” said Lanza, meaning physically isolated from unprotected networks, because hackers often attack the backup system first. For Michael Lynton, former CEO of Sony Entertainment, which suffered a hack of confidential emails, that meant email kept on a hard drive locked away from his computer, said Lanza.
Importance of Training
Training was stressed by other morning panels at the FINRA conference — training for employees, contractors and vendors — along with background checks.
“Many cyberattacks are due to human error,” said Steven Polansky, senior director of FINRA’s Office of Regulatory Operations/Shared Services.
Hardeep Walia, founder and CEO of Motif, which creates baskets of stocks and ETFs based on investment themes, said the training of his firm’s employees starts when they are first onboarded; they are shown examples of phishing to keep them aware of cyber risks.