We had just started the new year when news hit of the Spectre and Meltdown vulnerabilities, which impact almost all computers manufactured during the last 20 years. Given the magnitude of this security fracture, and the frequency of newly identified cybersecurity issues, this requires another “gut check” evaluation of how your firm prepares for and responds to cybersecurity threats.
Regardless of your firm’s size, however you measure it, it can be overwhelming and confusing to stay informed about the latest cybersecurity vulnerabilities. You should know if your operating system, virus software and other programs are up to date with the latest security patches.
However, several of the early patches for Spectre and Meltdown didn’t work as expected — and some were even retracted after they were released — so now it requires even more work to determine whether you have the latest patches installed.
Bottom line: You need to know how you are handling the patch process in response to the Spectre and Meltdown threats. Are you really staying on top of it? If you aren’t sure of the answer, it’s probably “no.” Somebody, whether it is an in-house staff member, an outside IT firm or a combination of both, needs to have this responsibility as part of their regular to-do list.
The days of having a part-time tech-savvy friend “occasionally” work on your IT systems are long gone.
Your systems could be more vulnerable to an attack while you wait for them to stop-by your office to install the latest security updates. Instead, advisors should consider working with experienced IT services companies to help with this important task. Many of these firms offer a variety of support solutions depending on the specific needs of your firm.
Perhaps the most challenging aspect of all these new cybersecurity vulnerabilities is that it generally requires everyone to take action to address the issue. Your firm could be very diligent in doing everything possible to protect your systems, but often that is not enough.
Cybersecurity attacks could start via one of your business partners, or a technology provider, or other contacts, and of course it could begin with your clients as well. Given this situation, it is imperative that you think of everyone involved in the “information transmission food chain,” especially with every request that involves moving client funds.
As most advisors have experienced, for years fraudsters have focused on impersonating your client to try to convince your firm to send money to an account not related to the client, essentially stealing the client’s money. Now, verbal confirmation with the client is the standard protocol before sending any money on their behalf.
However, fraud artists understand that there could be other parties involved in the money transfer process that they can potentially exploit. For example, your client may be in the process of purchasing a home and may receive an email from their real estate agent with the wire instructions for the escrow company.
What you and the client may not know, however, is that the real estate agent’s email box could be hacked and therefore that could be the starting point for the fraudster’s attack. Your client may then give wrong directions to your firm, and even sign documents with the bad wire details and dollar amount.
Of course, the client will verbally confirm this wire request, but the more important step is to verbally confirm the exact wire instructions and account numbers with the escrow company, too. The lesson here is to make sure that your firm is constantly evaluating the full lifecycle of every money transfer request, especially paying close attention to how the instructions are protected from being tampered.
A result of the overall volume of compromised-cybersecurity headlines is that we become used to this “news,” and maybe even become exhausted in keeping up and trying to maintain a strong defense. This is what the fraudsters hope for, so don’t allow your firm to become an easy target.