The most significant finding of the research is “generally how passive people are about the subject,” says Lou Harvey, president and CEO of Dalbar, a Boston-based independent financial-services market research firm.
“The more we’ve examined, the bigger the shock it is as [cybercrime] keeps growing. Look at the number of incidents,” he explained in an interview. “Think about the last day you didn’t see a news item about cybertheft. I imagined everyone would be up in arms with [cybersecurity], but they were not, and that certainly caught my attention.”
The survey of broker-dealers, sponsored by ThinkAdvisor, Dalbar and 15 financial-service firms, aimed to identify the greatest deficiencies in cybersecurity authentication and to “create a roadmap to improving protection,” Harvey says.
The research revealed that 74% of firms have the same practices they’ve had for the past five years, and only a “paltry” 4% are planning to adopt new practices, Harvey says, adding that he did not anticipate these results.
“No one wants to make a big ado about the threat,” he explained. “When something goes wrong or issues arise [it’s] outside of the financial-services [industry], so it doesn’t grab the attention it should.”
“Unless it happens to a firm or an advisor, it happens in the outside world. There’s a huge difference with someone who has come face-to-face with cybertheft, as opposed to a vast majority who have not,” Harvey explained. “Those who have had accounts opened or money withdrawn are passionate about the issue, but that has not translated to a general concern.”
Most firms have run across the phishing of their accounts, but nothing in a big way, like 10,000 accounts being affected. “Until someone like Julian Assange gets out of playing with the government and starts playing with money,” firms likely will not move to make changes, Harvey says.
More Key Findings
The most widely used authentication practices within the industry are procedures for failed logins (66.1%), while the termination of sessions after a period of inactivity is used by 60.4%, according to the study.
In addition, 57.3% of firms have the ability to cancel, replace and communicate about a password if an account has been compromised.
The best-fortified businesses are retirement service providers, which take advantage of 30.1% of authentication practices, followed by investment providers (29.7%) and life & annuity providers (28.7%).
Key points of access by bad actors include websites (at 34.3%), followed by mobile devices (28.7%), interactive voice response (22.9%), phone centers (21.6%) and electric statements (24.7%).