Hackers tend to thrive amid the confusion and distraction of a crisis like the current coronavirus pandemic, when many firms’ general counsels and executives are focused on safety and other emergency measures. Law firm Eversheds Sutherland has provided some pointers, in a legal alert at its website, on how advisors and others can remain on guard to avoid cybersecurity disasters.
First, as always, you should “be wary of clicking on links embedded in emails and entering in credentials,” the firm noted. “There is no doubt we will see an uptick in phishing emails appearing to come from the Centers for Disease Control, the World Health Organization, other health-related organizations, or even from companies’ own HR departments,” it said. Therefore, employees “should be advised to look carefully at the sender’s email address (especially after the @ symbol), and to hover cursors over links to see where they really resolve,” the firm pointed out.
Also crucial: You should “ensure proper remote access,” the firm said, explaining: “Accessing company servers remotely without using a secure connection, such as a virtual private network, exposes those servers to hackers. If employees are working from home because of the virus and have not enabled security features on their home WiFi, and are not logging in via a secure connection, the individual and the company are more vulnerable to cyber attacks.”
Of course, supervisors, IT experts and others can talk until they are blue in the face, and there will always be somebody at a company who clicks on a link they should avoid or accesses internal networks inappropriately. However, all is not lost because “it is how the wider team reacts and responds to attacks that makes all the difference,” the firm said.
The firm went on to list five fast and “inexpensive — but absolutely critical” — steps to help ensure your firm is ready to respond to attacks:
- Make certain your response plan does not reside only on your firm’s servers because, in a cyberattack, accessing documents electronically may not be an option. Print out your response plan.
- Make sure your response team has copies of the plan at home.
- Confirm the call roster for your firm’s key response team members, internally and externally, includes work, mobile and other contact numbers.
- Make certain you have a good sense of your firm’s regulatory and contractual notification obligations in case there is a breach. There is no guarantee that regulators will grant leniency for failing to know or meet notification deadlines due to coronavirus-related distraction. The same thing applies to any counterparties, many of whom need to be notified of cyber incidents within 24 or 48 hours.
- Check to see when you have last reviewed your firm’s cyber insurance, making sure it is current and covers what you want it to cover. With attacks and “attack vectors” changing so quickly, it is imperative that you are covered for the newest threats and kinds of attacks. On a similar note, make certain you pre-clear your preferred external advisors and consultants with your firm’s insurance company if they are not already on the insurance company’s panel.
Some of the same issues were cited Wednesday by GJ King, president of RIA in a Box, during the webinar “How RIA Firms can Prepare for the Coronavirus,” which also included tips of special interest to advisors. He, too, warned that, during turbulent times, firms are at an increased risk of cyberattacks and systems being compromised.
In a blog post on its website, RIA in a Box also pointed out that employees not accustomed to remote work need to be trained on cybersecurity best practices and precautions, including being extra cautious when it comes to targeted email phishing or fraudulent wire requests.