In the COVID-19 era, incorporating zero-trust into cybersecurity strategies is more important than ever for wealth management firms, with so many financial advisors and firm employees using a broader range of tools and working from more varied, remote locations.
In this new era, the vulnerabilities for cybercriminals to exploit has grown exponentially, with two key areas that should be of particular concern to wealth management firms:
First, just like any company, they must maintain the integrity of their own corporate networks, adapting to the new security environment in a holistic way that keeps data secure without compromising system performance.
Second, a huge cross-section of the users that access a firm’s data are not within the network perimeters, nor do firms own those users’ devices and networks. In normal times, this is a decentralized, varied landscape to protect. In today’s environment, with more numerous and diverse threats to counteract, the need for robust defenses has increased in urgency.
Firms must establish dual strategies to protect corporate networks while safeguarding a broader, more diffuse, but equally important constituency: Their financial advisors.
Home Office and Corporate Networks
Prior to the pandemic, firm employees and executives predominantly worked in offices, a relatively straightforward setting for cybersecurity experts to protect. Now, these workers are using the same applications as before, but from multiple residential locations.
To maintain a zero-trust approach under these circumstances, while also maintaining system stability and performance, firms should rethink their network architecture and the deployment of their cyber defenses to more closely align with how workers are accessing data.
For example, one might think that a way to keep data safe is to use virtual private networking. By requiring all remote users to use VPN when performing any work-related tasks, firms are routing all data traffic back to its own servers.
This keeps data securely within the firm’s own network. But directing all that data back to the firm’s central network risks overwhelming and compromising overall system performance. The corporate network now has to accommodate all ordinary-course work activities, plus the needs of bandwidth-consuming video platforms such as Zoom and Microsoft Teams.
One solution is to split traffic between the critical data that must be accessed via the wealth management firm’s own networks and protected by its zero-trust defenses, and the less sensitive data flow to and from third-party applications, many of which are cloud-based and would be protected by those providers’ cybersecurity measures.
This approach remains zero-trust with respect to sensitive data, but it adapts to the reality of the current moment in a way that is less likely to compromise overall network performance.
Protecting the information networks of individual financial advisors from cyber attacks has technological and communication components that require a mix of persuasion and top-down direction.
Some firms prior to the pandemic had already invested in the tools, solutions and platforms to implement a comprehensive zero-trust approach to cybersecurity.
They had tools in place to monitor and collect data on the users accessing their networks, and to analyze that data to build a holistic picture of each user’s cybersecurity posture.
Armed with those insights on potential gaps in defenses, they could implement risk mitigation approaches, some of which may involve denying access to users whose online behavior or device and system configurations were deemed too risky.
In the COVID-19 era, cyber attacks may not have changed in sophistication, but they have definitely surged in volume. This dynamic speaks to the need for more communication and education for financial advisors on the importance of keeping up to date with cyber defenses and how to leverage them most effectively.
As a tool to influence behavior, zero-trust is effective, but firms that take a softer approach, at least initially, may find an easier path to compliance. It starts with communications and education through webinars, newsletters and other channels, followed by more targeted, proactive campaigns that are more consultative in tone than confrontational and punitive.
A Fine Balance: Security vs. Performance
In a near-100% remote environment, t firms must be vigilant on two cybersecurity fronts, the home office and with their financial advisors, and zero-trust should be an integral part of both efforts.
Deployed smartly, with an eye towards collaboration, firms can devise holistic strategies that protect data without harming network performance and overall productivity.
Jason Lish is Chief Information Security Officer of Advisor Group ),a network of independent wealth management firms. Sid Yenamandra is CEO of Entreda, a cybersecurity solutions provider to the wealth management space, and a subsidiary of Smarsh.