Cybersecurity is like a virus that keeps evolving. Just when you think you’ve built a defense against one form of attack, cybercriminals evolve to invade your system from another point of entry. Now, with a human virus forcing financial advisors and their firms to work increasingly remotely, the risk of cybercrime rises exponentially.
“As financial advisors, you’re not just suffering from the pandemic,” cybersecurity expert John Sileo recently told the audience at the Schwab IMPACT 2020 conference. The pandemic “has completely shifted the cyberthreat landscape both inside your practice and in the lives of your clients.”
Financial advisory firms are a “clearinghouse of everything cybercriminals want,” Sileo says. Today’s cybercriminals aren’t just breaking in and making off with your data, the old “smash and grab,” they’re breaking in to become full-time occupants.
Cybercriminals typically stick around for more than 200 days before you even realize they’re there, according to Sileo, which is what allows them to fortify their position by using your own technology against you.
“The newest wave of cybercriminals, like stealthy ninjas, use your technology against you to remain undetected,” he says. “They commandeer your threat detection software to keep them safe.”
Meanwhile, they’re following the tunnels through your organization to gain access to your vendors and customers. Your firm may be just a stepping stone to far bigger targets.
At IMPACT 2020, Sileo asked attendees to define their “crown jewels,” or the most important objects in their lives: The thing in your life you protect the most, the one income-earning asset you could not afford to lose and the data you handle on your job that you can’t afford to have exposed.
Sileo says defining these crown jewels builds the foundation for a cybersecurity system but is also the step many firms skip. It’s hard to build a defense until you know what you’re defending, Sileo says.
With the top concerns in mind, here are the top cybersecurity strategies for financial advisors and firms:
— Back up and update.
— Require remote security protocols.
The primary way cybercriminals gain access to your organization is through your people, not your technology.
“We’ve witnessed a huge uptick in phishing scams amid the pandemic as scammers prey on people’s heartstrings,” says Tiffany Garcia, national cybersecurity practice leader for CBIZ. “For example, a scammer may take advantage of someone’s generosity by requesting a charitable donation via email.”
The best way to prevent phishing attacks is by educating your employees and clients. Teach them to be skeptical and use the hover technique: Hover over a link before clicking to see the destination URL. Is it taking you where you think you’re going?
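The hover check above can also be automated for an inbox or a training exercise. The following is an added example, not code from the article or from any of the firms quoted: it pulls every link out of an HTML email body and flags the pattern the hover technique is meant to catch, link text that names one site while the href goes to another (or to a bare IP address). All domains and the sample message are constructed for the example.

```python
# Added example (not from the article): automating the "hover technique" by
# comparing each link's visible text with its real destination (href).
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: a fake charity appeal of the kind Garcia describes.
SAMPLE_EMAIL = """
<p>Please support flood relief today:</p>
<a href="https://charity-secure.example/give">https://www.charity.example/donate</a>
<a href="https://www.charity.example/donate">Donate here</a>
<a href="https://billing-update.example/login">mybank.example</a>
<a href="http://203.0.113.10/login">Log in to your account</a>
"""

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude last-two-labels comparison (no public-suffix list; example only)."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html):
    """Return [(href, text, reason)] for links that fail the hover check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # Treat link text that looks like a URL or domain as the 'promised' site.
        shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
        if host.replace(".", "").isdigit():
            findings.append((href, text, "destination is a bare IP address"))
        elif "." in shown and registrable(shown) != registrable(host):
            findings.append((href, text, f"text shows {shown} but link goes to {host}"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` flags three of the four links; only the one whose text and destination agree passes.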
“Training and awareness should include all members of the organization, as ‘whaling’ has increased the targeting of execs in a company who may not have typically been required to take training,” says Nick Harness, chief information officer at Kestra Financial. He also suggests advisors use an email threat detection tool, such as Mimecast or Barracuda, as a second line of defense.
“All it takes is one uninformed employee to click on a scam link and put your entire organization in jeopardy,” Garcia says.
Don’t forget to educate your clients, too. You can turn cybersecurity education into a competitive advantage by hosting cybersecurity wellness events, Sileo says. Teach clients how to protect themselves by using password manager software to create stronger passwords, enabling two-factor authentication, using a secure Wi-Fi or VPN connection and/or enabling account alerts.
Back Up and Update
Ransomware attacks, where cybercriminals steal your data and then demand a ransom for its return, are expected to be on the rise in 2021, Garcia says.
“Ransomware attacks, which are entirely financially motivated, are becoming increasingly sophisticated and strategic,” she says. “Advisory firms are especially susceptible to these attacks as hackers target high-net-worth companies and individuals.”
The best way to protect against such an attack is by regularly backing up your computer and other systems. If you have no backup of your data when a ransom comes, you have no choice but to pay to get the data back, Sileo says.
You should also keep operating systems updated. If you have a system older than Windows 10 or macOS Sierra, it’s no longer being properly patched, meaning the holes and bugs that create security vulnerabilities are not being repaired, Sileo says. Enable automatic updates on all systems, software and phone apps so that irregular patching doesn’t leave a backdoor open to cybercriminals.
Require Remote Security Protocols
“Remote work presents certain cybersecurity risks, such as employees downloading malware, connecting to unsecured Wi-Fi, data loss (and) losing devices,” Garcia says.
To combat remote cybersecurity risks, she says “advisory firms should require the use of a virtual private network (VPN), implement firewalls, enable multifactor authentication, install antivirus software and urge employees to use strong passwords.”
She recommends having employees sign a remote work agreement “that clearly outlines what they should and should not do from a cybersecurity perspective.”
You should also require heightened security from third-party vendors. “Data breaches are increasingly stemming from third parties that do not have adequate cybersecurity protocols in place,” Garcia says.
Ensure any third-party partners have clearly defined security policies. You can also consider “incorporating contract provisions that require vendors to obtain periodic security assessments or certifications, such as a SOC 2 report, ISO 27001 or (Payment Card Industry standards), as well as ensuring vendors’ access to company systems and data is limited to reduce risk and liability,” Garcia says.
“Over-communication is key for effective cybersecurity management,” Garcia says. Always confirm before approving payment or email transactions. If you’re unsure about something or if a message seems out of the ordinary, she says to trust your gut.
“Advisors should keep clients in the loop about everything,” Garcia says. “Before sending a DocuSign attachment, for example, notify your client via email or phone that it’s coming and what the contents will include.”
Garcia tells advisors to follow their own advice and don’t put everything in one basket. “Separate information over multiple communication channels,” she says. “Not everything should be in one email.”
Top Cybersecurity Strategies for Financial Advisors in 2021 originally appeared on usnews.com