Hackers are becoming increasingly pervasive and sophisticated. Here are some steps you can take to minimize your vulnerability to cyberattacks and to keep your sensitive client data safe.
If the largest bank in the U.S. is vulnerable to cyberattack, how safe is your client data?
Last June, hackers stole digital information that affected 76 million households and seven million businesses from JPMorgan Chase & Co. (JP Morgan) of New York, according to news reports and filings made to the U.S. Securities and Exchange Commission. And the criminals did it by walking in right through JP Morgan’s electronic front door, exploiting a flaw in one of the firm’s websites.
As a financial advisor, you do not have information on as many clients as a major bank does, but you still can be a prime target for cybercrime. Cybercriminals are pervasive and increasingly sophisticated, but there are steps you can take to minimize your exposure – and that of your clients – to cybercrime.
Various types of financial professionals will face a range of challenges, says Robbert McIntosh, director of broker services with the Toronto-based Financial Advisors Association of Canada (a.k.a. Advocis). Advisors who work as employees of firms or dealers must quiz their employers about cybersecurity.
“An advisor who is connected with a larger company,” McIntosh says, “needs to go to that company and ask, ‘What guidance and policies are you putting in place?’”
You should ask what technology support mechanisms your company is employing, McIntosh says, to protect your infrastructure and data.
If you are an independent advisor, much of the responsibility rests upon you. If you are not technologically knowledgeable enough to know where to start, McIntosh says, seek out an independent security or information-technology (IT) consultant. An independent consultant can analyze the level of cybersecurity you already have, checking into everything from the equipment and software you are using to your data backup procedures.
Anway Visram, founder of Visram Security in Vancouver, provides IT consulting services to high net-worth individuals. In advising his clients, Visram divides cybersecurity into three elements: awareness, technology and behaviour.
– Know the risks
The first step toward cybersecurity is becoming aware of the risks and how to minimize them. Knowing about the threats that surround you and your practice will guide you in adopting the behaviours and acquiring the technologies that will reduce the risk of you (and your clients) becoming a victim of cybercrime.
Awareness must be an ongoing process. The threats and vulnerabilities are changing quickly, and next year’s exploits will be different from this year’s. So, keeping up to date regarding cybersecurity risks should be as much a part of your job as keeping up with investment regulations.
– Assess your technology
People generally haven’t explored all of the technologies available that can improve their security, according to Visram.
“Start with your existing technology,” he says, “and your existing antivirus solution.”
Those regular antivirus updates that you download onto your computer, tablet and smartphone won’t be enough on their own, according to Visram. This type of software protection is not guaranteed to catch every electronic toxin that makes it into your computer systems. It’s a good first step, though, especially given that many advisors use their devices for more than just work.
A properly configured firewall and perhaps even a security appliance to scan for malicious downloads would be a good investment to protect your office computers further from attack.
Typical entry-level firewalls serve as shields for your network, closing off many of the digital “doors” into your network so that attackers can’t enter through them. Basic firewalls are available from retail stores, often embedded into a small office network router. These firewalls are relatively easy to configure; if you are not tech-savvy, a consultant can do it for you.
Security appliances take matters further. These appliances offer more functions integrated into a single box, and they also are designed to be easy for users to configure. Functions can include everything from scanning email for malware to looking for suspicious activity on your network. If you are considering these systems, look for unified threat management (UTM) appliances, which you can buy through a specialist reseller. If you opt for UTM, you would be well advised to pay for a couple of hours’ service to ensure your equipment is configured properly.
– Working off-site
What happens when devices are taken off the premises? You probably take your laptop and mobile devices off-site for meetings and to work from home. But when you use your computer at home, you may not have the same level of technical protection as you have at the office. And bugs you pick up at home can infect your office’s system.
“I worked with a lawyer whose personal machine was infected,” Visram says. “He brought it in to work and it affected his clients to the extent that this was a huge professional problem.”
Some systems have been specifically tailored to cope with this risk. BlackBerry Ltd. of Waterloo, Ont., is still a world-class security vendor with some solid technology. BlackBerry Balance is software that ships with the BlackBerry 10 smartphone operating system. Balance includes dual file systems to separate work and personal applications, so that their data don’t get muddied. Compare that with the iPhone, say, on which personal and professional data all sit in the same data-storage system.
Stacy Crook, mobile enterprise research director with International Data Corp. in Boston, says BlackBerry has a superior security model for its mobile devices because the company provides both the smartphones and the back-end management software to secure them.
“[BlackBerry is] creating that end-to-end feedback loop, in which the device and operating system are BlackBerry-developed,” Crook says. “And [the device] is talking with a BlackBerry server, so there is a much tighter integration.”
As for your laptop, there are many measures that you can take to protect it. Start by setting proper account permissions.
Accessing your computer via a “user” account, without administrative privileges, can make it more difficult for malicious software to compromise your data; the account will restrict what the malware can do.
How and where computers are used also is an important consideration. When you travel to a meeting or a conference and use whatever Wi-Fi network is available – in a hotel, convention centre or café – you may be vulnerable to snooping.
Wi-Fi networks are often “open,” meaning computers exchange information with them without the Wi-Fi network encrypting the data. This practice often enables other people in the vicinity to “listen in” on your Wi-Fi communications by using free hacking tools on their computers.
This can lead to “session hijacking,” in which attackers snoop on authentication messages sent between your computer and a website, then log into your user account on that site.
While many popular websites have fixed this hole by encrypting the authentication data, many haven’t – especially those of smaller businesses, Visram says. As many as one in five small-business websites that he visits do not encrypt the log-in details sent by users.
One protective measure that you can take is to use a virtual private network (VPN) to access the Internet – and your own office-based data – from the road. Your VPN encrypts the link between your laptop or smartphone and a computer at the office, so that no one can snoop on the connection. From there, you can use your mobile device to surf the Internet more safely.
A VPN typically takes the form of hardware or software running on a computer, either of which your tech expert will have to install and configure. The type of VPN you have installed will dictate how you access it from your laptop or another mobile device. An IPsec VPN, for example, will require a separate piece of software running on your mobile device, whereas an SSL VPN can be accessed without additional software, thanks to features that already exist inside a laptop, tablet or smartphone operating system.
– When clients are attacked
Do all of the above, and you may find that your client data still is at risk because you are not the only element in the equation. Information leakage can happen anywhere along the chain of communication.
“It is not only the advisor who is at risk,” Visram says. “It is also the client.”
Visram recalls one case in the past two years in which a cybercriminal infected the computer of an advisor’s client with malware. That attack enabled the cyberthief to gain access to the client’s email account, and then monitor email communications between the client and the advisor.
“We don’t know when the person got themselves infected,” Visram says. “Was it through a website or via email? We do know that [communications] were monitored for a lengthy period.”
The cyberthief took note of everything, including the writing style in the client’s emails to the advisor and the kind of instructions that typically would be relayed.
“The criminal realized that the advisor would diligently follow instructions within a certain financial threshold,” Visram says.
The cybercriminal, to take advantage of the information he had gained, set up a shell company in the U.S. Then, impersonating the affected client, the criminal sent an email to the advisor with instructions to cash out $135,000 worth of investments and send it to the shell firm.
“The advisor basically looked at it, did a little due diligence – but not a whole lot – and transferred the money,” Visram says. “All the while, the criminal was monitoring the communications and hid the traces.”
During the next client/advisor review, the advisor asked the client how the U.S. investment was going.
“The response was very simple,” Visram says. “It was silence.”
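The control that would have stopped the transfer above is a hold on any instruction that cannot be trusted on its own merits until it is confirmed over a different channel. As an added example that is not from the article or any real practice, the rule below holds an instruction that arrived by e-mail, names a payee not on file, or exceeds a review threshold, and releases it only after a callback to the number already on file; the threshold, payee list and client identifiers are assumed placeholder values.

```python
from dataclasses import dataclass

# Assumed values for this example only: the review threshold and the payee
# list are placeholders, not figures from the article or any real practice.
REVIEW_THRESHOLD = 10_000.00
PAYEES_ON_FILE = {"client-0001": {"Client Brokerage Account 4471"}}


@dataclass
class Instruction:
    client_id: str
    amount: float
    payee: str
    channel: str                       # "email", "phone" or "in_person"
    callback_confirmed: bool = False   # confirmed by calling the number already on
                                       # file, never a number supplied in the message


def release_decision(instr):
    """Return (approved, reasons). An instruction that arrived by e-mail, names a
    payee not on file, or exceeds the threshold is held until it has been confirmed
    over a channel other than the one it arrived on."""
    reasons = []
    if instr.channel == "email":
        reasons.append("arrived by e-mail, a channel that can be read or forged")
    if instr.payee not in PAYEES_ON_FILE.get(instr.client_id, set()):
        reasons.append(f"payee '{instr.payee}' is not on file for this client")
    if instr.amount > REVIEW_THRESHOLD:
        reasons.append(f"amount {instr.amount:,.2f} exceeds the review threshold")
    if reasons and not instr.callback_confirmed:
        return False, reasons
    return True, reasons


# Constructed cases modelled on the article's incident: an e-mailed request to
# cash out $135,000 to a company the client has never paid before.
FRAUD_CASE = Instruction("client-0001", 135_000.00, "Shell Co. (US)", "email")
CONFIRMED_CASE = Instruction("client-0001", 135_000.00, "Shell Co. (US)", "email",
                             callback_confirmed=True)
ROUTINE_CASE = Instruction("client-0001", 2_500.00, "Client Brokerage Account 4471",
                           "in_person")

if __name__ == "__main__":
    for case in (FRAUD_CASE, CONFIRMED_CASE, ROUTINE_CASE):
        approved, reasons = release_decision(case)
        print("RELEASE" if approved else "HOLD", case.payee, reasons)
```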
You cannot control your clients’ insecure computer systems, but you can be extra-vigilant in the way you deal with your clients. In fact, you should be diligent in dealing with everyone – even loved ones. Attackers can map out their targets in unexpected ways.
For example, a high net-worth individual’s advisor could be targeted indirectly, Visram says. Attackers may use digital reconnaissance tools to map out a target’s “attack surface,” finding out which of your contacts are both close to you and electronically vulnerable.
Perhaps your client’s teenage son is a soccer fan who frequently posts on social media using his smartphone. Befriending the son and sending him a soccer video through social media could enable the attacker to infect the son’s smartphone. Once the son’s smartphone is infected, Visram says, the hacker can use it to gather intelligence. At some point, the attacker then may use that phone to send a text message with an infected link to the son’s parent, thus infecting the parent’s device and gaining access to your files.
– Securing your storage
Sniffing data out of the air is only one form of technical attack. The simplest way to steal data is the physical theft of your smartphone, tablet or laptop. If you take a bathroom break in the coffee shop while your laptop is unprotected or if you leave the device in a restaurant or a taxicab, then the data on it could be vulnerable.
Proper encryption of the data stored on your device is crucial for its protection, and the latest operating systems have these encryption capabilities built in.
Both Apple and Windows operating systems now have features to encrypt all of the data on your hard drive. This protects you against cybercriminals who would remove the hard drives from stolen computers and use data-recovery tools to scan them directly. Those tools now won’t help a cyberthief because the data will be scrambled unless he or she has your password.
That is all very well – but, as McIntosh points out, you often can be let down by inadequate or non-existent password protection.
An encrypted operating system decrypts the data on the disk for whoever authenticates successfully. If authentication isn’t a significant challenge, your encryption is worthless.
“The biggest risk for advisors is not having password protection on your laptop, smartphone and tablet,” McIntosh says.
Ideally, your password should be a random sequence of characters that you teach yourself to remember via muscle memory, so that your fingers type out the nonsensical sequence automatically.
The less sense that your password makes, the more secure your data will be.
© 2015 Investment Executive. All rights reserved.