Cybersecurity: How to prevent 'insider accidents'
As cyberattacks have become a serious threat to the wealth management industry, many financial advisory firms have developed strong policies to prevent client data from being hacked.
However, some firms haven't put the same effort into training their employees or vendors to make sure these policies are actually followed. As a result, the money spent goes down the drain, said H2L Solutions CEO Jonathan Hard during an exclusive Financial Planning webinar on cybersecurity.
According to a survey of broker-dealers (BDs) and advisers by the SEC's Office of Compliance Inspections and Examinations (OCIE), 88% of BDs and 74% of advisers have experienced cyber-related incidents, most of them involving malware and fraudulent emails. A quarter of the BDs that suffered losses attributed them to employees not following firm policies, which led to security compromises.
It's important to note that not all cybersecurity breaches are external. An “insider accident” could compromise a firm's security, Hard said. “If your employees are not properly trained — no matter what technical solution you have in place to eliminate that risk, no matter how much money you spend — you’ll still be compromised,” Hard said.
In fact, over 90% of hacks come from an unintentional inside job, said Justin Kapahi, vice president of solutions and security at External IT, a technology services provider for advisory firms. “All employees have the keys to the security you built up. If they hand the keys to random strangers on the street, that’s not secure," he said.
The majority of cyber-related incidents are accidents caused by trusted employees, Hard said. Fraudulent emails remain a top risk to cybersecurity.
“Email campaigns such as, ‘You won a million dollars, click on this link to redeem your ticket,’ still work, believe it or not,” Hard said. He also noted hackers have created more sophisticated email scams.
He suggested BDs maintain company-wide security awareness programs that ensure all employees follow the required identity authentication procedures.
Firms also need to keep employees from misplacing sensitive data, including financial and client information, so that unauthorized people cannot get access to it, Hard advised.
In addition to securing company communications with encrypted email and secure file sharing, it is equally important to train employees to actually use these tools, Kapahi said.
Besides training employees, BDs should also make sure vendors are taking the same precautions.
“You want to know 100% how vendors are managing your clients’ information. You want them to have the right cybersecurity technology in place to make sure your firm is not being compromised just by using those vendors,” Hard said.
When outsourcing work to vendors, firms should consult OCIE's cybersecurity guidance and ensure the vendors have a plan in place. Hard suggests firms use NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) to vet vendors' cybersecurity controls.