In the eyes of your partner, your kids, or your parents you are special and unique. That’s the good, warm fuzzy news.
Now for the harsh reality: Cybercriminals don’t care who you are. They aren’t concerned about the registered investment advisors you employ, the size of your firm, who your clients are, or how much money you made last year. Threat actors don’t sit around doing research and development on a target and then repeatedly attack until they succeed.
When criminals change tactics, it’s because widespread IT solutions are crushing their efforts at every turn. Hackers aren’t focused on the minutiae – and they certainly aren’t sitting around tracking only your firm. Pouring that amount of resources into one entity wouldn’t be profitable for them.
You’ve Been Lulled Into a False Sense of Security By the Traditional ‘Hacker Narrative’
Blame it on Hollywood. When you think of a cybercriminal you probably picture a guy in a hoodie. He’s sitting in his mom’s basement, eating cold pizza, repeatedly trying to access a single organization to cause chaos. The image makes a better plotline than reality. It also gives you a false sense of security.
Cybercrime is a business
Again, cybercriminals don’t think you’re special. You’re caught in sweeping attacks, not targeted ones. Malicious actors send out 100,000 phishing emails (or more) at a time. They know around 100 will get clicked on. If someone at your firm falls for the scam, it wasn’t because a hacker went after you. Your credentials were simply in their database.
Assuming you don’t need to worry because you’re small or don’t have anything valuable is just ridiculous.
$1,000 a day
If these guys can convince you to send a 1K money order or gift cards, it’s a good day’s work. Whatever country they’re from, a thousand dollars is a lot more than they’d earn on any average day. They can earn in a day what someone could earn in a year and a half.
Stop thinking “I’m too small, no one cares.” Start thinking about what you owe your clients and how you should be protecting their data and investments.
It Only Takes One Person
You know phishing is prevalent and tell your employees not to click on suspicious links. You think you’re doing enough. You aren’t. Cybercriminals only need to trick one of your employees to cause irreversible damage. One malicious link can encrypt your data. One well-crafted email can convince someone to wire money to a hacker’s bank account.
Mobile is making it harder to spot phishing emails
When we run phishing simulation tests for our RIA clients, a disproportionate number of people who click do so from their mobile devices. It’s harder to spot a suspicious email on your phone. You can’t easily spot the signs – like unusual email addresses or slightly misspelled names. It isn’t possible to hover your mouse over a link to see the real URL before clicking. You’re more likely to be distracted by whatever is going on around you.
Quick tip to stop phishing emails
If you ever have any doubt about an email you see on your mobile device, wait and look at it on your computer. Or, take the phone that’s in your hand and call whoever sent it (dial them directly – don’t click a phone number link in the email). Verify they actually sent the email or made a specific request. If they have no idea what you’re talking about, someone is impersonating them, and you know to report and ignore the email.
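As an added illustration of the mobile problem above (example code, not part of the original post), here is a small Python check that does what a mouse hover would: it compares each link’s visible text with its real destination and flags tel: links so the number gets dialed by hand rather than tapped. The email body, hosts and phone number are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or domain (constructed heuristic).
DOMAIN_RE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class _AnchorCollector(HTMLParser):
    """Collects (visible_text, href) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _domain(value):
    """Last two labels of the host (example.com); public suffixes like co.uk
    are deliberately not handled in this simplified check."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower().removeprefix("www.")
    return ".".join(host.split(".")[-2:])

def find_suspicious_links(html):
    """Return (reason, visible_text, href) for links whose shown domain differs
    from the real one, and for tel: links (call the number yourself instead)."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        if href.lower().startswith("tel:"):
            findings.append(("phone-link", text, href))
        elif DOMAIN_RE.match(text) and _domain(text) != _domain(href):
            findings.append(("host-mismatch", text, href))
    return findings

# Constructed sample: the displayed URL and the real destination disagree.
SAMPLE_EMAIL = """<p>Please review the wire instructions at
<a href="http://login.example-rlafirm.net/verify">https://portal.example.com/wire</a>
or call <a href="tel:+15555550199">+1 555 555 0199</a>.
See our <a href="https://portal.example.com/help">help page</a>.</p>"""

if __name__ == "__main__":
    for reason, text, href in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: shown '{text}' -> actually {href}")
```

Run it on the raw HTML of a message pulled from your mail client; anything reported as host-mismatch deserves the phone call described above.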
Firewall and Antivirus are Your Foundation
In the cybersecurity world, there’s been a lot of talk in recent years about how firewalls and antivirus aren’t enough. Unfortunately, this is getting translated as “Don’t invest in firewall or antivirus.” You do need both security measures. They form a foundation you’ll use to protect your firm.
Why you need multiple lines of defense
A wall and moat are great defenses for a castle. Until someone manages to use a trojan horse to bypass both. Today’s cybercriminals know how to hurdle over walls and skip over your moat. But that doesn’t mean you make it easier for them by getting rid of either. Both are still deterrents and will keep some hackers out of your system. But the determined ones will find ways in.
Cybercriminals will lurk in your systems if you let them
Today’s hackers are hanging around in your systems for months, copying data and stealing credentials. After they have everything they want, they’ll make you aware of their presence. Your files might be encrypted. Your client financial data will be stolen. They’ll try to hold you ransom. If you don’t pay, they publicize the attack and put your and your clients’ information on the Dark Web.
Root out criminals with endpoint detection and response
Endpoint detection and response (EDR) adds another layer of defense and looks for patterns of behavior used by criminals. The tool knows the techniques hackers use and looks for similar activity in your systems. When it finds a match, the tool shuts the activity down.
Don’t Forget to Update Your Documentation
Many business owners only need to think about how they’ll update their tools and thinking to meet modern threats. RIAs have a second layer to consider: updating their compliance procedures for OCIE. As you adopt new strategies, add the tools and processes to your documentation.
It’s an important step too many firms forgot in 2020. They switched to remote and didn’t change their documentation. Others will fall into the trap of reverting to their 2019 processes when they return to the office. This won’t accurately reflect the new software they use – like Teams. If their firm is hybrid, with some people in the office and others working remotely, the 2019 policy is obsolete.
Having the Right IT Solutions is Just the Beginning
The tools and strategies you need to stop criminals from selling your client data on the Dark Web will continually evolve. This means your documentation will constantly change too. If you’re managing this by yourself, you’ll be responsible for finding the most effective methods for fighting cybercrime, implementing the system, and updating your policies.
Some of the tools you’ll use, like EDR, generate a lot of information. Not all of it is actionable. You’ll have to evaluate each alert carefully to determine the best course of action. The alerts will come in at any hour of the day.
Do you really want to be deciphering a message about a potentially suspicious log-in at 3 a.m.?
Of course, you don’t. You want to be asleep. You have to wake up in the morning, run your firm, and exceed client expectations. Don’t add the burden of cybersecurity to your hourly responsibilities. Our cybersecurity services help keep RIAs secure and compliant. When you work with us, you can be confident you’re gaining a partner with particular, relevant financial industry and security expertise. Let’s talk. You deserve to be asleep at 3 a.m.