Journal of Financial Planning: July 2015
Bill Winterberg, CFP®, is founder of FP Pad, a technology publication and news resource for financial advisers. He hosts FP Pad Bits and Bytes, a weekly video recap of news for advisers.
In late April, the Securities and Exchange Commission issued IM Guidance Update No. 2015-02 on cybersecurity of investment advisers. In its brief, three-page update, the Investment Management Division recommends that investment advisers consider methods to periodically assess cybersecurity risks within their organization, identify how advisers will detect and respond to attacks, and implement a cybersecurity strategy by establishing written policies and procedures and providing training to staff.
It is commendable that the Commission continues to emphasize just how important the issue of cybersecurity is, but I feel the updates fall well short of addressing the pertinent, day-to-day challenges you face every day as you manage your business. Here are several strategies and resources on cybersecurity I feel can reduce the chances that your business will succumb to today’s increasingly sophisticated attacks.
Key to the Kingdom
The username and password are the keys to your business’s technology kingdom. Everything from your computer, laptop, and mobile device to your online CRM, Internet banking, and social media accounts is protected by some kind of account credential. The downside to the ubiquity of account passwords is that we, as human beings, get password fatigue. We have a tendency to create short passwords that are easy to remember because we are required to use them repeatedly throughout the day.
Weak passwords represent the lowest hanging fruit for any attacker seeking to gain access to your business assets and information. Therefore, your business needs to enforce a practice of identifying and using strong passwords wherever they are required.
Better yet, consider implementing an enterprise password manager like LastPass, 1Password, Meldium and others. Not only can such tools automatically generate long, complex, and strong passwords, the programs also enforce permissions and user access to specific accounts without revealing the username and password to your staff.
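To make the short-versus-generated password contrast concrete, here is an added example (my own illustration, not code from the column or from any of the password managers named above). It generates a password the way a manager does, from the operating system’s cryptographic random source, estimates the entropy of a uniformly random password, and flags the traits that make a human-chosen password weak. The guess rate of ten billion per second and the short list of common passwords are constructed assumptions for the illustration; real guess rates depend on how the service stores the password.

```python
import math
import secrets
import string

# Alphabet a password manager typically draws from: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample of common passwords; a real check would use a published list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password chosen uniformly at random using the OS CSPRNG (secrets)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password of `length` uniformly random symbols.

    Only valid for machine-generated passwords; a human-chosen password of the
    same length has far less entropy because it follows predictable patterns.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time, in years, to try every password of the given entropy."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(short_len: int = 8, long_len: int = 20,
            guesses_per_second: float = 1e10) -> dict:
    """Contrast a typical short password with a manager-generated 20-character one.

    guesses_per_second is an assumed figure for the illustration, not a measurement.
    """
    size = len(ALPHABET)
    short_bits = entropy_bits(short_len, size)
    long_bits = entropy_bits(long_len, size)
    return {
        "short_bits": short_bits,
        "long_bits": long_bits,
        "short_years": years_to_exhaust(short_bits, guesses_per_second),
        "long_years": years_to_exhaust(long_bits, guesses_per_second),
    }


def weakness_reasons(password: str) -> list:
    """Return the reasons a password counts as weak; an empty list means none found."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        reasons.append("uses fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in a list of common passwords")
    return reasons


if __name__ == "__main__":
    print("generated:", generate_password())
    for key, value in compare().items():
        print(f"{key}: {value:.3g}")
    print("weak because:", weakness_reasons("Pass1!"))
```

The point of `compare` is the gap between the two rows: an 8-character password falls to exhaustive search in days at the assumed rate, while a 20-character generated one would take longer than the age of the universe. `weakness_reasons` is the kind of check a password manager applies when it audits the passwords already in your vault.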
Online account security can also be enhanced by using multi-factor authentication. By combining two of the three authentication factors—something you know, something you have, and something you are—you increase the difficulty of compromising an account in the event a password is stolen. The website twofactorauth.org identifies hundreds of online services that offer multi-factor authentication to increase account protection.
Strong passwords are also important to protect your mobile devices, but long and complicated passwords are inconvenient to use. This is one reason why the fingerprint-based Touch ID feature on the Apple iPhone is so appealing. Today, only a few Android phones support fingerprint authentication, such as the Samsung Galaxy S5.
Avoid PDF Passwords
While on the subject of passwords, I want to discourage you from protecting PDF documents you exchange with clients using passwords. Like online account logins, password-protected PDF files also represent low-hanging fruit for attackers.
Elcomsoft is a company that sells a utility called Advanced PDF Password Recovery for as little as $49. The program uses several techniques to unlock a password-protected PDF file, including a brute force attack, mask attack, dictionary search, encryption key search, and “rainbow attack.” The password you create in your head and share with clients doesn’t stand a chance against powerful tools that are inexpensive and widely available. Don’t even think about using any combination of a client’s Social Security number, zip code, or phone number as a PDF password.
Avoid Sensitive Data in Email
The simple truth is that email is not an appropriate tool to use for sensitive information.
If any of your clients use web-based email services such as Gmail, Outlook.com, Yahoo! Mail and others, emails sent to trash stay around in the application for up to 30 days. That gives plenty of time for an attacker to compromise an email account password, gain access, and search through email history (including a month of deleted emails) to use such information for nefarious purposes.
Many of us don’t spend much time thinking about security while using the Internet. Many of the security mechanisms operate behind the scenes and are largely transparent throughout the web-browsing process. But the times when we let our guard down are when we become vulnerable to attacks.
Most websites that process sensitive information use https:// connections, that is, connections secured with the SSL or TLS protocols. But if an attacker downgraded a website’s connection to plain http://, would you notice? One tool you can add to your web browser is HTTPS Everywhere from the Electronic Frontier Foundation. This extension for Chrome, Firefox, and Opera automatically switches your connection to the encrypted HTTPS version of major websites that support it, increasing the security of your information online.
Always, always, always keep operating systems, apps, and programs up to date. But hackers know you want to update and will find ways to issue alerts that can trick you. Read on for more.
Techniques such as long passwords, enterprise password managers, and complex encryption are formidable barriers for attackers. It simply takes too much time and effort to compromise these defenses. Therefore, attackers are focusing their efforts on weak links, and the weak links continue to be people like you and me.
Together, we’re far too trusting of others, we’re fallible, and many of us are not informed on evolving cyber attack techniques. After all, we have busy jobs to do!
Earlier this year, attackers were able to trick a phone company to forward calls made to Tesla Motors to an illegitimate phone number. With call forwarding in place (a technique called “spoofing”), attackers were then able to impersonate Tesla employees to contact the Internet domain company managing the Tesla website. They added a bogus email address to the Internet domain account and then used the address to perform a password reset. Once access to the domain registrar dashboard was gained, attackers redirected the Tesla website to a spoofed website, and they were able to compromise Twitter accounts of Tesla and the company’s CEO Elon Musk. Read more about the Tesla attack in an article from SecurityWeek (http://j.mp/teslaattack).
At the risk of oversimplifying the attack, all it took was knowledge of Tesla’s phone provider and a very convincing story to implement call forwarding, and it went downhill from there.
Information that may seem innocuous on its own can actually lead to events that, at a minimum, are embarrassing, or worse, lead to financial loss for your company and/or your clients.
According to the 2015 Data Breach Investigations Report from Verizon (http://j.mp/VZbreach), the biggest threat to the private information you manage may actually be yourself and the people in your organization. The report identified a disturbing trend that more people are opening and clicking links in phishing email messages, not less. One reason is because phishing techniques have matured far beyond emails from a Nigerian prince riddled with typos and bad grammar. The bar for phishing emails is considerably higher today.
Target and Train
According to security provider Proofpoint, the business roles most susceptible to attacks are sales, finance, and procurement (www.proofpoint.com/threat-insight). Employees in these roles click potentially malicious links 50 to 80 percent more than colleagues in other business roles. This makes sense due to the nature of their business as they consistently work with new prospects and relationships and are under time pressure to quickly get through large volumes of correspondence each day.
You can train everyone in your organization, in all business roles, to identify potential attacks and malicious links, and then test how effective that training is through a simulated attack.
Vendors such as ThreatSim, TraceSecurity, and Wombat Security Technologies offer a variety of solutions to actually validate the efficacy of your security policies. Assessment tools like CyberStrength, PhishGuru, SmishGuru, and USBGuru (I am not making these names up) test everyone in your business to identify weak links and poor behavior so you can take action to correct potential liabilities.
Planning for Attacks
This column just scratches the surface on the tools and resources available to help you combat cybersecurity attacks. It’s not a matter of if, but rather when your business will face an attack if it hasn’t happened already. Before your next brush with an attacker, be sure you:
- Identify the go-to individual in your business to report cybersecurity issues
- Periodically perform risk assessments
- Provide training and awareness of new attacks and techniques to employees
- Identify and implement insurance to protect against loss
- Determine how you will monitor and control access to your systems by employees and third parties
One false move inside your business can lead to real financial losses, a disruption of your operations, and the loss of client trust. It is your responsibility to do what you can today to prepare yourself for cybersecurity attacks rather than wait for ambiguous and inadequate guidance from the industry’s regulators.
An important note: This column uses shortened hyperlinks from Bitly to direct you to websites for convenience. However, shortened hyperlinks can be created for any Internet address, including pages that contain malware and phishing schemes. Use caution when using shortened hyperlinks of any kind. In many cases, a web search for a company name or software program will safely navigate you to what you need.