In May 2016, Forbes reported that the Financial Services sector was number three on the list of most cyber-attacked industries, and all indications were that cyber-crime would continue to rise. In this fast-paced landscape, where increased opportunities for data access are met with an increasing set of vulnerabilities, clients are entrusting you with more and more of their data; it is important to earn that trust by thoroughly understanding your specific environment and threats and how to address them.
Wealth management firms have anticipated additional rules and scrutiny around cybersecurity and have witnessed the increasing awareness of this topic in general. In 2013, the SEC distributed a sweep letter that portended what those new rules would be (click here for the final summary). In addition, we are well aware of Regulation S-P on the FINRA side of the business. But, other than the obvious requirement for written policies and procedures, how do you ensure you have an environment that protects against the main threats facing your data?
First, start with a well thought out framework like the NIST Cybersecurity Framework. It is a starting place to easily understand the main functions of an effective cybersecurity policy. The framework is simply a list of functions, categories and subcategories along with a lot of references and guidance. Whether documenting policies and procedures for the first time or updating them for new threats, working through each functional area separately allows you to fully understand all aspects of your policy, from identifying the highest threats to coordinating a response after a breach.
As you work through the framework, areas for improvement will come to light. A good recommendation is to use a spreadsheet to track progress on each category and leave a place to take notes on follow-up actions.
With the framework in hand, you now have a road map for documenting policies and procedures as well as the various tasks that must be performed to maintain a secure environment.
One of the more interesting parts of working through the framework is the identification of top threats. Many threats will quickly come to mind when thinking about data security. Work with a cross-departmental group to make sure all threats are included in the list before beginning the ranking process. Ranking will help to focus the team on the most probable threats (or the most potentially impactful threats, depending on the ranking criteria). Write a mitigation plan alongside each threat – capturing this now will give you at least a basic starting place in the heat of a breach. Ultimately, these should be fleshed out into actionable plans.
The first risk that usually comes to mind is the mysterious hacker. I love to use the stock photo of a hoodie-wearing teen hunched over a laptop. Have you thought about threats that don’t try as hard as that guy? People who log into your network daily with your permission – your employees and vendors. They may pose the greatest threat to your data.
The threats list should be specific to your environment. An organization that uses mostly cloud-based solutions and has little on-premises hardware or software will have different threats than one with a mini-data center in their back closet. Here are a few common threats, in no particular order:
- Employee Malfeasance – shortly after being fired, an irate employee steals the master client list and goes to work for the competition
- Employee Negligence – employee clicks an unsafe link and downloads a virus
- 3rd Party Vendor – the IT managed services provider logs in after hours and accidentally deletes all files
- Viruses – failed definition update causes a recently introduced variation of the CryptoLocker virus to make it onto the network, now all files are unusable
- Email Spoofing & Phishing – (see previous blog post with Email security considerations) – administrator receives an email ostensibly from a client’s personal email account and executes a money transfer without first confirming with the client by calling them at the number of record
- Hackers – using a VPN connection to an unknown host server, the hacker scans firewall ports and identifies a way in and continues to steal data for several months undetected
Back to Basics
Chances are that if you are using any technology at all, you have done some basic network hardening by enabling or installing a firewall, by installing virus protection and by using a strong password policy. Vendor due diligence reviews should include an analysis of how each vendor protects your data when it’s on their hardware or network or in transit.
It is also good practice to have a separate Acceptable Use Policy signed by everyone who has access to the company’s systems and data. This policy should clearly outline how your technology and equipment should be used in a responsible manner. It should include a message about which applications or websites are not to be accessed from the network. This policy alone, if followed, can help prevent a lot of bad things from happening as a result of assuming some app or site is safe.
A theme in technology is balancing convenience with security. Allowing people to connect to your network with their personal devices can be very convenient. However, these devices pose a threat to your environment. If the convenience of these devices is important to organizational processes (and for many, a smart phone is an important part of their daily work routine), address the increased threat with restrictions on use. For instance, make a policy that cell phones containing any client personally identifiable information must have encryption software installed and a PIN-protected home screen, and cannot access the Internet via public WiFi. Mobile Device Management (MDM) software, like Good Mobile Manager, provides user policy management that governs employees’ ability to download files, run apps, etc. on their mobile devices.
Most likely, WiFi is offered to your clients when they visit the office. Be sure to set up separate guest access points (SSIDs) so you can limit them to only the Internet and not your internal network. And hide all SSIDs – don’t make it easy for threats to find you. For both employee and guest WiFi access points, change the security code frequently and definitely after each employee termination.
Monitoring & Testing
Having thought through the threats and how to prevent and mitigate them, most likely two themes have emerged – monitoring systems to detect breaches and testing security policies and procedures to ensure they are working.
According to this article from Business Insider, only 20% of the companies surveyed said they had a breach. Most likely, some of the other 80% were breached but don’t yet know it. Detecting breaches requires logs of activity, preferably including specific user IDs and IP addresses that can be traced back to an individual user or device. Systems like firewalls, WiFi routers, and servers all have logging capabilities, but it is difficult to filter through all the information and identify a breach or attempted breach. There are solutions available, however, for making sense of these logs and setting up rules to flag exceptional behavior or specific IP addresses. Carefully evaluate the vendor’s own cybersecurity and privacy policies, as they will have access to the logging data too.
The monitoring logs also become a great forensic tool after a breach. A threat that has not been described specifically is difficult to detect automatically, but when research is required based on a tip or suspicious activity, the logs can be combed for useful information.
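As an added illustration (not code from the original post), the rule-based log review described above, applied to two threats from the list earlier on this page: an after-hours login by a vendor account, and one external address probing many firewall ports. The log format, the account name `vendor-msp`, the business-hours window and the port threshold are all assumptions; the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): an auth log and a firewall log.
LOG_LINES = [
    "2016-06-01T09:12:03 auth login user=jsmith src=10.0.1.20 result=ok",
    "2016-06-01T22:41:10 auth login user=vendor-msp src=203.0.113.7 result=ok",
    "2016-06-01T22:42:55 fw deny src=198.51.100.9 dst=10.0.0.5 dport=22",
    "2016-06-01T22:43:01 fw deny src=198.51.100.9 dst=10.0.0.5 dport=23",
    "2016-06-01T22:43:07 fw deny src=198.51.100.9 dst=10.0.0.5 dport=3389",
    "2016-06-01T22:43:11 fw deny src=198.51.100.9 dst=10.0.0.5 dport=445",
    "2016-06-01T22:43:15 fw deny src=198.51.100.9 dst=10.0.0.5 dport=1433",
    "2016-06-01T23:05:00 fw deny src=192.0.2.44 dst=10.0.0.5 dport=443",
]

LINE_RE = re.compile(r"^(\S+) (auth|fw) (\w+) (.*)$")  # assumed format
VENDOR_ACCOUNTS = {"vendor-msp"}   # accounts the managed services provider uses
BUSINESS_HOURS = range(8, 19)      # 08:00-18:59 counts as office hours
PORT_SCAN_THRESHOLD = 5            # distinct blocked ports from one source

def parse_line(line):
    """Split a log line into a dict of fields; None if the line is unreadable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, source, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields.update(ts=datetime.fromisoformat(ts), source=source, event=event)
    return fields

def find_alerts(lines):
    """Return (rule, subject, detail) tuples for lines matching a rule."""
    alerts = []
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Rule 1: a vendor account logging in outside office hours.
        if (rec["source"] == "auth" and rec["event"] == "login"
                and rec["user"] in VENDOR_ACCOUNTS
                and rec["ts"].hour not in BUSINESS_HOURS):
            alerts.append(("after-hours-vendor-login", rec["user"], rec["src"]))
        # Rule 2: collect denied ports per source for a scan check.
        if rec["source"] == "fw" and rec["event"] == "deny":
            ports_by_src[rec["src"]].add(rec["dport"])
    for src, ports in ports_by_src.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            alerts.append(("port-scan", src, len(ports)))
    return alerts
```

Both rules only flag events; deciding whether the after-hours login was an approved maintenance window is still a human follow-up, which is why the source address is kept in the alert.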
Having aggressive firewall rules and detailed policies and procedures documentation doesn’t mean everything has been done to secure your data. Periodic testing of your configurations and procedures is required to identify vulnerabilities and ultimately address them. The following tests will not only help secure your environment, the artifacts they produce are strong evidence of how seriously your organization takes security.
In order to provide a baseline of current systems configurations, qualified consultants can scan the environment very quickly and provide an overview of everything on the network. If someone is hiding an old Windows XP machine in a closet, it will show up on this assessment. It also identifies devices that:
- Require operating system updates
- Are behind on virus updates
- Have open ports that may be exploited
- Have a browser extension installed that is unsafe
Periodic scans provide an update of the networked environment and list items to address from a security standpoint. How often you run these scans depends on your budget. It is important to perform the assessment at least yearly, but more often if the environment is changing (adding new equipment, etc.). If you have major gaps reported in your initial scan, you’ll of course want to plug them and then re-scan soon thereafter.
Even after patching all the items from the vulnerability scan report, cyber-crime exposure may still exist. A penetration test, despite its unfortunate name, is a good thing! For this test, a qualified vendor (sometimes called white hat or ethical hackers) uses actual hacking techniques to try to break through the defenses set up so far. If they are successful, work with the IT department or managed services vendor to address the newly discovered vulnerabilities.
It may be surprising to find that ethical hackers will use social engineering tricks to gain access to your network. A quick call to your Director of First Impressions along with access to an employee’s Facebook page may be all that is needed to exploit human psychology.
It is usually a good idea to use a trusted 3rd party vendor not affiliated with the IT department or managed service provider to ensure the team delivering the bad news about their hacking success isn’t afraid to do so.
As with any disaster plan, it’s prudent to test procedures before an actual breach occurs. A response team should be created with representation from across the organization, including those who will need to communicate the breach (PR), those recovering the data, and the person(s) responsible for understanding the impact to clients, etc.
Periodically gather the response team and work through a test of your procedures. Even the most basic, high level run-through of a scenario (say, CEO’s email was hacked – what do we do now?) can elicit gaps in the plan. If you have identified the specific threat in your list, you should already have a mitigation plan that hopefully has enough detail to provide guidance when needed.
More and more organizations are realizing the role they play in protecting their clients’ data as it passes through their systems. This recently published article by CNBC presents the option of adding cyber-insurance as a rider on E&O coverage. And, consistent with the example above on spoofing, they emphasize insuring wire transfers.
According to this SecurityIntelligence.com article, the cost per person for a breach is $158. Insurance is worth pricing when the average cost of a breach is $4 million. When shopping for cyber-insurance products understand they are relatively new and prices vary significantly as the market tries to understand the true costs involved in a breach.
Unlike some other topics, training employees on cybersecurity best practices can be an interesting exercise. The tips provided are useful in the office and at home. Topics like how to detect suspicious emails, steps to perform if a device becomes infected, who to contact if something seems suspicious, etc. can be central themes in periodic training. Be sure to have training available to new hires as well as ongoing refresher sessions for everyone.
There should be a clear route for communicating potential or actual breaches. Make sure every employee knows this policy and understands the importance of identifying issues early.
Any business that uses data is under attack. As our systems improve and continue to interconnect in more and more ways, security has to be at the foundation of any networked environment. You will need policies regarding paper-based processes (shredding, etc.), but the real treasure trove for someone trying to exploit vulnerabilities is in the digital realm. Millions of records can be exported in minutes or less. Once a breach occurs, the impact to your reputation can be tremendous, not to mention the financial impact if, for instance, credit protection needs to be purchased for clients who trusted you to keep their data safe.