Cyberattack should prompt advisers to ask their IT professionals hard questions

Last week's ransomware attack reveals system vulnerabilities

May 15, 2017 @ 2:25 pm

By Liz Skinner

Advisory firm owners should be asking their information technology experts two important questions to protect their businesses from the "WannaCry" ransomware attack that hit more than 200,000 computers in 150 countries in recent days and from future cyberstrikes.

First, ask whether the firm has a patch management system for making updates to software on a regularly scheduled basis, as well as a method to implement quick fixes when necessary, said Jason Graf, security analyst and ransomware expert for Sword & Shield Enterprise Security Inc.

Microsoft issued a patch it labeled critical in March that firms should have immediately downloaded for all their computers, instead of waiting for their regular updating cycle of every 60 to 90 days, he said. That patch was released for current systems.

(More: Passwords to become passé, as more firms back biometrics)

The second question to ask is whether the firm uses any unsupported systems, meaning those where the vendors of those tools no longer provide updates and security patches to those versions. Microsoft took the unusual step over the weekend of saying it was providing a patch for older versions of Windows, including Windows XP and Windows Server 2003, which gave those firms that didn't have updated systems an option they would not ordinarily receive.

"Business leaders need to ask their IT people the hard questions," Mr. Graf said. "Do not assume that you don't have these outdated systems in your environment."

The ransomware attack that was unleashed late last week was especially damaging because it had a mechanism to spread through the network, looking to infect other computers that hadn't been updated to stop the worm.

The malware used a technique purportedly stolen from the U.S. National Security Agency. It affected the U.K.'s National Health Service, Russia's Ministry of Interior, China government agencies, Deutsche Bahn, automakers Nissan Motor Co. and Renault, PetroChina, logistics giant FedEx Corp., and other company and hospital computer systems in countries from Eastern Europe to the U.S. and Asia.

The hackers used the tool to encrypt files within affected computers, making them inaccessible, and demanded ransom — typically $300 in bitcoin.

Victims have paid about $50,000 in ransom so far, with the total expected to rise, said Tom Robinson, chief operating officer and co-founder of Elliptic Enterprises Ltd., a ransomware consultant that works with banks and companies in the U.K., U.S. and Europe.

Mr. Robinson, in an interview by email, said he calculated the total based on payments tracked to bitcoin addresses specified in the ransom demands.

Advisory firm RS Crum has been proactive in the last few years to secure its data, and it hasn't had any breaches.

"We have learned that you cannot be perfect in your defense, but with some diligence, you can remove the low hanging fruit that will hopefully lead to the 'bad guys' looking elsewhere for an easier target," said Ashley Bleckner, a financial adviser at RS Crum.

(More: Is cyberinsurance worth the cost?)

Her firm, which has eight people and manages about $400 million in client assets, has an outside agency perform a security audit of its safeguarding practices and systems several times a year.

After checking with her firm's IT consultants, she confirmed RS Crum has a regular patch management program and does not have any unsupported systems.

RS Crum also verifies all wire transfer requests with a phone call and changes its passwords every 90 days.

"In the past five years, this has become a top priority for our firm because data is so valuable, and once it's gone, it's gone," she said.

Bloomberg News contributed reporting to this story.

0
Comments

What do you think?

View comments

Recommended for you

Upcoming Event

Oct 23

Conference

Women Adviser Summit - San Francisco

The InvestmentNews Women Adviser Summit, a one-day workshop now held in four cities due to popular demand, is uniquely designed for the sophisticated female adviser who wants to take her personal and professional self to the next level.... Learn more

Featured video

Events

InvestmentNews celebrates diversity & inclusion in the financial advice business

Highlights of the Excellence in D&I Awards, showcasing the achievements of 26 individuals and firms that are moving the needle when it comes to diversity and inclusion.

Latest news & opinion

SEC commissioner Stein suggests Congress address differing broker, adviser standards

She said lawmakers may have to change 'solely incidental' language that lets brokers give advice.

Social Security and the fear of missing out

How to lower expectations when clients think they're owed a bigger Social Security benefit.

7 things advisers should do today to boost diversity and inclusion

Creating diversity and inclusion within financial advice firms is challenging, but these InvestmentNews Excellence in Diversity & Inclusion award winners have suggestions that firms can put into practice today

The midterm elections: What's at stake for financial advisers

A shift in control of the House could change the course of important issues, including the SEC advice rule, tax reform and retirement policies.

What to tell your clients after they've won the lottery

The current combined Mega Millions and Powerball jackpots are more than $850 million. What should you tell your clients if they have a winning ticket?

X

Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting investmentnews.com? It'll help us continue to serve you.

Yes, show me how to whitelist investmentnews.com

Ad blocker detected. Please whitelist us or give premium a try.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print