The biggest cyberthreats RIAs face

Ninety-five percent of breaches stem from human error; low-tech vigilance goes a long way.
MAY 26, 2016
By Bryan Baas
Fending off cyberfraud is often portrayed as a battle with hackers employing sophisticated technology, but the weakest link at most firms is typically low-tech: their employees and clients. Installing anti-virus software and firewalls only takes you so far when you consider roughly 95% of breaches stem from human error, such as sending personal data over unsecured Wi-Fi networks or wiring money to a "client" based on emailed instructions, according to a 2014 study by IBM Security Services. The best defense, then, is some old-school vigilance.

The first thing to accept is that cyberfraud is pervasive. While custodians and advisers are getting better at detecting and fending off fraud, not a day goes by when we don't learn of some attempt. Never assume it won't happen to you.

The biggest cyberthreat for RIAs is fraud losses stemming from hacked email accounts, which hold a treasure trove of personal information and yet are often poorly protected with weak passwords. Bad guys gain access to years of correspondence, including conversations with an adviser, and then pose as the client. Cybercrooks typically will then demand urgent cash transfers and hope the adviser will act without further enquiry, taking advantage of the RIA's desire to provide excellent service.

If you take action based on email instruction alone, please stop. Pick up the telephone and call the client to ensure they requested a payment. Double-checking is not poor service; it's a roadblock against bad guys. You'd be amazed how often fraud attempts are stopped with a phone call.

The good news is that heightened awareness helps reduce the risk, but the threat isn't going away. My colleague Lou Steinberg, TD Ameritrade's chief technology officer, told RIAs at a conference last year that there are myriad threats to your personal data. For example, question how programmers make money from a free mobile app; the answer usually involves your personal information. Does a smartphone flashlight really need access to all your contacts and browsing history?

The internet-of-things trend, meanwhile, means more devices are getting connected to your home networks. Hackers, true to form, are developing ways to steal your data through new gateways. In 2014, law enforcement detected the first virus written specifically for web-enabled refrigerators.

Choose wireless networks carefully, because your coffee shop's free Wi-Fi can be really expensive if you become a fraud victim. Take the "evil twin" strategy, where a hacker provides a fake Wi-Fi network with a name similar to the legitimate network. If you choose the hacker's network, they can intercept your data.

Smartphones and tablets, sophisticated mini computers that go out into the big bad world, are another weak spot. Unprotected phones can contract a virus and then infect your home's computer network, not unlike a toddler coming home from pre-school with the latest cold.

Cybersecurity has become a top concern of regulators. The Securities and Exchange Commission is scrutinizing advisers to make sure they have a documented plan for preventing fraud and for how they would respond if fraud occurs. The SEC last year found that 83% of advisers reported having a cybersecurity plan, but among those advisers only 51% had a recovery plan and just 57% regularly tested these plans. One firm that suffered a cyberattack, though it did very well in terms of its actual response, was the first subject of an SEC cybersecurity enforcement action because it lacked an adequate cybersecurity plan and a documented response plan, and didn't perform regular assessments of its cyberpreparedness.

If you haven't already, assess the threats to your firm, identify vulnerabilities, establish procedures and then communicate these to your staff. You yourself don't have to be an MIT graduate: Hire technology and data-security experts, and designate a chief information officer to be responsible for data security.

Ultimately, good security is about good practices. Encourage employees to log out when leaving their desks and never leave computer equipment unattended when out of the office. Back up your data. Train employees regularly, because it's human nature to resume bad habits.

A simple oversight could result in an enforcement action and fine. Cyberfraud can also lead to a loss of trust. Investors are reading the same headlines about data breaches and they want to know you're doing all you can to safeguard their information and money. So be prepared and be proactive, because when it comes to cyberfraud, it's not a case of if but when.

Bryan Baas is managing director of risk oversight and control at TD Ameritrade Institutional.
