As financial professionals, every day your computer, your network, and your employees enter the cyber battlefield against an ever-growing and more sophisticated army of cybercriminals. Their goal is ultimately to make a quick buck. And, those bucks can easily become six figures in a matter of just a few clicks. If they can’t get your money easily, they’ll gladly take your personally identifiable information (PII) and then find a way to monetize that data. Here are a few methods for staying vigilant and ensuring you’re not the next victim of a cyberattack.
Evaluate the Current Environment
What threats are you and your team most prone to? Right now, the abrupt shift to a remote workforce due to the pandemic has also shifted the focus of cybercriminals to remote workers as home networks lack some of the inherent protections of a large enterprise. In fact, a recent study found that 47% of individuals fall for a phishing scam while working from home – which can cost an organization on average as much as $137,000. [1]
In April of 2021, Federal Reserve Chairman Jerome Powell stated, “the world evolves… and the risks change,” and further warned that cyber-attacks are the top threat to the financial sector and the economy. The risk of a cyber incident, Powell said, is something he is far more concerned about than encountering another financial crisis, much like the one in 2008.
While the financial sector has generally thought to be ahead of other sectors when it comes to cybersecurity, a report from November warned that the financial sector is still not keeping pace with the risks[2] cybercriminals pose to the global system. And as this continues to be top priority, be aware of federal regulations that are on the horizon pertaining to cybersecurity.
How do Cybercriminals Get What They Want?
Cybercriminals will seek out the weakest cyber link in your company. One of the quickest methods is through phishing emails. Phishing attacks attempt to get recipients to download a malicious attachment, click on a malicious link, or provide a password. Additionally, attackers often utilize email spoofing attacks which is a technique used to trick the recipient into thinking a message came from a person or entity they know or can trust by forging the email headers so that the email appears to be from someone legitimate. These emails typically appear to be from an employee in a position of influence, and the message always seems to contain a sense of urgency to take action.
Cyberattacks are rarely due to hardware vulnerabilities or outright physical theft. Your hardware can be hardened, and your software can be updated – but that isn’t enough when 88% of cyber breaches occur from human error.[3]
How You Can Protect Yourself and Your Firm
Training is critical, but the only way to know if your training has been effective is to put your team to the test. As a Registered Investment Advisor, if you haven’t put your advisors and staff through a phishing test, you should. The results may surprise you! Private Advisor Group offers access to ongoing phishing and security awareness training for our community of advisors. If you’re not currently affiliated with us, your respective company may offer a similar program or training.
Testing will complement your education and training to help build muscle memory. In addition to understanding the first lines of defense, such as hovering over an email address to verify it follows the ruleset of the company’s domain, it reinforces and identifies instincts and the key signs that should make you suspicious. For example – Why has the sender addressed me as Michael when they always use Mike? Why does their signature look different? Where is the company disclosure that is normally part of their email? This message is out of character for the sender; why the urgency to take action?
If you think you have received a phishing email, report it to your technology provider and delete the message without clicking any links or downloading attachments. If you’ve been targeted by an attacker, chances are that your coworkers have been as well. By reporting suspicious emails, you can help keep your firm safe.
Furthermore, best practices such as multi-factor authentication, encryption, and password hygiene are great measures to keep on your team’s radar. Not changing passwords frequently or reusing the same password across platforms can be an even bigger win for cybercriminals looking for access to your entire network. Password managers are a great alternative to trying to remember hundreds of unique passwords or writing them all down in an unsecure notepad.
When fighting on the cyber battlefield, pause and think before you click. Take the time to verify that you’re handling your data properly; your clients will appreciate it.
For more information and tips on how you can protect yourself, visit ready.gov/cybersecurity.
[1] https://www.tessian.com/blog/why-we-click-on-phishing-scams/
[2] https://www.cyberscoop.com/financial-cybersecurity-carnegie-endowment-report/
[3] https://www.influencive.com/human-error-is-still-the-number-one-cause-of-most-data-breaches-in-2021/