Financial Professional Cybersecurity Part Two

By Harry J. Lew

Once you have a cyber risk plan in place, what’s next? Execute the best practices available for keeping your firm and clients safe. Although there are entire college courses and shelves of books devoted to this topic, here are 11 of the key things you should do, according to leading experts.

1. One of the most important best practices is to use multiple defenses to make it more difficult for hackers to break into your network. This is often referred to as having a layered cybersecurity program. Three of the most common layers suggested are making sure your passwords are robust, using multifactor authentication, and training staff to be security aware at all times. The next three items will explore each of these in greater detail.
2. According to Nick Graff, consulting director of Information Security for CNA Risk Control, the problem is people have difficulty remembering all their passwords. So they tend to use the same ones for many different sites. Hackers love this because once they figure out one password, they’re able to use it to break into multiple sites. Solution? Writing in Property Casualty 360, Graff recommends agents use a password manager in which one password provides access to the application, which automatically generates strong passwords for all your different websites and business accounts.
3. Multi-factor authentication refers to using multiple information types to authenticate a user’s identity. According to Graff, typically firms use two out of three types to harden access to their IT systems: something you know (e.g.: a password), something you have, often a multi-digit code sent to you by a firm, which you enter, along with your user ID and password when trying to secure access, and something you are (e.g.: your finger for unlocking your smart phones fingerprint reader. By using at least two of these methods, you make your computer an order of magnitude harder for hackers to break into.
4. Security awareness is crucial, Graff says, because hackers are becoming increasingly sophisticated in their attacks. They send phishing emails that are almost impossible to tell from the real thing. They’re even stealing staff information from their LinkedIn accounts and then using it to get access to their work computer accounts. Finally, even though they may be based in remote countries around the world, they know how to time their attempts with U.S. cultural/political events such as holidays and tax-payment deadlines. Bottom line: in order to keep your company safe, you have to harden your employees against such attacks, which are fundamentally low-tech, yet are highly effective because human employees continue to make silly mistakes even in this day and age.
5. According to Former Homeland Security Secretary Michael Chertoff, using software patches as soon as they’re sent is crucial. What’s more, firms need to have written protocols to make sure this doesn’t get overlooked.
6. Encryption is another core cybersecurity technique. According to Symantec Corporation, a leading security vendor, encryption is defined as the process of protecting your data by applying a secret code to scramble it. Only people who have the code key are able to read it. One way to benefit from encryption is to only deal with websites that use a so-called Secure Sockets Layer, which is a form of encryption applied when data enters or leaves a website. A green padlock icon in the URL bar and an “s” at the end of a URL’s “http” is your assurance that you’re sending and receiving information in a secure fashion online. Encrypting your business e-mail correspondence is another key technique. Here you can either purchase your own encryption application or use your FMO’s, RIA’s, or BD’s secure client-access portal. In either case, it’s always wise to send as little sensitive information via e-mail as possible.
7. Hardening your network and individual PCs against breaches is another essential technique, says the Agents Council for Technology, a unit of Independent Insurance Agents & Brokers of America. It starts by installing a hardware-based firewall at the network level, which should include anti-virus, anti-spyware, and anti-spam measures. It should also include content filtering and intrusion prevention, detection, and real-time reporting. At the individual PC level, each computer should be updated from a central source and have anti-virus, anti-spyware, and anti-spam capabilities installed on their hard drives. They should also be configured to automatically update their operating systems and applications in order to utilize the latest security patches.
8. ACT also suggests agents and advisors also check with their bank to make sure their online banking system provides multiple layers of security (such as token-based authentication) so that every transaction they do with the bank is reasonably well protected.
9. For those that don’t use a password manager, it becomes even more important to use strong passwords. According to the Federal Communication Commission’s Cybersecurity Planning Guide, that means they should be random, complex, at least 10 characters long, and changed frequently.
10. According to a paper generated by the Small Business Trends online community and Microsoft, financial professionals should consider using a separate computer for their financial transactions. By not commingling banking and bill-paying activities with other tasks such as social media posts, emailing, and web browsing, you minimize the chance that an intruder entering through those activities is able to identify and penetrate your financial accounts and data.

According to ACT, taking preventive measures against data breaches is crucial. But so is testing those defenses periodically to see whether they can withstand a hacking attempt. Two recommended techniques in this regard are penetration testing and vulnerability assessment. The former consists of annual testing of a computer system, network, or web applications to find weaknesses a hacker might exploit. A vulnerability assessment is a biannual process that assesses a company’s security holes without actually attempting to gain entry. Both are useful exercises for making sure that cybersecurity plans and best practices will stand firm in the real world of criminal hackers and sloppy employees.