Aware of the potential threats, financial advisers are increasingly utilizing security awareness training for employees, as well as better technological controls, to protect their data.
Indeed, security awareness training ramped up in recent years among FSIs large and small, as a means to prevent cyber-intrusion — particularly as many struggle with infrequent customers access and hold very critical financial data. For this final piece in a three-part series examining the threats and challenges facing financial advisers, SC Media looked at such tactics as a means to improve the state of play.
“Financial advisers should receive security awareness training to teach them to spot business email compromise threats as well as other social engineering attacks,” said John LaCour, principal strategist with Hep Systems. “All accounts, both those used by the client and custodian accounts used by the adviser, must have two-factor authentication on them.
“And advisers should never transfer money or make investments based on instructions received over email – they must be voice verified,” LaCour added.
As a former cybersecurity auditor, now running a security awareness training company, Santora says this issue presents a huge concern. “[We need to] show them what can happen,” he said, adding that as with other financial segments, it is important that advisers run simulated phishing tests against them to train themselves. “But above all else, don’t lose faith in the fact that security is part of a business and mistakes will happen. It’s how we learn from those mistakes and make process changes that drive us forward.”
Nick Santora, CEO of cybersecurity training firm Curricula, points out that his company uses phishing simulations to train, educate, and make employees aware of “all the diverse problems they may face in real life."
"But we continue to make our employees upset with the way we push phishing tests on them," he continued. "Then they end up resenting security instead of embracing it.”
Sameer Ansari, managing director and leader of U.S. cyber and strategic risk services for the investment sector, said that tefforts afoot for “financial advisers to move security controls for data further down the stack so they data itself is protected" in addition to the applications that use them.
"Financial advisers are looking at things like data encryption, tokenization and masking as key components of their layered cybersecurity approach to protect their data assets in cloud, hybrid and on-prem environments in a manner consistent across the enterprise,” ,” he added.
Another complication: Financial advisers are also often given access to an FSI’s overall backend financial systems, according to Shalom Carmel, chief information officer at GlobalDots. “The biggest risks financial advisers have is therefore the exposure of customer data and of customer access credentials to third parties. The fact is that computing devices belonging to financial advisers are at least as likely to be attacked and compromised as devices belonging to other professionals.”
To this end, Carmel recommended that financial advisers large and small should “encrypt the customer data at rest, use secure channels of communications, use strong authentication methods, have malware detection measures, and separate work environments from home usage,” especially recently with so many more employees working from home.
Carmel recommends that financial advisers have a “dedicated work computer,” to which no one else in their family has access, an encrypted hard disk, a commercial antivirus protection system, strong password and secondary authentications, and the use of a VPN. “Having said that, the most important effect will be by regulation,” says Carmel. “Until the regulatory bodies catch up with the 21st century, too many independent financial advisers will continue to ignore the most basic security measures.”
This is part three in a three-part series that examines the specific security challenges facing financial advisers, and the approaches they can take to protect networks and data amid unusual times. Read part one and part two for full coverage.