With cybercrime on the rise and no intention of hackers stopping their efforts, you would think companies would be taking obsessive and excessive precaution when it comes to their cyber security. Yet, here we go again…almost. On February 28 the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, reported to its members that they had been the newest victim of a cyber phishing attack. How is it that the unthinkable could happen to such an organization you may ask? As in most cases, it seems to have come down to human error.
The FS-ISAC states that one of their employees “clicked on a phishing email, compromising that employee’s login credentials. Using the credentials, a threat actor created an email with a PDF that had a link to a credential harvesting site and was then sent from the employee’s email account to select members, affiliates and employees.” Thankfully for them, the secondary attack was limited and contained due to those who received the email reporting the suspicious activity. But Imagine the nightmare the FS-ISAC would have had to face if the secondary attack had been successful and a data breach had occurred….
According to the latest report from Accenture, “ With cyberattacks on the rise, successful breaches per company each year has risen more than 27 percent, from an average of 102 to 130.” This means companies need to make a diligent effort when dealing with and preventing cyber crimes from happening. FS-ISAC President and CEO Bill Nelson stated, “I would classify this as a typical, routine, non-targeted account harvesting and phishing…To say I’m disappointed this got through is an understatement… We need to accelerate 2FA (dual-factor authentication) extremely quickly for all of our assets.” Although the FS-ISAC has 2FA in place, not all employees have utilized the application, which in the long run equates to not having 2FA at all. This, along with a lack of training all employees in their onboarding process about cyber security, makes for an extremely bad situation that could have been made worse had the breach been successful.
What RIAs Can Do To Prevent Phishing Attacks
So, if such large companies, whom you would assume would have their cyber security completely dialed in, are being affected, then how can smaller RIAs even compete with preventing such occurrences from happening to them? To prevent breaches from inside, we would recommend that RIAs do the following:
- Discuss security threats with employees
- Carefully monitor employee activity on the Internet
- Implement firm policies to deter potential data theft
- Implement Dual-Factor Authentication
But above all else, the answer to this problem is: consistency! Companies must always have a proactive and consistent cybersecurity program in place and arm their employees with the proper (and necessary) cybersecurity training, so they know how to better detect and report suspicious activity. To have a successful cyber security program, ALL employees must be trained during their onboarding process and then tested and trained consistently over time.
At FPA, we are cyber security fanatics. Even our non-technical staff are trained in how to detect when social engineering tactics are being used and the steps to take once that threat is detected. Our Managed Security Services program is designed to help our clients build their security posture, implement the needed policies and procedures, prevent security events, monitor and detect intrusions and hacks, and help respond should an event occur. Our MSS portfolio includes services like:
- Managed Authentication
- Managed Dark Web ID Monitoring
- Managed Encryption
- Managed Firewall
- Managed Intrusion Detection & Intrusion Prevention Services (IDS/IPS)
- Managed Malware
- Managed Security Assessment
- Managed Security Information & Event Management (SIEM)
- Managed User Security Awareness Training
While some of these are certainly not meant to address a phishing attempt, it does go to the breadth of services a firm needs to reduce their risk as much as possible.
Having a proactive and comprehensive cyber security program in place is a MUST these days and the need for firms to address this is becoming more of a must have than a nice to have. At the same time, having these different security measures in place means nothing if staff are not trained in the proper action to take in the event that one of these cyber security controls fails. Human error is always a concern. So, it follows that firms need to take training their staff seriously and give them the tools to be a help, not a hindrance.
Is your firm currently leveraging all the tools it needs to help aid in protecting your technical assets? What are you doing to protect your systems and invaluable information? Please share your thoughts and insights in the Comment box below or shoot me an email if you'd like to chat about this in more detail.