How RIAs Use Vulnerability Testing to Protect Their Assets

Author: Craig Pollack Date: Mar 12, 2015 Topics: Investment Advisor Blogs, Cybersecurity

The threat landscape has transformed in recent years, and the trusted old combination of a firewall and anti-virus software is no longer adequate protection against the more sophisticated attacks we’re seeing these days.

A “belt and suspenders” approach with more layers of defense is needed: web security solutions, intrusion prevention services, anti-spam, and more.

To determine which protective layers meet an investment advisory firm’s needs, we’re seeing more and more managers turning to security assessments with network vulnerability testing at their core.

Vulnerability testing, also known as vulnerability analysis or assessment, is a procedure that identifies and categorizes the externally facing security flaws in a company’s IT infrastructure.

Running vulnerability tests can determine how effective proposed countermeasures will be, and can evaluate how well they actually performed once implemented, rather than discovering the gaps only in response to a crisis.

Vulnerability analysis consists of several steps:

Defining and Classifying Infrastructure Resources

Every resource on the system or network that could be a potential target for a cyber attack is defined and classified. This includes onsite servers, desktop PCs, laptops, tablets, smartphones, switches, routers, and firewalls.

Cataloguing the resources that deliver online services and hold confidential firm data makes it easier to pinpoint the source of a DoS (Denial of Service) attack, a hack attempt, or a malware infection.

Assigning Relative Levels of Importance to Every Resource

There are many potential points of failure when evaluating possible vulnerability exposure. Which components are the most vulnerable? Which resources are instrumental in maintaining business continuity and/or contain sensitive files? All machines and devices need an importance level assigned to them so that corrective measures can be taken on the basis of how urgent the problem is.

In the case of a multi-target attack, web servers would take priority over smartphones. For “data leakage”, smartphones and USB drives would be a high priority. For malware prevention, GPOs (Windows Group Policy Objects) might hold a high ROI for review and preventive adjustment.

Identifying Potential Threats

This stage is sometimes performed using techniques known as “ethical hacking”: internet security experts or specially designed software packages intentionally probe a system or network to locate weaknesses. The results are used to develop defenses against genuine hack attempts.

Putting Together a Plan to Deal with More Serious Problems First

Once security holes have been pinpointed and plugged, a remediation plan must be formulated to address the remaining issues so that they don’t become future crises. Senior managers need to:

  • Document the steps for making major decisions, such as quarantining any areas of the network that have been infiltrated
  • Identify the personnel who are integral to incident response and business continuity
  • Ensure that response plans are available to all employees in the firm, and that everyone knows what they need to do in the event of a security breach

Defining and Implementing Ways to Minimize Attack Consequences

As they say in the security industry, “it’s not a matter of if – it’s a matter of when”. No matter how sophisticated a firm’s security is, it will be attacked sooner or later. Backing up data routinely, distributing the disaster recovery plan, and ensuring that systems are in place to keep operations going will minimize the consequences of a security breach. The following steps are also recommended to ensure data integrity:

  • Encrypt all sensitive data so it becomes harder for attackers to steal
  • Provide employees with access only to the files and applications they need to do their jobs
  • Implement a two-factor authentication process: do not rely on passwords alone
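The classification, importance-level and “most serious problems first” steps above can be turned into a repeatable prioritization routine. The following Python model is an added example, not code from the original post: the asset inventory, the importance and severity scales, and the sample findings are all constructed, and a finding against an asset that was never classified is treated as an inventory gap rather than silently scored.

```python
from dataclasses import dataclass

# Constructed scales: importance comes from the asset-classification step,
# severity from the scan findings. Both are assumptions, not a standard.
IMPORTANCE = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SEVERITY = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str               # server, laptop, smartphone, firewall, ...
    importance: str         # key into IMPORTANCE
    holds_client_data: bool


@dataclass(frozen=True)
class Finding:
    asset: str              # must match an Asset.name in the inventory
    issue: str
    severity: str           # key into SEVERITY
    externally_facing: bool


def priority_score(asset: Asset, finding: Finding) -> float:
    """Importance x severity, weighted up for internet exposure and client data."""
    score = float(IMPORTANCE[asset.importance] * SEVERITY[finding.severity])
    if finding.externally_facing:
        score *= 1.5            # reachable from the outside: fix sooner
    if asset.holds_client_data:
        score += 5              # confidentiality duty to clients
    return score


def remediation_plan(assets, findings):
    """Return findings ordered most-urgent-first as (score, asset, issue)."""
    inventory = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:
            # Step 1 was incomplete: every scanned target must be classified first.
            raise KeyError(f"finding for unclassified asset {f.asset!r}")
        ranked.append((priority_score(asset, f), asset.name, f.issue))
    # Highest score first; ties broken deterministically by asset then issue.
    return sorted(ranked, key=lambda t: (-t[0], t[1], t[2]))


# Constructed sample inventory and findings for a small advisory firm.
ASSETS = [
    Asset("web-01", "server", "critical", True),
    Asset("files-01", "server", "high", True),
    Asset("phone-cp", "smartphone", "medium", True),
    Asset("lap-07", "laptop", "low", False),
]
FINDINGS = [
    Finding("lap-07", "outdated browser plugin", "low", False),
    Finding("phone-cp", "no device PIN enforced", "critical", False),
    Finding("files-01", "SMB signing disabled", "medium", False),
    Finding("web-01", "TLS private key world-readable", "high", True),
]
```

Running `remediation_plan(ASSETS, FINDINGS)` puts the externally facing web server first and the laptop last, matching the ordering the article argues for.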


Bottom Line

The financial services industry has a heightened duty to its clients. Safeguarding client information, as well as your reputation, is critical to your success as an investment advisor. If a vulnerability analysis detects security holes, act quickly. There are many ways to address your newfound vulnerabilities, from business continuity software packages to security assessment and remediation services. But the first and most important point is to do something.


Has your investment firm used vulnerability testing on its network and systems? And does it do it on a recurring basis? Let us know your thoughts in the Comments box below.


And to follow-through on the tips introduced in this short article, be sure to download your free guide, Investing in High Net Worth Clients: The LA Investment Advisor's Guide to Using Technology to Manage and Grow Your Firm.




Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.