Last week, I attended a cybersecurity roundtable discussion organized by the North American Securities Administrators Association (NASAA). The Federal Bureau of Investigation (FBI), Securities and Exchange Commission (SEC), Treasury Department and the security teams of small and large corporations were all there to discuss the current state of cyber threats and how financial advisors can protect their own businesses as well as their clients from attacks and data thefts. It was interesting to hear about all the ways in which cyber attacks can happen to normal people (not just fortune 500 companies) and so I wanted to share some of the key takeaways.
Security is something we at North Financial take very seriously. We use encrypted cloud based software and strong, unique passwords with two factor authentication where it’s available. I hope that you can use these tips to see how well you’re doing and adopt a few of these suggestions to improve your existing efforts. It’s especially important to pay attention as it relates to your financial accounts as well as personally identifiable information you have online.
Here are some common ways hackers work according the FBI:
- Sketchy websites and third party games run through web apps or popups within another program (like Facebook) have very few security frameworks or checks. Don’t assume they’re endorsed by the company that linked to them. Hackers can use these to run adware and scripts that run in the background and steal data/information/passwords. Pay attention to the URL before you click unknown links on websites or emails to verify if it’s a legitimate website.
- Impersonating emails (phishing attacks) that pose as a service you use by copying the logo, verbiage and tone of emails you normally receive. Any links you click may look similar to the website mentioned in the email, but if you enter your credentials your data may be stolen or hacked. You have to pay special attention to the sender’s email address to see whether it’s valid and examine the email carefully. If you receive an email that seems fishy — don’t open it. Instead login the mentioned account directly via the web to check for any messages or information.
- Spear phishing: very similar to phishing attacks above, but the hackers do significant research on an individual (using hacked emails and social media) to be able to further impersonate them in attempt to steal more information or trick users into providing signature authority on invoices or other money-stealing techniques.
- Ransomware: Hackers use means listed above to hack your system, lock and encrypt your hard drive or cloud drives and refuse to give it back unless you send money. If you send money, they request more money and don’t give back the data. Best bet is to ignore and restore a backup. Of course, this requires you to have a backup in the first place. A physical backup versus cloud backup is safest.
Here are the top 5 ways you can protect yourself as a consumer according to the experts:
- Strong passwords: Set a unique and long password for every single site you’re on. But pay special attention to the passwords you use for financial accounts, social media and email and those you use as “keys” to other sites. Don’t overlap any of the passwords you use for these types of accounts. Make each one unique. If you use the same password for multiple accounts you’re putting yourself at risk as a simple gateway to one of the attacks listed above. Use a password vault to track and create long passwords (16+ characters) for all your websites. Do not make this a file on your desktop called passwords! The use of passphrases is another safe option – the longer the password, the better. Length and not necessarily complexity is the best way to deter hackers.
- Two-factor authentication: Enable two-factor authentication where it’s available. Many sites have varying levels of authentication that you can choose from. At a minimum you should be notified when there’s a new login to a site you use. Here’s a guide to two factor authentication.
- Practice email safety: Assume anything you send through email is public. Never send personal identifying data in email, messaging apps, or social media (such as social security, passport info, driver’s license, etc.). Assume all emails you send at work are viewable by your boss. See these additional tips for avoiding identity theft.
- Use ad blockers: Download and run an ad block program, and control your browser settings to prohibit scripts or popups running in the background without you knowing. Keep your browser up-to-date (see #5 below). Many high-rated ad and popup blockers are downloadable plugins for your browser. The Brave browser is one option. It comes with ad blocking installed and it also has a mobile app with the same protections.
- Patches/updates: Always download the latest security patches and bug fixes for your hardware and software including computer, tablet, phone, browsers and antivirus software. These patches will ensure the most recent breaches/problems are fixed for your machines. If you have a computer that’s too old to run the newest security patches consider upgrading.
If you’re a business owner consider the following additional steps and weigh the pros/cons/costs carefully:
- Map out your “assets.” Where do you have data? Who has access to data on the web and physically through company computers? Which of these are most vulnerable in terms of client data? Do you have old computers with sensitive data in your home/office? Making a list of all the websites and cloud services you use and pay special attention to any data linkages (i.e. your google address/login also logs you in to twitter). A password vault like KeePass, LastPass, or Dashlane can do double duty as an asset inventory. Having an inventory makes it easier, in the event of a hack, to figure out how bad the damage is and how to go about fixing the problem(s).
- Use a cloud backup in addition to a physical hard drive backup. If your cloud storage is ever hacked or compromised you’ll have a physical backup (see ransomware comments above). Make sure the drive is password encrypted. Furthermore, make sure your own computer’s hard drive is encrypted (see how for PC or Mac).
- Use a virtual private network (VPN) to prevent lurkers from stealing data when you’re on shared networks.
- Consider cyber insurance either as an add on to another business liability policy or something stand-alone. Pay special attention to requirements of the policy. For instance, what systems and protections do they require you to have before your claim is valid? Also ask whether your policy covers just you and your business or you customers too. Find out what the claims process looks like and how the benefits work (deductibles/limits) if a claim is accepted. What are the exclusions? Is an investigation by a regulator covered? Are legal defense costs covered?
- Contact the authorities as soon as possible if your business has been hacked. Time is of the essence to recover lost data or prevent further hacks.
- Review the National Institute of Standards and Technology – NIST cyber framework or at a minimum the cyber framework FAQ. Depending on your industry, your primary regulatory agency or professional association may have additional or streamlined security guidelines.
- If you have several offices or IT systems think about doing a vulnerability scan every so often. Companies such as Qualys have free or low cost version of the software and there are consultancies that specialize in finding vulnerabilities.
The bottom line is you should educate yourself on the latest ways hackers are getting data and take steps to address vulnerabilities. There is no shortage of hacks in the news right now (see here, here and here just in the last few months). Many of theses approaches I mention are somewhat tedious to set up, like two factor authentication or adopting a password vault system, but after you take these proactive measures, maintenance of your cyber protections becomes much easier. If you do the above, you’re going to deter hackers and make yourself a less attractive mark.