Online threats are more of a reality than they ever have been. That is why TD Ameritrade brought in several speakers to LINC, its national conference in Orlando, Fla., to advise financial advisors on what to do.

Here is advice from three different speakers:

1.  Be prepared for cybercrime. 

“The breach is inevitable,” stated Theresa Payton, former White House CIO, cybersecurity authority, and expert on identity theft and the internet of things. She added, “When security breaches happen, they are so disastrous.” Her advice was to know which of all the data a business has is the most critical. Focus on the top two areas and create different protection levels. “Firewall it off,” she advised.

She recommended doing a “walk around” like she did for the thirteen branches under the President of the United States. Sometimes associates know the policies but actually do other things with information, like take pictures of it, print it out or put it on a thumb drive.

The bad guys are out there, and they are constantly changing little bits of code, which makes it super hard for the anti-virus companies to keep up. Payton said to picture the famous I Love Lucy scene when they cannot keep up with the candy on the conveyor belt in the factory. Every 90 seconds a new piece of malware is created, she added.

Still, three quarters of breaches are due to the user being tricked. She joked that we have figured out it is not really a Nigerian prince that is leaving you money, but now they are getting smarter.

Payton predicts that ransomware will go up. There are even some cases where it makes sense to pay the bad guys. Extortionware is also an increasing risk. She told a story where hackers stole the executive team’s emails and threatened to dump them on the Internet. She advised asking if cybersecurity insurance will cover ransomware. Geofencing is another concern as the bad guys can gain a lot of data on a person and know their habits and location.

Your employees are going to mess up, so Payton recommended taking proper precautions, training your team and getting prepared for a breach because everything is hackable.

2.  Know what to do before a cyber attack.

Craig Moreshead, director of compliance at Regulatory Compliance, advised creating a strategy from industry best practices. Using the Division of Investment Management Guidance Update 2015-02, he advised doing a periodic assessment. This includes knowing the nature, sensitivity and location of information. It is important to know that external and internal threats exist. He suggested hiring a company to send fake emails to associates to see how many will click on them. Likely many will make mistakes, so it becomes a good training exercise. Also, set up security controls and processes, know the potential impact of a breach and determine the effectiveness of the governance structure.

 

Next, Moreshead recommended creating a strategy to prevent, detect and respond to threats. Answer these questions: Do you control access to systems and data? Do you use data encryption? Are you protected against a loss? Is your data backed up and retrievable? Do you have an incident response plan? For example, who investigates the problem? How will it be contained? Who brings in IT, legal counsel and a consultant firm?

To implement the strategy, he said to have written policies and procedures, staff training, company monitoring and even client education. “Yes, the SEC mentioned client education,” said Moreshead. That is because there is some benefit in the form of breach prevention. Plus, it will be surprising how positively the clients respond to the education.
 

3.  Make the hackers’ attempts less likely to succeed.

Brian Edelman, CEO of Financial Computer, is glad now that being prepared for cybersecurity is a requirement and function of the compliance team. The SEC has made the chief compliance officer responsible for this.

When designing an integrated cybersecurity plan, it does not have to be complicated; it just has to be in place, advised Edelman.

He recommended some best practices that include two-factor authentication; encryption on private information, especially related to client emails; managed antivirus/anti-spyware; IT support; a firewall; educating staff and clients; and not connecting to an open Wi-Fi. “Every phone has a built-in hotspot. Use it,” instructed Edelman.

The regulators are looking to see that you made an attempt to protect information, as they know it might be impossible to protect everything.

“There are a whole series of things you can do,” said Edelman. “Combining things makes it harder for the hackers.” He believes that at the end of this year the industry will be more secure than it ever has been, but cybersecurity will always be evolving.

Mike Byrnes is a national speaker and owner of Byrnes Consulting, LLC. His firm provides consulting services to help advisors become even more successful. Read more at ByrnesConsulting.com and follow @ByrnesConsultin.