In this age of cybercrime, an advisory firm’s greatest vulnerability lies not in the wires and waves that carry information between computers and the internet—but in the advisors and support personnel staffing those computers.

Some of the most serious hacks in history occurred not because of a failure of technology, but because of old-fashioned human weakness, John Sileo of The Sileo Group, a cybersecurity consultant who has himself been a victim of identity theft, said during a presentation to advisors at the Investments and Wealth Institute’s 2019 Annual Conference Experience on Monday in Las Vegas.

“I have learned through experience what brain scientists have learned over and over again: that knowledge alone, our awareness of these threats, does not create the change,” said Sileo. “Only our emotions do. Our personal connection to how this is relevant to the most important pieces of our lives.”

Sileo became a cybersecurity consultant because he was a victim of cybercriminals himself. As a young parent, he shifted from a career in consulting to running his family’s business—a computer company his parents had founded as a television repair shop. He hired a hard-working good friend, Doug, who was a “coding genius.”

The pair transitioned the business from computers to software development, creating web-based accounting software. Sileo felt he could trust Doug with the business, and in turn was able to spend more time with his family.

In Sileo’s case, he was his own vulnerability. He threw out copies of mortgage documents without shredding them, and they were found by dumpster-diving identity thieves.

“In my case, a woman purchased my stolen identity off the internet and used it to buy her first home in Boca Raton, Fla.,” said Sileo.

The woman eventually defaulted on the loan, drained Sileo’s bank accounts and declared bankruptcy using his identity, wiping out his life savings. “I was escorted out of the bank by security for crimes [she] committed in my name.”

A few years later, an FBI agent knocked on Sileo’s door. Sileo’s instant assumption was that they had captured his identity thief and he was going to get his life back.

Instead, the agent handed him a subpoena and explained that he was going to jail for embezzling $298,000 from his customers. He was facing 10 years of imprisonment.

“Fast forward two years through my criminal trial—my $2 million software company is gone, the family business is gone, the tea parties with (my daughters) were stolen from me,” said Sileo. “This time it was not technology that had two faces. It was Doug—a man that I loved and trusted like a brother—who stole and used my banking login credentials to steal from our clients. He exploited my trust to fund some really sick habits, then he cut the rope and let me fall.”

Rock bottom came two years later, while Sileo was still poring over documents and working late into his evenings to help mount his defense. He found that he had no time to spend with his young daughters. That was when the emotional devastation of identity theft and cybercrime was laid bare for him.

Sileo’s story is an example of a widespread problem, he said. If statistical averages held true, 54 percent of the advisors in attendance should have experienced a breach within the last 12 months, he said. Most breaches, 80 percent, target small or medium-sized businesses. The average recovery from loss of assets due to cybercrime is a mere $280.

Today’s hackers aren’t just cracking passwords with technology and diving into dumpsters for scraps of personal and financial information, Sileo said. They’re exploiting human trust and weaknesses through social engineering, posing as bank employees and IRS agents on the phone to trick victims into voluntarily giving up personal information. The same kind of criminals also look for vulnerabilities in the staff at financial firms.

“You need a reflex and a response,” said Sileo. “What we’re building first and foremost is a reflex that happens when anybody requests information.” This reflex should ultimately lead to staff instantly hanging up the phone on suspicious callers. Staff should be trained to be skeptical of calls, slow down, and think through their responses first, he said.

E-mail phishing scams—perhaps someone notifying staff of expired software licenses or a bitcoin windfall—are another area where identity thieves attempt to exploit human weaknesses within financial firms.

“Your reflex should already be ‘baloney, B.S., hogwash,’” said Sileo. “You’re never getting something for nothing. You’re just downloading malware onto your systems. The reflex has got to be automatic.”

There’s a related flavor of cybercrime known as “spearphishing,” where a criminal has already accessed a little bit of a victim’s personal information and uses that knowledge to draw more information out or to convince an advisory firm employee to click on a link to a malicious site.

Now spearphishing is AI-enabled. Criminals are using AI to mine social media profiles before contacting a victim to make their scam more believable.

There’s also ‘whaling,’ where cybercriminals are targeting executives instead of the rank and file in hopes of a bigger payday.

Another potential weakness relevant to the conference attendees? Leaving laptops and mobile devices unattended in a hotel room during the day or somewhere on the conference floor.

Before his general session, Sileo claimed to have walked around the conference exhibit hall to test the awareness of attendees.

“It’s easy to walk amongst this crowd with nobody seeing you,” he said. “Did anyone catch me touching your devices before the session? I touched more than 30 devices with nobody seeing me in the room. People here trust automatically—we set our devices down and go get coffee. Someone like me, who is malicious, can just walk along and you’re still logged on. You have to have encryption and passwords on your laptops.”

Also, beware of smartphones, said Sileo.

“Your smartphone is both a massive productivity tool and also a back door into your network and your clients’ entire wealth if not secured properly,” Sileo said while demonstrating how to hack into an attendee’s iPhone in a few short, easy steps. “The key is to respect both faces of technology. ... Build data defense into every aspect of your information offense—the good way you use information—and then to control everything you can about them. I never want you to get into the narrative that security is beyond your control.”

Sileo emphasized that he was not alone in having his identity breached and stolen, claiming that 90 percent of the conference audience already had an illicit personal profile on the dark web being traded and pored over by cybercriminals.

“That doesn’t mean it’s too late. It means it’s time to do something about it,” said Sileo.