“So many companies focus on perimeter security,” Holm says, “but firms can tend to neglect internal security. If someone actually gets into your network by compromising an employee’s computer, what is actually in your file folder structure? What’s on your network? What would they have access to?”

Such analyses should prompt you to ask what you can get rid of—perhaps old documents and screen captures. That prompts further questions: Does your firm have a data retention/destruction policy? Should some employees lose access to drives or applications they aren’t using?

Karen Novak, the COO at Pershing Advisor Solutions, and Nina Weiss, the chief compliance officer at the firm, say they have managed to kill bad transfers in the cradle and save the advisors by freezing funds at the bank. Often, fraudsters have taken over client e-mails and signatures, and then pose as the clients trying to get someone at an advisory to wire them money. “In our role of custodian, we are recipients of those requests,” says Novak.

She says the fraudsters try to make false transfers sound urgent, and the weak link is the ever-helpful staffer who just wants to please customers and approve the transfer.

“For an inexperienced organization,” Novak says, “or one firm that may not be properly staffed or properly trained, it’s very easy to get somewhat blindsided or err on the side of client service rather than maybe take a step back and take that extra step to ensure they are validating that the client is in fact their client.”

Rick Brooks, the CIO at Blankinship & Foster in Solana Beach, Calif., which manages half a billion or so and has 12 people on staff, says that smaller firms do have options and that many tests are cheaper than you think.

The firm this year began contracting with a pen testing firm through its IT consultant that costs $50 a quarter. “They give us a report that shows there are no server ports open, there’s nobody on the network accessing the network that we don’t recognize.” It’s not a white hat hack attack, but it does let the firm know who might be testing it.

“I think most firms our size sort of assume that we’ll fly under the radar [of hackers],” Brooks says. “The biggest concern for us is that clients’ e-mail gets hacked or spoofed and we wire a half million dollars to Nigeria by accident.” So the firm has policies and procedures in place when a client asks for money, during a phone call, for instance. “But it’s always in our minds that we are one phone call away or one click away from a serious disaster.”