They say that a chain is only as strong as its weakest link. That is an especially apt analogy when it comes to cybersecurity in the independent wealth management industry.

If you're an RIA or independent broker-dealer, you know this challenge well. Securing client data grows ever more complex, and one vulnerability is all it takes for a savvy cybercriminal to gain access to it.

This problem, in part, is born of our industry’s tendency to narrowly focus on one facet of cybersecurity while ignoring virtually all others. Indeed, you can invest millions in shoring up one defense, and it will mean little if bad actors find a back door somewhere else.

That's why it's imperative to have comprehensive, end-to-end risk-assessment policies in place, along with procedures that provide enhanced protections for your entire network. That includes all connected computers, devices and peripherals, as well as every user and outside provider with access.

By doing a whole-network risk assessment that quantifies and ranks every vulnerability, firms will be able not only to identify vulnerabilities but to prioritize which weaknesses create the most immediate business risks and should be addressed first.

A risk-based approach is critical because it enables the most efficient, expedient deployment of time and resources towards closing your business’ cybersecurity gaps.

Network Infrastructure, Including Connected Peripherals

Servers and other IT infrastructure demand protection. That's a given. But it's equally important to assess the potential vulnerabilities across the broader network, including any networked peripherals such as cameras, printers and smart speakers like Amazon Echo or Google Home.

A good starting point is to take a complete inventory of all hardware components, which should reveal if there are any unauthorized devices on your network. From there, review each one using a risk-based assessment. The essential question every firm should ask itself in these situations is whether giving a device or tool access to the network provides enough of a benefit to offset the potential risks.

Computers and Devices

Think of the way most financial services professionals use computers, phones and tablets. Many are not tethered to a desk in an office, instead working from multiple locations, often on the go. As a result, they tend to bounce from one network to another.

Beyond that, their devices also link up with all sorts of peripherals and other equipment via USB, Wi-Fi and Bluetooth, to say nothing of cloud-based file-sharing platforms like Dropbox that have become increasingly common. All this activity increases a firm's risk of encountering a cyberattack and, therefore, speaks to the need for robust endpoint protection for all devices connected to your network.

Users

Firms need to identify which users, thanks to their role, are particularly susceptible to attack. For example, some users, for whatever reason, don’t use enough caution when opening email attachments or clicking links from unfamiliar senders. This is often the case with firm leaders, who are more likely to send and receive most of their communications via a smartphone, which can make it difficult to spot suspicious activity.

And, unfortunately, some users could have malicious intentions. According to McAfee, employees, contractors and third-party suppliers acting deliberately account for 22% of the actors in data breaches.

There are a range of measures—technological and otherwise—that firms can take to mitigate the risk of so-called insider threats, including:

• Establishing firm-wide cybersecurity policies, making sure to train and re-train employees each year, including senior executives, who should be leading by example;

• Ensuring that users' level of access to data, software, hardware and infrastructure aligns with their roles and responsibilities;

• Deploying data loss prevention measures that control the transfer of sensitive data via email, upload or download.

Vendors

Third-party vendors that cannot adequately protect highly sensitive data put firms at enormous risk. Since many broker-dealers and RIAs rely on outside partners to store personally identifiable client information, that places a premium on having rigorous due-diligence processes that can evaluate their vulnerabilities.

This includes conducting risk assessments of all vendors, reviewing the nature of any personally identifiable information each vendor stores. Then, based on the risk assessments, firms should only grant access to their systems to vendors whose cybersecurity measures, including how they monitor their own networks, computers, devices and users, are sufficiently robust.

The bottom line is this: Focusing too narrowly on one aspect of your cybersecurity defense system is a recipe for disaster. You never know what angle cybercriminals will come from. To fend them off, develop a holistic picture of your entire organization’s approach to cybersecurity, focusing squarely on where you are most vulnerable to attack and how to take immediate action to close the gaps.

Sid Yenamandra is the co-founder and CEO of Entreda, the leading provider of comprehensive cybersecurity solutions for independent retail financial advice firms and their affiliated advisors.