Think of the way most financial services professionals use computers, phones and tablets. Many are not tethered to a desk in an office, instead working from multiple locations, often on the go. As a result, they tend to bounce from one network to another.

Beyond that, their devices also link up with all sorts of peripherals and other equipment via USB, Wi-Fi and Bluetooth, to say nothing of cloud-based file-sharing platforms like Dropbox that have become increasingly common. All this activity increases a firm's risk of encountering a cyberattack and, therefore, speaks to the need for robust endpoint protection for all devices connected to your network.

Users

Firms need to identify which users, because of their role, are particularly susceptible to attack. For example, some users, for whatever reason, don't use enough caution when opening email attachments or clicking links from unfamiliar senders. This is often the case with firm leaders, who are more likely to send and receive most of their communications via a smartphone, where the small screen can make it difficult to spot suspicious activity.

And, unfortunately, some users could have malicious intentions. According to McAfee, employees, contractors and third-party suppliers acting deliberately account for 22% of the actors in data breaches.

There is a range of measures—technological and otherwise—that firms can take to mitigate the risk of so-called insider threats, including:

• Establishing firm-wide cybersecurity policies, and training and re-training employees each year, including senior executives, who should be leading by example;

• Ensuring that each user's level of access to data, software, hardware and infrastructure aligns with their role and responsibilities;

• Implementing data loss prevention measures that control the transfer of sensitive data via email, upload or download.

Vendors

Third-party vendors that cannot adequately protect highly sensitive data put firms at enormous risk. Since many broker-dealers and RIAs rely on outside partners to store personally identifiable client information, firms need rigorous due-diligence processes that can evaluate those partners' vulnerabilities.