The global ransomware attack known as WannaCry has affected consumers and businesses in more than 150 countries this month and has captured the collective consciousness for the moment. As such, it presents an opportune time for the wealth management community and the fintech platforms they rely on to reflect on the current state of cybersecurity. The current state of cybersecurity represents an escalating arms race for both hackers and their targets, with the arsenal of tactics and countermeasures employed evolving at a dizzying pace in a 21st Century Cold War where détente is likely the best outcome that is currently possible.
The WannaCry attack is simply the latest manifestation of a sobering state of affairs that has been unfolding for some time for financial institutions, fintech platforms, and financial advisors. According to the 2017 SonicWall Annual Threat Report which was released in February 2017, the rate of ransomware attacks in 2016 had increased 167 times over 2015. This explosive growth can in large part be attributed to the aggressive growth of the device-oriented Internet of Things during the same period, which provides hackers with many more attack targets. In addition, the availability of bitcoin provides a ready means for attackers to monetize their endeavors in an untraceable manner via ransoms paid in bitcoin. The SonicWall Annual Threat Report indicates that of the 638 million ransomware attacks attempted in 2016, 13% were directed against the financial services industry.
Ransomware is but one form of cyberattack, but as with many types of crime, hackers generally want to follow the easy money and maximize their return for the least possible effort and risk of detection. As a result, a core set of best practices can be followed by fintech platforms and wealth managers alike to become less susceptible targets. The following list of best practices can help:
- Establish an Information Security Policy: A thorough information security policy sets the standard for an organization to follow with respect to security practices and compliance. It should reflect relevant industry guidelines, such as those provided by FINRA.
- Build Cybersecurity Awareness: Security policies are only effective if they are understood and put into practice. Conduct mandatory annual cybersecurity awareness training for all personnel so that they can identify and respond to common cybersecurity threats (e.g., never open links or attachments in emails from unknown sources).
- Proactively Manage Patches: Establish a patch management policy for all company computers and devices. All operating system patches that address severe risks should be evaluated and installed right away. Inertia is the hacker’s ally; a patch for the operating system exploit used by the WannaCry attack had been available since March 2017 and yet had not been applied to a large number of computers around the world when the attacks began in May.
- Be Mindful of Device Management: In addition to a patch management strategy, all company devices should have the latest antivirus protections, standard configurations, and well-defined administrative controls. Consider how to remotely wipe a device if it should be lost, rather than risking it becoming an asset for an attacker to use.
- Encrypt Devices and Sensitive Data: Sensitive data should be encrypted both in transit over networks as well as at rest on servers. All laptops and desktops should have full disk encryption to protect sensitive data should the device be lost, which is common for laptops.
- Protect Information Wherever It Resides: Information need not be in a digital format to be compromised. Enforce clean desk policies. Never write down passwords; store them only in a secure place.
- Make Sure Passwords are Not as Easy as 1-2-3: Strong/complex password guidelines should be established and enforced. This should be coupled with active password rotation which expires passwords and forces them to be reset at least every 3 months. Users may chafe at these practices, but not more than if they get hacked.
- Actively Manage Vendors: Many systems (such as Home Depot’s in 2014) are compromised using hacked vendor systems as the initial point of attack. Create a third-party vendor questionnaire to make sure that all vendors meet minimum security standards, and have all third-party vendors sign confidentiality agreements. Consider vendor contracts with security provisions to provide legal recourse in the event of a breach.
- Conduct Regular, Comprehensive Backups: Make sure that systems are backed up frequently (ideally daily) with a private encryption key and be sure that the scope of data that is backed up is sufficient to restore the business to full operation in the event of an emergency. Effective backups are one of the best defenses against ransomware attacks like WannaCry.
- Don’t Overshare: Establish a social media policy and train staff members to protect their personal information on social media. Information disclosed via social media can be used by hackers for social engineering, a set of tactics that dupe targets through familiarity or social pressure. Do not re-use the same personal security questions for any work-related system; a favorite sports team used as a security answer, for example, could easily be deduced from social media.
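A backup only counts as a ransomware defense if a restore actually works and the scope of what was captured is wide enough to run the business. As an added example (not code from CAIS or from this post), the Python script below packs a directory into a compressed archive together with a SHA-256 manifest of every file, then restore-tests that archive into a scratch directory and reports any file that is missing or altered. The directory names, file contents and archive name are constructed for the demonstration; encrypting the finished archive with the organisation's private key, as the item above recommends, is assumed to be handled by a separate tool after this step and is not shown.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

# Added example, not CAIS code: build a backup archive with a per-file
# SHA-256 manifest, then prove the backup is usable by restoring it into a
# scratch directory and re-checking every hash. Encrypting the archive with
# the organisation's private key is assumed to happen afterwards (not shown).


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip-compressed tar of `source` plus an embedded MANIFEST.json."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
        payload = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return manifest


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract only regular files and directories, and only inside `dest`."""
    # Use the stdlib 'data' filter where this Python version provides it.
    extract_kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    root = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != root and root not in target.parents:
            raise ValueError(f"refusing to extract outside destination: {member.name}")
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"refusing unusual member type: {member.name}")
        tar.extract(member, dest, **extract_kw)


def verify_restore(archive: Path, expected: dict) -> tuple:
    """Restore into a scratch directory and compare every file hash.

    Returns (ok, problems); `problems` lists missing, altered or unexpected
    files. A backup that has never been restored is a hope, not a control.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            safe_extract(tar, dest)
        actual = build_manifest(dest / "data")
        for rel, digest in expected.items():
            if rel not in actual:
                problems.append(f"missing: {rel}")
            elif actual[rel] != digest:
                problems.append(f"altered: {rel}")
        for rel in sorted(actual.keys() - expected.keys()):
            problems.append(f"unexpected: {rel}")
    return (not problems, problems)


def demo() -> dict:
    """Constructed sample data: a tiny client-records tree, backed up and restore-tested."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "client_records"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "acct-0001.json").write_text('{"id": 1, "balance": 100}')
        (src / "notes.txt").write_text("constructed sample data")
        archive = work / "backup-sample.tar.gz"
        manifest = create_backup(src, archive)
        ok, problems = verify_restore(archive, manifest)
        # Simulate a backup whose scope was too narrow: a record the business
        # needs was never included, so the restore test must flag it as missing.
        too_narrow = dict(manifest)
        too_narrow["accounts/acct-0002.json"] = "0" * 64
        narrow_ok, narrow_problems = verify_restore(archive, too_narrow)
        return {"files": len(manifest), "clean_ok": ok, "clean_problems": problems,
                "narrow_ok": narrow_ok, "narrow_problems": narrow_problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Point `create_backup` and `verify_restore` at real paths and run them from the daily backup job; a restore test that fails on a missing file is the scope gap the item above warns about, caught before an incident rather than during one.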
CAIS is committed to the security of both our own platform as well as the registered independent advisors (RIAs), independent broker-dealers (IBDs) and family offices that we serve with our platform; to that end, we will explore the topics in the above cybersecurity best practices as well as related security topics in greater detail in future blog posts.