By: Kevin Sullivan, Guest Blogger and Director of Compliance
Published June 26, 2019
Every rank, from private to general, in the United States Marine Corps has to pass a battle skills test annually. As financial professionals, every day your computer, your network and your employees enter the cyber battlefield against an ever-growing and more sophisticated army of cybercriminals. Their goal, like that of all criminals, is ultimately to make a quick buck. Those bucks can easily be six figures these days. If they can’t get your money easily, they’ll gladly take your personally identifiable information and then find a way to monetize that data.
This is why cybersecurity continues to be of primary concern for the SEC, adding two new cyber areas to their 2019 exam priorities. These two new focus areas concern multiple branch offices, as well as mergers and acquisitions.
In November of 2015, IBM’s CEO stated: “We believe that data is the phenomenon of our time… the world’s new natural resource… the new basis of competitive advantage, and it is transforming every profession and industry. Cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world.”
How Do Hackers Get What They Want?
To get that data, cybercriminals will seek out the weakest cyber link in your company, and it’s rarely due to hardware or outright theft. Your hardware can be hardened, and your software can be updated. Pandora’s box, however, will get the best of us, and, as Nietzsche said, we are human, all too human. Did you know that 95% of cyber breaches are from human error? Most cyber breaches are the result of sensitive information being handled improperly, anywhere from a single mistake to paperwork being mishandled.
One of the quickest methods for cybercriminals is to spoof emails, a relatively easy thing to do, and then sit back and go phishing. Targeted phishing attacks look to get recipients to download an attachment, click on a link, and provide passwords. Often the spoofed email address is that of an employee in a position of influence, and the message always seems to contain a sense of urgency to take action.
Protect Your Financial Firm with Employee Training…and Testing
The Commission understands the threat, and their OCIE 2015 Cybersecurity Examination Initiative spells it out very clearly in the first line of the subparagraph under Training: “Without proper training, employees and vendors may put a firm’s data at risk.”
Training is critical, but the only way you know if your training has been effective is to put your team to the test. As a Registered Investment Advisor, if you haven’t put your advisors and staff through a phishing test, you should. The results may surprise you. When it comes to cybersecurity, is 75% really a passing grade?
The testing will complement your education and training to help build muscle memory. Beyond the first lines of defense, such as hovering over an email address to see where it really points, testing reinforces the gut instinct that picks up on small clues like these: Why has the sender addressed me as Michael when they always use Mike? Why does the signature look different? Where is the company disclosure that is normally part of the email? Why is the message out of character for the sender? Why the urgency to take action?
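The clues listed above can be turned into a simple screening checklist for reviewing training messages. The Python below is an added example and not part of the original post; the two sample emails, the expected company domain, the sender’s usual greeting and the disclosure footer are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real traffic) showing the clues from the post.
SUSPICIOUS = """From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: payments@mail-relay.example
To: mike@example-corp.com
Subject: URGENT wire needed today

Michael, I need you to process this immediately. Thanks, Jane
"""

NORMAL = """From: "Jane Doe" <jane.doe@example-corp.com>
To: mike@example-corp.com
Subject: Q3 planning

Mike, see attached notes for Friday.
Jane
This message is confidential. Example Corp Legal Disclosure.
"""

# Words that signal pressure to act right now (assumed list, extend as needed).
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|right away)\b", re.I)


def phishing_clues(raw, expected_domain, usual_greeting, disclosure):
    """Return the list of clues from the post that fire for one message."""
    msg = message_from_string(raw)
    clues = []
    _, addr = parseaddr(msg.get("From", ""))
    # Clue: the real address (what "hovering" reveals) is not on our domain.
    if addr.rpartition("@")[2].lower() != expected_domain.lower():
        clues.append("sender domain differs from the company's")
    # Clue: replies would go somewhere other than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        clues.append("Reply-To differs from From")
    body = msg.get_payload()
    # Clue: urgency to take action, in subject or body.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        clues.append("urgency language")
    # Clue: "Michael" instead of the usual "Mike".
    if not body.lstrip().startswith(usual_greeting):
        clues.append("greeting differs from the sender's usual one")
    # Clue: the company disclosure that is normally present is missing.
    if disclosure not in body:
        clues.append("usual company disclosure missing")
    return clues
```

Each returned string names one clue a trained reader should have spotted, which makes the output usable as a debrief after a phishing test.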
When fighting on the cyber battlefield, instead of aim, breathe, and squeeze… go with pause and think before you click. Take the time to verify that you’re handling your data properly; your clients will appreciate it.