With the Securities and Exchange Commission, the Financial Industry Regulatory Authority and the Senate Banking Committee all making cybersecurity a top priority in 2015, the financial industry seems to feel the crosshairs hackers have placed over it.
Registered investment advisors are gearing up for new regulations, with some spending thousands on IT staff, new technology and cybersecurity insurance. While technology and regulations are certainly important, JP Morgan Chase’s reported $250-million-a-year cybersecurity budget still wasn’t enough to prevent a data breach that compromised the data of 83 million customers.
Dan Hirning, the founder and CEO of Prilock, a new company from Carlsbad, Calif., offering cybersecurity training, said that hackers have pivoted from attacking networks to attacking individual employees. The trail of logins, passwords, emails and social media posts that a person leaves every day at work and at home can expose their company.
“The IT individuals have looked at the end users as un-trainable, and their answer is [more] technology,” Hirning told WealthManagement.com. “None of that is going to stop the individual user from clicking a dangerous link other than education and awareness.”
To combat this, Hirning launched Prilock to show people how to use the Internet safely and reduce risk, liability and exposure facing companies. His team consists of security engineers he worked with at Science Applications International Corporation, a defense company that helped Fortune 1000 companies and branches of the U.S. government secure their networks. One of the engineers also works on the security for Intuit, the company behind advisor products like QuickBooks and PortfolioMinder, and Prilock said it is “well aware of the complexities and sensitivities of sharing financial and personal information online.”
Prilock is web-based and can be accessed from anywhere and on any connected device. Hirning said he wanted to eschew the tech jargon of traditional IT PowerPoint presentations in favor of interactive lessons that rely on story-based events, cognitive learning strategies and games. The idea is to explain how hackers build their attacks and use psychology to trick users into clicking.
“Once you’ve seen an attack assembled – you know how to spot them, now and in the future,” Hirning said in a statement. “This is the most effective way for users to protect themselves from hackers’ tricks, phishing scams, social engineering, and online predators.”
Another challenge is to help people understand why they need to care about cybersecurity. A 2014 study by the North American Securities Administrators Association found that only 4 percent of small to mid-sized RIA firms had experienced an attack, but security professionals said this number is likely the result of self-reporting. Firms don’t want to damage trust with clients or attract regulators, and many don’t have the ability to detect a breach.
The result is a false sense of security within the industry, even though an RIA’s network could be a goldmine for a hacker. After all, the information shared between a client and an advisor is all a criminal would need to access finances, take over an identity and even commit a physical crime like home invasion. This could ruin an RIA’s relationship with clients, and without the resources of JP Morgan, just one breach could mean the end of a small to mid-sized practice.
“The high-value clients are a target, the person who manages the clients is an even bigger target, and the firm they work under is an even bigger target,” Hirning said. “If I can get into a system in one way, it’s just a matter of time before I get more.”