In the wake of the COVID-19 pandemic comes another threat: Many advisors and reps are now working from home on machines and networks thought to be less digitally secure than their office environment. Still, many advisors are overconfident in their cybersecurity and aren’t aware of the myriad ways client digital data might be compromised, according to many technology consultants.
But now, thanks to recent data gathered from one cybersecurity vendor, we have a clearer picture of just how many advisors are vulnerable, and how.
Cloud security and compliance company OS33 rolled out a free lightweight diagnostic application on April 16 for advisors to use as a means of checking their cybersecurity preparedness.
The diagnostic application checks that 12 key security and compliance points identified in a recent FINRA cybersecurity alert are protected by the advisor’s systems. Hundreds of individual advisors and reps, from 60 RIA and independent broker/dealer firms, with total client assets near $3 billion, had downloaded the application since the rollout.
In data shared exclusively with Wealthmanagement.com, the firm found only 15% of advisors and reps passed all 12 checks. Half the advisors failed two checks, and 20% failed three, said Morley Ivers, president of OS33.
A lack of hard disk encryption, operating systems without the latest patches, and antivirus and malware software that were not fully updated were the most common failings. Ivers said his firm is working with advisors to fix the issues the application has found to bring them into compliance.
The current state of threats comes as no surprise to cybersecurity professionals who work with advisors.
“Bad actors are on the rampage,” said Brian Edelman, CEO of managed security service provider FCI. “We all assumed it would get to this point but now it is here.”
While a whole host of threats, from phishing attacks to malware infection, have been on the rise, so has bandwidth consumption, thanks to work-from-home mandates that have forced employees to work over their personal in-home networks, opening up data to inadvertent leaks or interruptions.
The FBI and Internet Crime Complaint Center (IC3) published a warning Monday in response to the recent increase in reports of online extortion scams.
And there is a growing list of new outlets from which bad actors are sending out attacks. Global cybersecurity firm Palo Alto Networks said in a report that as of the end of March it had identified 116,357 newly registered coronavirus-related domain names.
Of those, they found 2,022 to be “clearly malicious” (with attacks originating from them) and identified another 40,261 as “high-risk” (meaning suspicious activity or associations with malicious domains).
“Unfortunately, it’s like shooting fish in a barrel [for bad actors], so many people at home and too many of them on home machines,” said Edelman. His firm, founded in 1995, provides endpoint and network security as a managed service working with independent b/ds, RIAs and insurance firms.
“Regulators don’t want to know that you got a virus and your AV quarantined it—they do want to know that you had a data breach and someone got into your CRM and took sensitive client information,” he said.
Gone are the days when it was enough to simply show a regulator that you had a plan printed out on a shelf, he said. Going forward, he said, regulators will expect you to provide evidence that you have a system in place and can generate a report on demand showing how your systems are secured.
“Regulators are not lowering the bar on security and privacy expectations,” Harry Valtek, a partner specializing in cybersecurity at Baker & McKenzie, said on a recent webinar. “Despite being strained in a telework environment, they are still expecting financial services firms to have things like data loss protection and encryption in transit in place.”
No end to the threats
There is no shortage of evidence that even large IT vendors, not just advisors, are vulnerable. The Cybersecurity and Infrastructure Security Agency (CISA), a part of the Department of Homeland Security, posts daily alerts on newly discovered threats and product patch updates. On one day alone this week patches were announced for products from Microsoft, Google and OpenSSL, along with a warning about a newly discovered form of malware.
Security software provider Check Point and Dimensional Research recently surveyed 411 IT and security professionals, all from organizations of 500 or more employees globally and from a range of industries.
A full 71% of security professionals reported increased security threats or attacks since the beginning of the COVID-19 pandemic. The leading threat cited by respondents was phishing at 55%, followed by malicious websites pretending to offer information or advice related to the pandemic at 32%, followed in turn by increases in malware at 28% and ransomware attacks at 19%.
Fueling a lot of this increase in threats are the millions of workers now at home on their own networks that hackers know are more vulnerable than better-secured corporate networks, these groups say. Data from both network-intelligence firms and internet providers are revealing the extent of the change in this new workday transition.
Traffic on the public internet has increased by 50% since the beginning of the year, according to Kentik, a provider of machine-learning-based network operations technology.
Comcast, operator of the largest residential internet network in the U.S., has seen its peak internet traffic increase from 32% to up to 60% in some areas. In addition, the company has seen a 24% increase in mobile data usage.
Overall, Kentik has seen videoconferencing data traffic increase by 500% around the country, while Comcast has measured a 212% increase in videoconferencing traffic and a 40% increase in virtual private network (VPN) traffic since March 1.
“The weakest link is the person,” said Sid Yenamandra, CEO and co-founder of Entreda, which works with enterprises, particularly those in regulated industries like financial advice, to manage cybersecurity risks.
“There is no concept of a perimeter anymore, the corporate boundary is the user. How do you manage them like they are in an office?” Yenamandra asked rhetorically. This is especially true for many of the independent broker/dealers his firm works with, including Advisor Group and many independent advisors affiliated with LPL. “How do you secure your independent contractors and get all those folks meeting the same standards?” he said.
“From a security perspective, don’t let patch management slip, keep your systems updated and patched,” said Jessica Dore, a principal and leader in Rehmann’s technology group, where she works mainly with financial services firms that are clients of the large Michigan-based firm.
“It is also important to reboot your machine regularly to make sure these patches and updates are actually running,” she said. “Strong passwords for all your key applications and multifactor authentication wherever possible for any type of remote access,” Dore said.
And if advisors lack those features with the applications and programs they are accessing from home, the best thing they can do? Ask their firm why, she said.