March 25, 2020 - Cybersecurity is a key part of ongoing risk mitigation for any business, but over the past few weeks, that risk has spiked due to an unprecedented wave of attacks. Additionally, U.S. agencies are expecting a deluge of coronavirus-themed cyberattacks in the very near future. Individuals and business institutions must therefore operate in a heightened state of awareness and diligence to avoid potentially catastrophic effects of these scams, as the world waits out what is likely to be one of the worst pandemics in history.
How financial services firms can protect themselves
On a "typical" day, hackers everywhere are creating countless fake websites and phishing email scams. Due to the coronavirus, businesses and institutions are rushing to accommodate a nationally spread out workforce, the majority of which will use virtual private networks (VPNs) on their home Wi-Fi. So, how can small to midsize companies remain safe from those hackers and avoid a firmwide data breach? It starts with a strong IT department and a solid business continuity plan. Not there yet? No time like the present. You need to ramp up your company's emergency plan now.
Unsure of where to start? Work quickly to identify your organization's vulnerabilities. Create and perform a "cyber hygiene" audit. If you are a small to midsize financial services firm, consider: How strong are your encryption technologies and firewalls? As part of regular maintenance, your IT department should perform security audits by running diagnostics, checking security patches, and testing antivirus software every few minutes. Larger, company-wide security audits should happen if the company adds more than five employees at a time, after new system upgrades or installations, or after a security breach of any size.
The International Association of IT Asset Managers (IAITAM) suggests tracking every IT asset being taken home, implementing strict firewall and password protection for accessing company systems and data, and tightening restrictions around the use of personal devices for accessing company information. For the time being, it may be worthwhile to consider restricting access to sensitive systems where it makes sense.
Many larger organizations back up their files frequently, as well as store them in multiple locations and formats. Small to midsize firms should do the same, and if your organization uses a cloud service for data storage, make sure it is vetted for use by businesses.
If you have not already, consider implementing a virtual private network (VPN) and forcing multi-factor authentication (MFA) for all remote access accounts. That way, when users log on to email from a device outside the company firewall or go on to the Internet to access remote email, another layer of security (in the form of a pin or authentication code) must be bypassed.
ZDNet suggests employers also consider outlining security and telecommuting policies in a memo that employees must read and sign. The policy should include:
- A "quick start" guide to your firm's VPN, with self-help tips for those who are new to remote work
- A means of communication that enables constant contact between employees and the IT department, with clear guidance around how employees should react if issues arise.
- Emergency service hours until employees have returned to their physical offices.
- Offer specific work-from-home training to help identify and defend against data breaches.
- Reminders that employees should not attempt to download messaging or conference call services outside of those prescribed for use by the company (Zoom, Slack or Microsoft Teams).
- A strong caution to employees against engaging in "shadow IT solutions," or trying to solve IT problems on their own outside the norm. Reinforce the idea that any issues should be handled only by the company IT department.
How financial advisors and staff can protect themselves and their clients
Regardless of the size of your company, the actions you take to keep yourself and your clients' assets protected bears responsibility. First and foremost, listen to your IT department. They have your best interests and the interests of your clients in mind. If your company sent out the above-mentioned memo outlining programs and self-protective measures to be taken over the next little while, read it carefully.
Make sure you keep your systems and software up to date. Oftentimes, firms will update employees' computers in the background while they are working, but you can't afford to make an assumption that your computer has updated security features. Make it a habit to leave your machine on and plugged in during non-business hours. Reboot your computer at least a few times a week to ensure your system receives the necessary updates and remains protected. Use secure browsers while at work. Chrome and Firefox are generally recommended because they have blocking tools, add-ons, and security patches that are updated frequently.
Protect your data
When conducting business, stay on your virtual private network (VPN) at all times. You should never be working from your home office unless you are signed onto your company VPN. Doing so adds an extra layer of security for your entire organization, but especially for you. A data breach that jeopardizes your clients' personal information and is traced back to your personal network would be catastrophic to a financial advisor's business. Make sure your home Wi-Fi connection is secure. It should have strong password protection so no one outside your home can see what you are doing.
All sensitive personal data, such as bank accounts, social security numbers, and health information should be encrypted, kept off of your workstation and saved on an external drive. Avoid non-secure or non-corporate managed file sharing services (e.g., Google Docs, etc.), and last but not least, never share personal information of any kind (yours or your client's) over video conferencing software or applications
Advise your clients to stay alert
As the government is encouraging everyone to stay at home, financial advisors should be instructing their clients to stay alert. As their advisor, it is your responsibility to help clients decipher legitimate versus illegitimate risks. As coronavirus related fraud becomes more rampant, pick up the phone and call them, because they trust you and will be grateful to hear warnings directly from you.
Make sure they know that any communication regarding one of their financial accounts could be fraudulent. One of the most common scams depicts some kind of account problem, and clients are asked for their personal credentials through a text message or email.
Many financial services firms use what is called a "known good number." When transactions are made, a known good number is a verification code or other detail that indicates to clients and financial advisors that a transaction or request is legitimate. If you cannot validate a "known good number" for a client transaction, consider it void. Pick up the phone and call your client immediately. If you find that your client has been compromised, have their credit frozen as a protective measure. That way, if anything happens again, they will be notified by credit reporting agencies.
Pay close attention: Be on the lookout for scams like social engineering
As you likely tell your clients, be careful what you click: In the age of coronavirus, social engineering is a particularly slick form of hacking that fools its victims with familiarities. As a reminder, social engineering manipulates people into performing tasks or revealing confidential information in a few ways, usually through phishing emails, text messages or instant messages that look or sound deceptively familiar.
They often present with a sense of urgency and will ask you to perform some type of task or unwillingly disclose confidential information. In the business world, the most common type of message is usually an email or text message that appears to come from the CEO of your company and asks you to do something on his or her behalf. Other scams direct users to a shortened URL or embedded link that looks familiar, but instead, sends them to an illegitimate email that steals their information.
If you receive communication or emails asking you to verify or renew passwords or credentials, double-check with your IT department immediately. Do not ever click, download or forward any suspicious emails. Immediately delete the email and report the incident to your IT manager.
Engage in strong password management
It may seem repetitive, but in a time of heightened risk, it bears repeating. Make sure you have strong, unique passwords. Despite this advice, most people remain vulnerable because they use similar passwords across multiple websites and apps. Recent research in the UK found that millions admitted to using easily distinguishable passwords like "123456."
Long passwords of at least 10-15 characters with a combination of numbers, special characters, and/or capital letters should be required by every organization. Never use names like those of your spouse or child, and don't use dictionary words. Hackers have databases full of common passwords or popular naming conventions.
Consider a password manager like LastPass. $3 per month is a small price to pay for protection and peace of mind. LastPass and others like it will auto-generate passwords on smartphones, tablets, and desktops, and users must only remember one master password. Especially now, financial advisors should be randomizing passwords, with different ones for every account.
Use your smartphone safely
Many companies now have what's called a "BYOD," or bring your own device to work policy, which allows employees to use their personal devices while doing business on the company's network. If you are at a BYOD firm, make sure your phone automatically locks and can only be unlocked using a code or facial identification tool. Though you're not spending a lot of time in public right now, keeping your device protected is important, considering the financial information you have at your fingertips.
Always keep operating systems on your smartphone device updated - don't ignore auto updates, and don't even consider downloading an app if it does not come from one of three trusted sources: the iOS app store, Android, or your company's IT department.
Be aware of specific, coronavirus-targeted fraudulent hacks
New scams specific to the coronavirus pandemic are being introduced and attempted daily. App scams have shown up in both iOS and Android stores, promising accurate tracking of new cases of COVID-19. Once downloaded, however, the apps insert malware that infects users' devices and tracks their personal information.
In another scam, hackers pose as political, government or international health organizations and send phishing emails to users offering helpful tips through a link or download. It should be known, though, that authorities like the World Health Organization do not email people, especially at work.
It may help to keep a running list of coronavirus scams. Forbes is currently tracking them, as is the Federal Trade Commission. The Cyber Infrastructure arm of the Department of Homeland Security also has good information for both consumers and organizations.
Keeping your digital systems safe requires common sense, but even the smartest among us can be fooled, especially when under stress. Unfortunately, these are unprecedented times, as the coronavirus pandemic has affected the world economy in a way that no one ever expected. This is the first time a medical crisis has caused such widespread investor and consumer panic. The sense of helplessness and stress we are all feeling makes it easy for cybercriminals to convince us to act on those fears, but now is the time to be extra vigilant and ensure that we don't. For further resources, reach out to your financial advisor or visit https://www.cisa.gov/cybersecurity.