Due to a very well-received Cyber Security panel conversation held at an Ultimus client event in Cincinnati, Secure Cyber Defense CEO Shawn Waldman and Melvin Van Cleave, Vice President of Ultimus’ Technology Infrastructure, agreed to share the following tips and other relevant information in honor of October’s National Cyber Security Awareness Month. The following is presented in a Q&A format with questions from Van Cleave, and answers provided by Waldman, who is very experienced in the cyber security needs of the financial services industry.
Should investment advisers really worry about cyber security? If they are independent or not part of a large firm, would anyone be interested in attacking them?

First, investment advisers are legally obligated to protect any confidential information, and that responsibility is growing in the financial industry and beyond. For example, the European Union recently enacted the General Data Protection Regulation (GDPR), the most important change in data privacy regulation in 20 years regarding anyone holding confidential information about any EU resident. The Commonwealth of Massachusetts was one of the first in the U.S. to legislate how confidential data is protected for residents, and the state of New York heavily regulates companies regarding privacy data. Finally, the California Consumer Privacy Act was passed in 2018 to protect state residents by giving consumers more control of their personal information. Everyone has seen the news. If investment firms and advisers have financial data of any kind on their systems, they are a target. And even if they don’t have financial data and aren’t the intended target, there is always the potential to be an intermediate target. Black hat actors may use intermediate systems and infrastructure to gain access to other systems. The most common tactic is leveraging systems as ‘bots’ to get to other systems. Being an unwitting partner in attacking someone else is not a role that anyone wants to play.
If resources are limited, where should advisers and investment firms focus their attention?

This is a difficult question to answer because cyber security is based on a complex set of related items, including computer systems, long-term cyber needs and other issues. It’s not just ‘do this or that’ and ‘skip the rest to save some money’. Firms and individuals understand that in today’s complex environment, they can spend a lot of money on cyber security and still fall victim to a security breach. Organizations including the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and the SANS Institute have published frameworks for cyber security programs and other valuable educational materials. Their websites are a great place to start for companies and individuals who want to learn more about cyber security and the programs they might need.
Is installing anti-virus protection on every computer enough?

There was a time when having anti-virus protection on personal computers at work was enough. But those days are long gone, and today it’s not even considered a good baseline defense. While traditional anti-virus software has improved its protection against malware, it’s also a great idea to have a back-up system in place that provides both anti-virus and malware protection on all firm computers. For home systems, there are many vendors that offer anti-virus and anti-malware products for free, because home computers usually don’t require the extensive management capabilities that businesses do. But it is worth the time to research options.

Performing backups regularly covers advisers, correct?

Not necessarily. Of course, backups are critical, but where are they kept? Are the only backups sitting on a network within reach of a crypto-breach that could encrypt all backups, as well as any online data? It’s important to have backups that are out of reach – such as in the cloud. So, a combination approach, with backups onsite for convenience as well as backups off-site for extra safety, is recommended. I’d also suggest maintaining an offline copy as a last resort.

What worries you most? What keeps you up at night?

Let’s assume an investment adviser worked with security professionals to implement a reasonable security program in their company, and there are system protections and monitoring in place, including patches, that are doing all the right things. But at the end of the day, the one thing that remains the ‘weak link’ in any security program is human nature. That’s why black hat actors continue using methods that work. Phishing scams and other forms of social engineering remain the method of choice for one reason: they are successful at obtaining a password over the phone or through email – even with layers and layers of technology in place. So, it’s essential to continue training employees.
Our company, Secure Cyber Defense, has seen significant improvement in testing and training over time on how to get employees to not fall for follow-up phishing scams. But statistics show that investment advisers and firms never get to a 100 percent success rate. And unfortunately, that one failure can be the one that triggers a severe crisis for the business. So, keep training employees and keep them informed about the latest hacking and phishing scams – especially when there is a national disaster. Scammers love to leverage disasters as the perfect time to scam users whose natural tendency is to send monetary donations.

Can you provide more detail about a “layered cyber approach”?

In summary, a good cyber security program is often based on the onion analogy. If bad actors get through the first layer (i.e., getting a piece of crypto-locker malware installed on an employee’s computer), there should be additional layers of protection below that level to effectively quarantine that problem and minimize any damage. If bad actors happen to penetrate another layer, are there additional layers of protection beneath that? Below is a full example of a layered approach:
- Anti-Virus/Anti-Malware Solutions – As mentioned earlier, this is the outermost layer but not nearly enough.
- Vulnerability Scanning – Perform a monthly scan of all systems to make sure everything is patched and up-to-date. Vendors update their software regularly, sometimes even daily, because of security issues, and there is a lot to keep up with. This can be difficult for a couple of reasons, including the amount of work it takes to keep dozens or even hundreds of systems patched. There are also times when those new patches break things, and that is often learned the hard way.
- Intrusion Detection and Prevention – At the perimeter of the network, make sure only permitted traffic is allowed in and out. Next-generation firewalls have become much more sophisticated at evaluating traffic and determining what’s ‘normal’ and what is ‘unusual’ – meaning suspicious.
- Compliance, Auditing and Logging – Keep tabs on what’s happening on the network and keep records, such as reports to review and archives (for forensics purposes). If someone keeps trying to login under a privileged account and failing, that information should be recorded.
- End User Security Training – Investment advisers and managers should encourage cyber security training often because industry professionals rely on each other to be smart about security.
- Security Incident Event Management – Plan what to do if something does happen. Practice and prepare so that if a cyber event occurs, there is a plan in place to minimize the damage.
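The logging layer above says that repeated failed logins to a privileged account should be recorded; recording alone is of little use unless something reviews those records. The following is an added example, not code from the original article or from Secure Cyber Defense or Ultimus, showing the kind of check a small firm could run over its authentication log. It assumes sshd-style syslog lines, a hypothetical list of accounts treated as privileged, and a threshold of five failures within ten minutes; the log lines themselves are constructed for the example. It also flags the case that matters most in incident response: a burst of failures followed by a successful login from the same source.

```python
"""Added example (not from the original article): flag repeated failed
logins against privileged accounts from constructed Linux auth-log lines.

Assumptions (hypothetical, chosen for the illustration): sshd-style
'Failed password' / 'Accepted password' lines, a set of account names
treated as privileged, and a threshold of 5 failures within 10 minutes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd format (not real log data).
SAMPLE_LOG = """\
Oct 12 08:01:10 fs01 sshd[2201]: Failed password for root from 198.51.100.7 port 50211 ssh2
Oct 12 08:01:14 fs01 sshd[2202]: Failed password for root from 198.51.100.7 port 50212 ssh2
Oct 12 08:01:19 fs01 sshd[2203]: Failed password for root from 198.51.100.7 port 50213 ssh2
Oct 12 08:01:25 fs01 sshd[2204]: Failed password for invalid user admin from 198.51.100.7 port 50214 ssh2
Oct 12 08:01:31 fs01 sshd[2205]: Failed password for root from 198.51.100.7 port 50215 ssh2
Oct 12 08:01:36 fs01 sshd[2206]: Failed password for root from 198.51.100.7 port 50216 ssh2
Oct 12 08:02:00 fs01 sshd[2207]: Accepted password for root from 198.51.100.7 port 50217 ssh2
Oct 12 09:15:02 fs01 sshd[2310]: Failed password for jsmith from 203.0.113.9 port 40010 ssh2
Oct 12 09:15:40 fs01 sshd[2311]: Accepted password for jsmith from 203.0.113.9 port 40011 ssh2
"""

PRIVILEGED = {"root", "admin", "administrator"}   # hypothetical list
THRESHOLD = 5                                     # failures that trigger an alert
WINDOW = timedelta(minutes=10)                     # ...within this time span
YEAR = 2018   # syslog timestamps carry no year; assume one so they can be parsed

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_privileged_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (user, ip) that reaches `threshold` failed logins
    inside `window`, noting whether a successful login followed the burst."""
    failures = defaultdict(list)    # (user, ip) -> timestamps of failed logins
    successes = defaultdict(list)   # (user, ip) -> timestamps of accepted logins
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if user not in PRIVILEGED:      # only privileged accounts are of interest here
            continue
        (failures if result == "Failed" else successes)[(user, ip)].append(ts)

    alerts = []
    for key, times in failures.items():
        times.sort()
        # Sliding window: the first run of `threshold` failures that fits in `window`.
        for i in range(len(times) - threshold + 1):
            first, last = times[i], times[i + threshold - 1]
            if last - first <= window:
                alerts.append({
                    "user": key[0],
                    "ip": key[1],
                    "failures": len(times),
                    "window_start": first,
                    "window_end": last,
                    # A success after the burst suggests the password was guessed.
                    "followed_by_success": any(t > last for t in successes.get(key, [])),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample above the check raises a single alert for root from 198.51.100.7 (five failures in under a minute, then an accepted login), and raises nothing for jsmith, who is not in the privileged set. In practice the same logic is usually expressed as a rule in whatever log collector or SIEM the firm already runs; the point is that the failed attempts are not only recorded but reviewed, with the threshold and window tuned to the environment.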
Conclusion

Cyber security has become more and more complex, but protecting your business is essential, and it can be addressed in a logical way under guidance from an expert. Ultimus takes cyber security very seriously and invests in IT systems, training and resources to be certain the business is protected. Testing, training, updating, and repeating that process again and again are all part of everyday business.
Shawn Waldman is the Chief Executive Officer (CEO) and Founder of Secure Cyber Defense, LLC, a company in Miamisburg, Ohio that delivers cyber security services for all types of industries including finance, manufacturing, education, pharmaceuticals and healthcare, and government agencies. Specific services provided include vulnerability assessments, security controls, risks and compliance evaluation, threat protection, and ongoing monitoring for any size organization.