Cybersecurity: There’s always more you can do
No matter your company's size or your role in it, cybersecurity should be on your radar.
Whose job is cybersecurity? If you work at a large company, you probably have an entire department devoted to it and don’t think much about it. If you’re a mid-sized or small company, however, you might think you just don’t have the resources to do anything, cross your fingers that you’ll fly under a hacker’s radar, or maybe you think that investing in identity theft monitoring services is precaution enough.
Wrong on all accounts. No matter the company size or your role in it, cybersecurity should be on your radar. When everyone starts taking responsibility for data security, the collective result is a more aware and resilient population.
“We’re after personal accountability,” said Dave Sonheim, a cybersecurity advisor with the Department of Homeland Security. “What we find across various organizations, people say, ‘That’s IT’s problem, that’s security’s problem.’ But everyone has a level of responsibility.”
Related: 7 cybersecurity questions to help protect your clients’ data
October is Cybersecurity Awareness Month, a perfect excuse to check up on both your company’s cybersecurity practices as well as your personal risks.
Charles Schwab recently teamed up with the Department of Homeland Security and the Society of Professional Asset-Managers and Record Keepers (SPARK) Institute to offer financial professionals in the Denver area insight into the wealth of resources available to them. But there are lessons for everyone.
Recognizing hackers’ tactics
Knowing the strategies hackers and educating employees and clients on what to look for is a first line of defense. The cybersecurity landscape has gotten more complex in recent years, moving from DoS attacks and identity theft to include complex phishing schemes, the sale and resale of information on the dark web, and more advanced scams targeting seniors and vulnerable investors. A panel of cybersecurity fraud experts from Charles Schwab, including Peter Campbell, Carol Sniegowski, Cary Nichols and Lisa Tassara discussed just a few examples of how hackers could be stealing information from companies, their employees and clients:
Credential stuffing: Do you use the same password or login name for different websites? Probably. Credential stuffing is where hackers take usernames and passwords from one compromised site, and, knowing they might be able to use those credentials to gain access to other accounts, will create bots that crawl websites and enter combinations of credentials to see what works and what doesn’t.
To combat this, at the very least, make sure you’re using unique passwords for each financial site you’re signed up for. Better yet, Campbell recommends use a password manager that will assign each account its own unique password and change it periodically. Multi-factor identification, where a second form of verification is required to log into an account, will also help. When you receive a sign-in attempt notification that you know isn’t related to your own actions, it’s a tip that someone else is trying to hack the account.
Email takeover is another issue to be aware of, especially for those working in the financial sector. In this situation, a hacker will access the email exchanges of the parties involved in a major transaction, such as the purchase of a house or car. When it comes time to close the sale, they will step in and pose as a financial institution and send the purchaser false bank routing instructions.
The best solution, in such cases, is to ALWAYS phone the financial institution to verbally confirm the routing instructions. Even if you’re not making any large financial transactions, now is a good time to check your email’s advanced security settings and ensure that there are no phantom accounts BCC’d on your correspondence.
Companies like Charles Schwab have sophisticated computer algorithms that can spot irregularities in user behavior based on how and how often they access their account, whether the demographics match (does the person on the phone sound like a 70-year-old man from Texas?), but many of these irregularities can be spotted by a keen-eyed employee. Tassara shared one such story, in which the financial representative started receiving questions and emails from a client that were out of line with her typical behavior. The suspicious advisor decided to call the woman, who had no knowledge of the emails sent from her account.
One of the scariest sources of a potential data breach that likely hasn’t crossed your mind: LinkedIn. While Facebook has gotten its share of flak over the last couple of years for playing fast and loose with user data, you’re likely giving away important information on LinkedIn without realizing it. How many of your connections are you sure are actually who they say they are? It’s entirely possible that fraudulent accounts could connect with you and use information about your role at the company to further infiltrate. This is an example of a social engineering hack.
Knowing how to respond
Financial companies like Charles Schwab are watching their information and clients’ information like a hawk. But just as important as knowing the signs of a potential attack are knowing how to respond. As soon as possible, they’re tracking how much money has been moved and where, reaching out to the financial institution on the receiving end of the transaction, as well as law enforcement. If action is taken quickly enough, the money can often be recovered and the account locked down before too much damage is done.
But then there’s the need to figure out how the breach happened. Was there a weakness in the system somewhere? Is there a new iteration of a scam making the rounds? It’s Charles Schwab’s practice (and should be a standard practice) to find out as much as possible, and then pass that information along to employees and relevant parties–including competing financial institutions. When companies in the same industry are sharing details about cybersecurity incidents, it may reveal a larger scam at work that can be addressed.
All of these are easy precautions for companies and their employees to take in building what DHS’s Sonheim calls “Cyberhygiene.”
“There is no ‘secure,’” he says. “You cannot never have a breach. You can have it, you just don’t let it impact your line of business. Understand it and gain awareness.”
Fighting back
Keeping up with the evolving cybersecurity best practices can be daunting (unless your a large company with a devoted team), but fortunately, you’re not alone in this. SPARK has been on the forefront of the issue, trying to find effective solutions for plan consultants and record keepers to share information about their more than 100 million plan members without compromising data security. They’ve created a data security oversight board and have been working to help companies understand their own data security and make that information transparent to clients.
Their work, in fact, has caught the eye of legislators in D.C. Particularly Senator Patty Murray and Congressman Bobby Scott, who are asking the GAO to study cybersecurity in the Retirement industry and the potential need to add “data security” to fiduciary duty. “What if we told plan sponsors that if you have an employee benefit plan, and it’s farmed out, you have a fiduciary responsibility to validate cybersecurity with that vendor?” said SPARK executive director Tim Rouse. “That’s likely where they’re going to be going.“
The Department of Homeland Security’s Cyber and Infrastructure Security Agency (CISA) serves 17 “critical infrastructure” sectors, including financial services (others include energy, health care and transportation). Their main goal is to drive awareness of the threat of cybersecurity vulnerabilities and get companies working on baseline or benchmark of cybersecurity response. As such, they’ve got a lot of no-cost resources, particularly aimed at small- and mid-sized companies without the sophisticated in-house resources of larger companies.
“There’s not much that happens today that isn’t connected to a cyber threat,” Sonheim said. “Building these practices into how we do business will build capacity and build resilience.”
Read more: