As the end of the year approaches, it is a good time to revisit cybersecurity focus points and remind firms and their representatives of potential weaknesses. Cybersecurity is no longer a big firm program. Cyber-attacks occur from one-man shops to multibillion-dollar financial institutions.
Learning from the mistakes made by other firms in regards to cybersecurity can be extremely valuable. Earlier this year, FINRA held a cybersecurity conference where speakers shared real-life experiences. Below are some of the most significant lessons that firms learned the hard way.
1. Don’t Change a Payment Based on an Email
One firm’s story shows how patience and timing coupled with loose controls can create a cautionary tale. In this story, the fraudsters watched the firm’s social media, noting an upcoming charity golf tournament. Consequently, they chose this time to send an urgent “wire change” request to the firm. Because there were no controls in place to require a verbal authorization, the fraudulent wire went through.
2. Know Where Your Cybersecurity Weaknesses Are
Using creativity in the types of testing performed by firms shows the customization of the program. Additionally, these tests could become great learning tools for employees. Another example from the conference was a test performed by a firm where a thumb drive was labeled indicating it contained sensitive information (i.e. “payroll”, “commission”, or “bonuses”). Then, the firm monitored employees who took it home and opened files on their laptops to identify security breaches. This is an example of using a creative approach to find the gaps in a firm’s program.
3. Know Where Your Jewels Are Stored
The argument that firms can wipe their hands of cybersecurity concerns because all of their data is stored through large publicly audited vendors may not be based in reality. Ultimately, it is important for firms to recognize and understand that data can be easily transferred to laptops, smartphones, and tablets. Outside the controls of the large vendor, there are undiscussed areas that can become vulnerabilities to the program.
4. Have a Cybersecurity Plan and Test the Plan
Having a plan is a great first step. However, testing the plan in a real-life scenario is what ultimately solidifies a plan. For example, the speaker at the conference told a story where she performed an exercise with senior personnel for one hour. She staged a drill where there was a malware attack, and the firm no longer had access to their emails. Then, she watched the panic of management as they had to make operational decisions and go through a 16-page manual to find their IT provider. As a response to this, the speaker recommended a top sheet of important numbers that personnel can immediately access in stressful scenarios.
5. Keep Multi-Factor Authentication on All Devices
Occasionally, there is an option at login for certain accounts to recognize your computer as a trusted device. Selecting this will typically bypass the multi-factor passcode feature which is meant to add an extra layer of protection. In this story, a registered representative’s computer was compromised, and the bad actor gained access to the laptop. Since it was a trusted device, the bad actor was able to bypass controls that were set up by the firm. The bad actor even changed the SMS authentication code destination to their email. Above all, dual-factor systems are implemented for a reason and should always be activated.
Cybersecurity: Top Stories From FINRA’s 2020 Conference provides full details on these real-life cybersecurity stories. Browse our previous blog posts on cybersecurity for more information on this topic.