Top Techniques to Secure Firm-Wide Buy-In for Cyber Security & Compliance
David Edwards, President, Heron Wealth started the discussion by sharing his journey. David started his career in systems at Morgan Stanley, so he knew how to use and manage IT well. Two years ago, he realized that he could no longer manage the IT and compliance issues for his firm by himself, so he engaged Raj Goel and Brainlink International to manage the onsite IT and improve cybersecurity at Heron. He also engaged Craig Watanabe, Senior Compliance Consultant, Core Compliance & Legal Services to implement training for Heron staff.
Over the past 24 months, Heron has had:
- Clients’ emails taken over. In several incidents, Heron’s staff have called their clients to notify them that the client’s email has been compromised and that Heron is receiving suspicious emails. In one incident, they discovered that criminals had infiltrated the client’s systems for weeks, had studied the client’s buying behavior and then sent a fraudulent request to release $27,000 to purchase a horse. The client had a history of buying horses, so this was not an unusual request; what was unusual was the country that the request for funds came from.
- Heron routinely gets well-crafted phishing emails – and when they get really good ones, David encourages his staff to SHARE the phishing emails with the team. They use these emails as a training tool to teach their staff to be aware.
- Heron is constantly on guard to protect their clients from social engineering attacks and elder abuse. As David emphasized, there’s no such thing as 100% cybersecurity. 99% is good enough when your peer firms are at 60%. The bad guys go after low-hanging fruit – and David advises that your mission is to not be in that category.
He reminded the audience about the story of two hikers encountering a bear in the forest. “You don’t have to outrun the bear to survive – you just have to outrun the other hiker!”
Per David, the key risks that firms need to worry about are:
- Clients (the weakest link)
- Team members (the second weakest link)
- Password “hygiene”
- Lost devices
- Compromised technology infrastructure
- Complacency (Convenience trumps security)
- Non-compliance with SEC Reg S-ID
- And email!
6-Month Cybersecurity Action Plan (developed by Raj Goel/Brainlink for Heron Wealth)
- Establish 2-person review and release of all outbound cash and securities
- Inventory all applications and devices that hold firm or client data
- Categorize (from critical to no-risk) and establish password change schedules for all desktops, devices, and applications
- Encrypt 100% of outbound e-mail using Transport Layer Security (TLS)
- Add Cybersecurity rider to E&O Insurance
- Apply two-factor authentication to critical applications
- Swap out consumer grade router with enterprise grade router and firewall
- Ensure the Wi-Fi router (provided to team & clients as a courtesy) is isolated from local PCs & the remote server
- Replace consumer-grade anti-virus with enterprise-grade alternative
- Review security protocols of remote IT server provider
- Review the firm’s compliance with applicable Federal, State, European laws
- Train and educate team members
- Educate clients!
By working with Brainlink and implementing a multi-layer defense for his firm, David has established Heron Wealth as a leader in cybersecurity and is routinely featured in financial planning and wealth advisor magazines as well as conferences as a proactive thought leader.
Craig Watanabe focused on the HUMAN ELEMENT of cybersecurity.
User training is critical.
He recommends IN-person training – 1-hour training at the start of the year, then short monthly reminders.
The entire panel agreed that using web-based training or CBT (computer-based training) systems is a waste of time.
Craig told the story of a friend who used to work at Sony Pictures. Sony’s cybersecurity training consisted of having people watch online videos/courses, then answer a few multiple-choice questions. Most people started the training, let it play in the background while they did “real” work and then guessed at the answers.
THIS IS NOT EFFECTIVE TRAINING – this is a waste of time & money.
He strongly emphasized that focused, short, in-person training delivers higher ROI than other methods.
Craig also emphasized that his firm trains employees not only in securing corporate IT systems, but also in protecting their home equipment. Raj jumped in with Brainlink’s approach, which focuses on 360-degree threat analysis and training. It does a firm no good to train staff at work and then send them home to defenseless, infected systems. Both Raj & Craig strongly recommend training staff to implement strong cybersecurity at home as well as at the office.
Two Factor Authentication
All three panelists agreed that passwords are your weakest link. Using simple or weak passwords is poor security practice.
All three panelists urged the audience to adopt two-factor authentication.
Brainlink uses (and recommends):
- LastPass Enterprise for secure password sharing
- Duo for two-factor Windows logins
- YubiKeys as 2FA hardware tokens to secure Gmail, YouTube, LastPass, Duo, etc.
The INCIDENT RESPONSE panel had some good advice as well:
If you host on AWS, read the Amazon SOC 2 report, make notes & comments in the margins, and put the marked-up document in your vendor file. Review contracts. For one RIA, their administrators didn’t perform a critical function for 3 months and didn’t notify the client. The administrator thought it was amusing; the RIA saw it as firm-ending.
Another firm went through the SEC exam – you’re not as good as your best exam or as bad as your worst exam.
Many vendor contracts limit liability to contract fees – that’s unacceptable.
Vendor due diligence visits – visit their HQ, not their sales offices. Do at least one onsite visit and then determine how often it’s appropriate.
Don’t count on your vendors to pay for breaches & screwups. Liability is your responsibility. Review your vendor’s SLA limits – how fast after an outage can they get you back in business?
Raj’s Top 7 Action Steps
- Protect your Credit Cards and Bank Accounts
- Secure your IT (Firewalls/AV/AntiSpyware)
- Implement Policy (Password, Social, BYOD)
- Have a TESTED Business Continuity Plan
- Educate Your Team
- Use Two-Factor Authentication
- Insure Your Business
Brainlink clients enjoy success, security practices they can rely on and a competitive advantage in their industry because we know the cybersecurity industry better than most. Brainlink helps firms by:
- Providing independent third party IT security assessments
- Managing their IT infrastructure
- Developing or testing INCIDENT RESPONSE plans
- Developing BYOD, Acceptable Use, Remote Access and other policies
- Conducting DISASTER RECOVERY tests
- Providing effective cybersecurity education awareness training
TRAINING RESOURCES TO SHARE WITH YOUR STAFF, INTERNS, SPOUSE & KIDS:
To that end, Raj recommends sharing the following slides & videos with your staff:
Protecting Your Business & Your Family:
Lessons Learned From Hurricane Sandy
Ransomware Warning Email
Social Media Awareness Training
NASCAR & Ransomware
To learn more, visit www.brainlink.com/IAWATCH/ right away. To talk to Raj, reach out at (917) 685-7731 or firstname.lastname@example.org