Greg Croteau from Resolute Technology Solutions joins us to discuss the cybersecurity threats faced by wealth managers and the financial IT security avenues available for shielding both their businesses and clients.
Hi, thanks for joining us today on another podcast blog here with Resolute Technology Solutions. In the past, we’ve discussed some of the digital transformation trends occurring across the wealth management industry and how this is driving increased spending on cybersecurity technology by wealth managers.
Today, we’re going to explore some of the cybersecurity threats facing wealth management firms and their advisors in 2018. For this discussion, I’m joined by Greg Croteau at Resolute Technology Solutions.
Greg, can you give us a quick introduction?
Yeah, sure. Like you said, I’m Greg Croteau. I’m a Senior Consultant here at Resolute.
I’ve been in the IT industry for over 20 years helping customers – large and small – with their technology and security needs.
Thanks, Greg. I appreciate that. So like I said, today we’re going to be talking about cyber security within the wealth management industry.
I guess to kick things off, I want to start off with a high-level topic: what exactly is financial cyber crime? How would you define it?
Understanding Your Financial Cyber Crime Threats
Yeah, so that’s sort of a broad term, but what it really means is a cyber attack that has an impact in the financial sector. By financial sector, that can range from large banking institutions to wealth management firms and insurance companies, and it really extends right down to independent brokers or financial planners.
What makes financial cyber crime threats unique is that financial institutions are a high-value target, as they’ve got banking information and personal information on their clients.
Are there various different levels of exposure to financial cyber crime? Or is it all lumped together in your experience?
Well, it all really depends on what the attacker is going after, right? Sometimes they may not be after something of financial value. They may just be there to disrupt your business, or just hold you hostage and ask for money in exchange for getting your business back up and running.
The Role of Regulations in Financial IT Security
How do regulations in the financial industry play a role in addressing financial cyber crime?
Well, the financial sector is obviously very highly regulated.
What we’re starting to see across various different government levels is that they’re holding financial companies to a higher standard. If you’re breached, or if you’ve been the subject of an attack, there are going to be requirements for you to report that to various regulatory bodies and to your end-user customers.
In the past, and in some other industries, some of this stuff doesn’t get impacted by their regulatory bodies. With the financial sector, it’s fairly highly controlled. We’re even seeing an increase in that regulatory structure as well.
So it’s interesting that you mentioned there are a lot of regulations around reporting, both to public and private stakeholders, whenever there is a breach.
How do these regulations play a role in the protective measures you need to have in place? Or is it really all around reporting, and institutions are responsible for their own measures?
Institutions are responsible for their own reporting. However, it’s not something that you can easily sweep under the rug anymore.
Today, a lot of these breaches are being revealed to the public. If the regulatory bodies find out about it that way without you reporting it, then there’s going to be some trouble for sure.
The Main Cyber Security Threats to the Financial Sector
Thanks for that. We definitely have a really good idea of what financial cyber crime is.
You’ve explained to us that there are threats at multiple different levels. Regulations certainly impose specific reporting requirements.
Let’s take a deep dive into cybersecurity threats that are impacting the financial sector in 2018: Which ones would you say are the biggest or the main threats to keep on the radar?
Yeah. Well, just to take a step back as well.
The financial sector is about 60% more likely to be a target of attack than any other industry.
Again, that’s due to what they’ve got to protect. Along with that 60% higher likelihood, there are also industry averages of about seven or eight cyber attacks that companies may or may not even know occurred. In terms of those attacks, malware, ransomware and phishing attacks are the common trend these days. It’s continuing into 2018.
As you’re saying about malware, ransomware, and phishing attacks, what are some examples of these kinds of attacks?
Of course, at a high level, malware, ransomware and phishing are just high-level concepts; but what exactly are the kinds of things that are happening to financial institutions? Who is being targeted, and how are these kinds of attacks being carried out?
Malware is kind of the common one that everybody’s aware of now. It can be anything from a virus to spyware. It’s malicious software that uses your device or network for its own purposes. That’s been around for quite a while.
Ransomware is relatively new, having appeared in the security world over the last few years.
That’s, again, usually delivered by malware. However, it acts a bit differently: it actually encrypts or locks up your data. That could be anything you’ve got access to. The attacker holds it for ransom; basically, not giving you the key to unlock this data without you paying a price.
That one was big in 2016, 2017, and into 2018 it still will be.
Phishing Attacks & Whaling
The largest thing we’re seeing right now is phishing attacks. To take the phishing attack a bit further, there’s also CEO fraud, which they call “whaling”, that is becoming more prevalent.
A phishing attack can involve blast emails that impersonate somebody, i.e. trying to get you to click on malicious links and expose your credentials or data.
The CEO fraud that I was mentioning, or whaling, takes it a step further, where they actually try to impersonate a C-level executive, somebody in the finance department or the like, and get a transfer of funds into their own bank accounts.
Attackers are quite sophisticated at this. We’ve seen episodes of this where this involves someone actually getting the CEO’s credentials or impersonating them to a very high degree. There was even an email dialogue going between the attacker impersonating the CEO and the finance department or somebody in the finance department.
With these examples here, somebody actually provides information to what they believe is the CEO. In actual fact, it’s just an attacker who’s just very professional in his ability to impersonate someone else.
Correct. They’ll be impersonating the CEO and tell the finance department to execute some fund transfer instructions.
Now, one thing is that cloud adoption is continuing to grow, specifically along with digital transformation. With that in mind, is the shift to adopt cloud in the financial services industry making it more difficult or easier to protect? What would you expect to be protected in an off-site, hosted cloud environment?
Yeah, it definitely makes it more difficult to protect, because in the traditional model you had your company and data all residing in one location. You had one presence to protect.
In the cloud, your data is distributed across several environments. It could be on-premise. It could be in the cloud. It could be with a cloud-hosting provider. All those points need to be protected.
It sounds like there are, of course, multiple different channels of attack. If you want to breach financial data, the only way you could possibly facilitate any of these attacks is if there were vulnerabilities in place at the company itself.
As it relates to the financial industry, cybersecurity, and the rest of that industry, what are the most revealing vulnerabilities that you see within financial services providers? Do they vary across sizes of financial service providers, and even sectors within the industry?
Yeah. As technology evolves, the industry must get a good handle on firewalls, intrusion detection and intrusion prevention. These are all typical preventative measures that have been in place for years.
The End-User is the Biggest Vulnerability
The weakest link that we typically see, and that attackers are going after, is the end user.
That’s where the malware, phishing and CEO fraud are occurring; it’s all originating with the end user. That’s because the end user is only as good as their education or technical awareness.
The Top Barriers to Preventing Financial Cyber Crime
With the end user being the financial services representative or somebody at a bank that would be receiving phishing attacks, like the one that you previously talked about, what exactly are the biggest barriers to having some kind of effective security protocol at your financial institution?
Yeah, there’s a few different aspects we’re seeing from that.
1. Lack of End-User Education
First off, it’s the user awareness or user education. If they’re not trained or aware of what a potential malicious link looks like, they’re not going to know not to click on it.
That’s becoming a large problem due to social media in general. People are used to being able to get information and click links to different pages. That’s what the targeters go after, right? They try to bury a malicious link in an innocuous-looking email to you, or something like that.
2. Small Financial IT Security Budgets
End users are the first avenue to explore. The next barrier is the lack of budget: not everybody puts security or the value of security at the top until something happens.
It’s usually an afterthought for a lot of companies. Then again, it depends on the size of the company. Larger companies normally have larger security budgets.
When you’re dealing with smaller companies or independent users, a security budget may not be that large to address these issues.
3. Lack of Skilled Employees
The third aspect is simply a lack of skilled employees. The larger companies that have an IT team don’t necessarily have security specialists, or security-trained technicians, to help deal with the multitude of aspects.
That’s really interesting.
What you’re raising is that financial services companies are certainly very familiar with the basic security requirements they need to have, i.e. antivirus software and various other technical tools that would enable them to protect their data.
Then, when you’re talking about a lack of budget, I guess anything above and beyond the most basic protections is significantly more expensive. Or is there just a lack of awareness of the fact that these other parameters are important to have as well?
I think it’s a combination of both. Everyone knows what a firewall is and that you need to invest in that to protect your company. However, not everybody knows what a proper end-user training routine would look like.
The cost of these things isn’t necessarily prohibitive. It’s just a matter of knowing these types of services exist, or there’s a lack of that in your environment.
The Cost of a Breach
So staying on the topic of costs, what really is the cost of a breach if you were trying to compare and contrast that with the lack of budget that is currently available for security?
Well, based on a report that was published last year, they actually were able to put a dollar cost on a breach. How they did that is they put a dollar cost on a per-record basis. Meaning if your company was breached and you lost 10 records, it was basically just doing the math on the cost.
I think they surveyed over 500 companies, and the average was $141 per record.
You can then imagine how, with the larger companies that have a large data breach, perhaps of thousands of records, it’s quite costly, to say the least.
There are so many potential vulnerabilities, especially at the end-user level, and a perception that the bare essentials, such as a firewall and virus protection, are enough.
How exactly can a wealth management firm begin to assess their current risk? What steps do you recommend to ensure that cyber security risks are flagged, addressed and mitigated sooner rather than later?
Mitigating Your Financial Cyber Crime Risks
Build a Security Focus Assessment
Yeah, so like you said, the largest risk we are seeing is with the end user.
However, there are numerous other aspects, right? There may be a significant weakness in your infrastructure, for example, along with many other financial IT security challenges.
What we’re seeing is the best approach is having a security focus assessment done in your business, so you actually know:
- What data you’re protecting and
- How well it’s being protected.
Okay. So I’m just wondering, are there any specific steps involved that you would be able to speak to? For example, things like vulnerability assessments, various procedural approaches, and things of that nature?
How to Build a Security Assessment for Thwarting Financial Cyber Crime
Yeah, so a security assessment usually starts out with getting a whole inventory of your environment.
Each of those nodes is assessed for its current state: anything from patching and antivirus to how well the firewall has been implemented and how well your internet-facing servers are shielded.
Then, we can go into the kind of controls that are in place within the organization:
- Do they identify their critical data?
- Is the data well protected?
- How well do they manage their inventory?
- How well do they manage their antivirus?
This gives an overall basis of the maturity of the security of the company.
Then, from there, we can typically move on to the end user perspective. Are they educating their users on a regular basis about safe computing habits? Do they have a routine in place to keep their IT staff aware of the industry trends?
How Resolute Helps with Cyber Security in Financial Services
What you’re explaining to me here sounds like all of the regular things that Resolute would get involved with if a financial services company came to you looking for cyber security solutions, mitigation plans and things like that.
You would start with one of these assessments, which would run the gamut from everything at a technical level straight down to a behavioural level: what processes and activities do they have in place, or set practices, in order to protect themselves?
In your experience running these kinds of assessments with potential clients within the wealth management space or financial IT security space, how developed are these companies with their security protocols?
When you run one of these assessments, do you see a lot of common issues all the time? Are these issues very similar? Could you speak to some of those examples, perhaps?
Yeah, absolutely. There definitely are common themes.
Despite the best intentions, we’re still seeing very common things that are ignored, for lack of better terms. For example, they may be patching a certain subset of servers, but some others have been forgotten for quite a while. They’re quite out of date and vulnerable to even older types of attacks.
From the end-user education perspective, that has a very low adoption rate right now. That’s unfortunate, because that is almost one of the best preventative measures against a lot of the current and common attacks.
Industry Standard Solutions for Cyber Security in Financial Services IT
Now, how would Resolute step into the picture in order to provide solutions for these kinds of vulnerabilities? I guess the technical ones would be a little bit more straightforward, but on the behavioural factors, do you have a role to play there and some value that you add for these institutions?
Yeah, absolutely. We’re obviously capable of taking care of all vulnerabilities.
In terms of the assessment-type activities: We work with the customer for their controls and practices aspects. We make sure that the procedures they’ve got in place – anything from antivirus updates, firewall review and to end user education – work. We work with them to develop the appropriate plan for them.
Building a Best-in-Class Financial Services Cyber Security System
Now, what would a best-in-class security protocol look like, from your experience and what you’ve seen? So an organization that has all their ducks in a row, so to speak.
Vulnerability, Control and Practices Reviews
The best-in-class we would see would have completed the overall vulnerability, controls and practices reviews.
Closing all Vulnerability Gaps
They would remediate any gaps that were identified during those reviews.
Third-Party Stress Testing
Typically, we’d also recommend and stress that they have a third party penetration test done on any internet-facing applications or websites.
Implementing End User Education Strategy
Then, they also would be implementing a regular end user education strategy.
The Cost of Cyber Security in Financial Services IT
I appreciate the insights. Thank you so much for that. I guess that as a final question, of course, as with any implementation for any business, costs certainly always come in as a primary factor.
Even as you said, there’s a lack of investment within a lot of the things that you would strongly recommend having for addressing financial industry cyber security needs.
What is the typical cost of cyber security as a wealth management company?
Obviously it’s very difficult to give a specific dollars-and-cents value, but is there a percentage of sales, a percentage of IT budget, or even a cost per client that somebody could keep in mind and start to guesstimate whether they are within that range?
If they’re not, then they can definitely see at a cost level that they are below the industry. If they’re above that range, or at it but still vulnerable, then they’re clearly misallocating funds. Is there a range that’s appropriate based on the industry? Could you speak to that?
Best Practice: 20% of IT Budget Goes to Financial IT Security
Yeah, absolutely. We’re seeing for companies that have a successful security plan – and again, this is also based on industry surveys that were published – 20% of their IT budget normally goes towards the security aspect.
That obviously scales: with larger companies, larger budgets. Again, 20% is the well-rounded approach. In addition to that, the other thing to include is with any new engagements or new projects they’re taking on, security needs to be forefront in that as well.
The budget for security-related aspects needs to be put up front.
Optimizing Financial IT Security Costs
Now, as of course security is an ongoing threat, and an ongoing cost center for your business, are there some economies of scale that you benefit from?
If you’re doing everything right, eventually your percentage of costs would become more optimized. As a result, you’ll have fewer threats and lower costs because of ongoing investments. Or, is it a regular cost that would stay the same, and is even, perhaps, slated to grow as a result of the growing complexities of cloud, and various new threats from around the world?
Yeah, I mean there definitely is. There’s benefit to keeping on top of things.
Regular Financial IT Security Maintenance
Just like maintaining your car: the more regular maintenance you do, the less likely you are to be stuck with an unexpected large bill when something happens. It’s the same with security.
The more attention you give it throughout the year, the better shape things are going to be in and the less likely that you’re going to be vulnerable to these common attacks.
Routine End User Education
In terms of end-user education, there’s typically a cost to getting the training set-up. However, after that, it’s just a per-user cost, typically, to keep the routine going with the end users.
Again, that scales easily for a larger company because the cost to set it up is typically the same for any size of company. It’s just the marginal per user cost that they’d be paying that varies.
I appreciate the insights there.
That’s some incredible value that you provided for anybody in the industry who’s trying to understand exactly what are the threats and where they are coming from.
As you’ve indicated, although there are technical measures that we can have in place for external threats, a lot of the times, there’s a lack of investment internally that allows even the most comprehensive security technology to be circumvented.
For example, a skilled operator can just get in front of the right person, ask the right questions, and grab the information they’re looking for.
Well, I appreciate the time you spent today, Greg.
Did you have any other comments before we close off the call? Something for security planners and executives in the industry? I know there’s a lot of talk at various levels, as people know about security, but perhaps there’s not always buy-in from the executives?
Do you have any experience there, or some final parting commentary?
Yeah, absolutely. Again, with the percentage of IT budgets allocated to security, we also see that proper financial IT security must start from the top.
If you don’t have your executives aware of the risks out there, they’re going to be hesitant to spend the money on it. Any successful plan that we see, especially when it comes to budgeting, always starts from the top.
That’s phenomenal. Thanks so much; we certainly appreciate your time. I’m sure everybody reading the blog today has certainly gained a lot of value from it.
Absolutely, thank you for asking me.
Resolute Technology Solutions offers IT Security Services to protect your Financial and Wealth Management IT system from financial cyber crime.
From assessing the state of your vulnerabilities to providing day-to-day security functions, our team is equipped to ensure that your wealth management firm avoids costly breaches and grows in its credibility. To learn how, contact us today.