Cyber attackers target financial advisers’ lax defences

Imagine an invisible person gaining access to your office. For two months, they rifle through your desk and stand in the corner during meetings, listening to everything you discuss.

The online equivalent is happening on computer networks across the world, says Shawn Henry, president of CrowdStrike Services, a cyber security company.

“Dwell time” is the period between an adversary accessing a network and their ultimate detection: the average dwell time is between two and three months, security consultants say.

In today’s connected age, cyber security is not just an IT problem but a business risk for financial advisers. It starts with understanding the threat. “These attacks are not computer versus computer,” says Mr Henry. “There is a human being at the other end of the wire in all these attacks. Understanding who is going to target you is really important.”

In January, the US Financial Industry Regulatory Authority (Finra) warned about a heightened risk of cyber attacks against the US by Iran. It followed the US assassination of Qassem Soleimani, the commander responsible for Iran’s foreign military strategy, in Iraq. Mr Henry, who previously oversaw cyber investigations at the FBI, says Iran has a history of targeting the US financial services sector, usually in response to sanctions.

But most cyber attackers are part of criminal gangs rather than state-sponsored, according to Jeremy Kennelly, manager of analysis at FireEye, another cyber security company.

Ransomware is a favoured technique. In a ransomware attack, a criminal encrypts a business’s servers and renders them inoperable, demanding a fee from the victim to access their data. Mr Kennelly warns that some criminals have developed this type of attack by demanding yet more money for not releasing any sensitive data they have gleaned.

Mr Kennelly says cyber attackers unlock servers to encourage compliance from future victims. “If a press release or news article goes out that XYZ company paid a ransom and didn’t get the decryption tool, then no one may pay them ransoms any more,” he explains.

You need to succeed 100 per cent of the time. Criminals need to succeed once

But no one, of course, should trust criminals to keep their word. Businesses should back up critical data and systems and should have procedures in place to test the back-up restoration process. They should also closely monitor networks at all times so that if these are breached the attacker can be found and stopped before they can do any harm. Reducing dwell time is the most important preventive step businesses can take.

That is easy enough for a business with one central office. But large broker-dealers face a particular threat, says Jason Lish, chief security officer at Arizona-based Advisor Group. The group serves about 13,000 advisers across the US. “The advisers have their own systems, their own networks and, in a lot of cases, they rely on their own technology support partners,” Mr Lish says.

Advisor Group has since developed its CyberGuard program, which affiliated advisers can install on their devices. The program gives advisers a cyber risk score, similar to a credit score, which tells them where their cyber security might be strengthened. If they fail to meet a minimum score, Advisor Group blocks them from accessing its web portals and suggests how they can improve.

“We know, from an economic standpoint, the challenges that any type of incident can have on an adviser,” Mr Lish says. “Whether it is ransomware, or any type of [attack], this is the adviser’s livelihood.”

Other companies are adopting similar measures and many now offer employees training in cyber security best practices.

Individuals also can play their part. Dual-factor authentication should be enabled whenever possible and passwords should never be used on multiple sites. There are many password-manager programs that can store and encrypt logins. These steps can help reduce the risk of email account takeovers, a threat that Finra warned advisers about in October. The US Department of Commerce has made a cyber security framework available through the National Institute of Standards and Technology.

Many businesses are taking these risks more seriously, says Mr Kennelly, but there is a danger of complacency.

“To be protected from this type of activity, you need to succeed 100 per cent of the time,” he says. “Criminal actors [only] need to succeed once.”