The cybersecurity defense advisors forget
LAS VEGAS — Wealth management firms are overlooking a crucial line of defense when it comes to cybersecurity: their own employees.
“Criminals will always go for the humans first, and we as businesses tend to fund the training of our humans last,” said John Sileo, CEO of Sileo Group, a data security think tank, at the Investments & Wealth Institute’s annual conference.
More than half of RIAs say cybersecurity was their biggest area of technology expenses last year, according to TD Ameritrade’s 2019 RIA Sentiment Survey.
But while advisors spend big bucks on technology, they may not be investing enough in arming their employees with the skills to recognize cyberattacks and wire fraud attempts.
“We’ve got to train our people to have a moment of skepticism — when they slow down, ask some questions and think through this,” said Sileo.
Many hackers use “spear-phishing” tactics — emailing a target ostensibly from a known sender after obtaining personal information that makes the ruse more believable. The phishers obtain this personal information by mining Facebook profiles, among other tactics.
Sileo noted one tech firm that fell prey to wire fraud after a hacker impersonated an employee. The finance department at the company, Ubiquiti Networks, erroneously transferred $46.7 million out of its accounts in 2015 as a result of the fraud, according to an earnings report.
Cautionary tales like this, Sileo said point to the necessity of investing in training so that staff is immediately skeptical and on the lookout for this sort of employee impersonation or any type of fraudulent request.
“Ninety-nine percent of the people inside your organization don’t know the simplest tool of detecting phishing,” Sileo said, noting that most employees fail to hover their mouse over links inside an email, which would reveal suspicious links or web addresses from other countries.
Firms also need to ensure their advisors and clients have two-factor authentication. “That takes cloud and account hacking so low it becomes almost insignificant,” Sileo said.
In order to train firm employees, advisors need to be strategic. “When you teach your employees in terms of layered security they fall asleep,” Sileo said, noting the importance of using real-life scenarios.
Incentives can work as well. “Reward your staff for not having a phishing incident,” Sileo said. “You’ve got to have it tied to positive metrics.”
Cybersecurity is not a one-time spend, according to Sileo.
“You should not be ignoring [cybersecurity], even if you spent the whole last year thinking about it. You have to constantly be thinking about what you are doing.”
Advisors should also see this heightened awareness about cybercrime as an opportunity to add value to client relationships, Sileo said, noting that clients face the same issues and similar cyberattacks.
“Using this information to deepen client relationships is one of the best practices I have seen,” Sileo said, adding that security is one of the most-requested education topics in the financial services industry. “They trust you more than they do their bankers, their credit cards and so forth. It’s a better source when it comes from you.”
Even if advisors don’t discuss the topic with clients, they need to recognize what could be at stake.
“When you are handling that wealth and personal information of your clients, you have to treat it like it’s your own and take it personally,” Sileo said.