As a follow-up to one of our hottest and most talked-about discussions at the 2018 Ultimus Client Summit, Shawn Waldman shares more insightful knowledge and tips regarding cybersecurity. Over the years, cybersecurity has become more and more complex because the threats have also grown in complexity. Years ago, just installing anti-virus on computers was pretty much sufficient. Then, scanning email for problems was the next iteration. Now, neither of those is adequate even at the most basic level.
Ultimus’ VP and Director of Information Technology, Steve Nienhaus, and Shawn review the top security tips and the concept of the ‘layered approach’ in this Q&A-format blog post. Continue reading to learn about the measures you must take to ensure your business is safe.
Steve: Do investment advisers really need to be worried about this? If they’re not a big fish, why would anyone be interested in attacking them?
Shawn: First of all, advisers have legal obligations to protect whatever confidential information they have. And those obligations are becoming more and more stringent. For example, the European Union recently put their General Data Protection Regulation (GDPR) into effect, which includes an extensive set of requirements that covers anyone holding confidential information about any EU resident. The state of Massachusetts has, for a number of years, had more stringent rules than other states regarding the protection of confidential data of its own citizens. New York recently implemented strict rules for New York companies. California has now passed the California Consumer Privacy Act of 2018, which ratchets up the requirements even further. I think it is safe to say that we can expect more to come.
We’ve seen the news stories. If firms have financial data of any kind, they are a target. And even if they don’t have someone’s financial data and aren’t the ultimate target, there is always the potential to be an intermediate target. Black hat actors may want to use intermediate systems and infrastructure as a means to get at other systems. If they can leverage systems as ‘bots’ to get to other systems, that is incentive in and of itself. Being an unwitting aid in attacking someone else’s system is obviously not a role anyone wants to be playing.
Steve: If resources are limited, where should advisers focus their attention?
Shawn: This is a difficult question because cybersecurity is based on doing a number of related things. It’s not just “do this and that but skip the rest to save some money.” And it’s no secret that a fortune can be spent on cybersecurity while still providing no guarantee against falling victim to some form of security breach.
Standards organizations such as the National Institute of Standards and Technology (NIST), SANS and the International Organization for Standardization (ISO) have published frameworks for cybersecurity programs as well as other valuable educational materials. This is a good place to start educating oneself about what a program needs to do.
Steve: Is having anti-virus on all firm computers enough?
Shawn: There was a time when having anti-virus on PCs would have been considered a reasonable defense. But those days have long since passed. That’s no longer enough even as a baseline defense. While traditional anti-virus software has expanded the kinds of malware it aims to protect against, it’s still a good idea to have a “second set of eyes” in place. Products are different; some products are better at detecting some kinds of malware while another is better at detecting other kinds.
Note that there are many vendors who offer anti-virus and anti-malware products for free to home users because those systems don’t require the extensive management capabilities that businesses with a significant number of systems do. It’s worth the time to research those options for your own home systems.
Steve: Performing backups regularly covers advisers, right?
Shawn: Not necessarily. Of course, backups are critical. But where are they kept? Are the only backups sitting on a network in reach of a crypto-breach that could end up encrypting all of the backups as well as the rest of any on-line data? It’s important to have backups that are out of reach, such as in the cloud. So, a combination approach, where there are backups on-site for convenience and backups off-site for extra safety, is highly advisable. I’d also recommend, if the risk is high enough, to maintain an offline copy as well as a last resort.
Steve: What worries you the most? What is it that keeps you up at night?
Shawn: Let’s assume an adviser worked with security professionals to implement a reasonable security program in their company. And there are system protections and monitoring in place and the systems are being patched and it is doing “all the right things.”
At the end of the day, with all of the technology in place that is reasonably affordable, the one thing that remains the ‘weak link’ in any security program is human nature. That’s why black hat actors use the methods that they do. Phishing scams and other forms of social engineering remain the method of choice for one reason – they work. Even with layers and layers of technology in place, if the bad guys can still obtain a password over the phone, it may all be for naught.
So, it’s essential to continue training employees. We’ve seen significant improvement with each round of testing and training in terms of how many people fall for follow-up phishing scams. But statistics confirm that firms hit a ceiling at some point. They never get to a 100% success rate. And unfortunately, that one failure can be the one that triggers an existential crisis for the business. So…keep training employees. Keep them updated on what’s going on in the security realm. Let them know when there’s a prevalent scam going on surrounding the most recent natural disaster. (Unfortunately, scammers love to leverage disasters to play on our tendency to want to help and do something for those in need.)
Steve: Let’s go back to the concept of a “layered approach.” Can you elaborate?
Shawn: In summary, a good cybersecurity program is often based on the onion analogy. If bad actors get through the first layer, e.g. they manage to get a piece of crypto-locker malware installed on an employee’s computer, there need to be additional layers of protection below that. In other words, effectively quarantine that problem to minimize any damage. If they happen to penetrate another layer, are there additional layers of protection beneath that? Here is an example of a layered approach:
Anti-Virus and Anti-Malware Solutions – As mentioned already, this is the outermost layer. Necessary but not nearly enough.
Vulnerability Scanning – Periodically (e.g. monthly) perform a scan through systems to make sure everything is patched and up to date. Vendors update their software regularly, sometimes even daily, because of security issues, meaning there is a need to keep up. This can be difficult for a couple of reasons – it’s a lot of work to keep dozens or even hundreds of systems patched. And there are times when new patches break things. And often that is learned the hard way.
Intrusion Detection and Prevention – At the perimeter of the network, make sure only permitted traffic is allowed in and out. Next-generation firewalls have become much more sophisticated at evaluating traffic and determining what’s “normal” and what is “unusual” and therefore suspicious.
Compliance, Auditing and Logging – Keep tabs on what’s happening on the network and keep records, such as reports to review and archives (for forensics purposes). If someone keeps trying to log in under a privileged account and keeps failing, that is information worth knowing!
End User Security Training – We’re all in this together and we’re all counting on one another to be smart about security.
Security Incident Event Management – Know what to do if something does happen. Practice and prepare before something happens so if it does, there is a plan to minimize the damage.
In the end, yes, cybersecurity has become more and more complex. But if addressed in a logical and well-thought-out way, with the guidance of an expert, protecting your business – to be able to continue doing business – is essential. At Ultimus, we take cybersecurity very seriously and invest great resources to make sure our business is protected as well as it can be given the state of the environment. Testing, training, testing, training, updating, investing. It is part of our everyday business.
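One way to act on the logging point in the layered approach above (repeated failed logins against a privileged account being "information worth knowing"), as an added example that is not part of the original post: a small Python detector run over constructed sshd-style log lines. The set of privileged account names, the five-failures-in-ten-minutes threshold and the log lines themselves are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): one burst of root
# failures, a normal user login, and two widely spaced 'admin' failures.
SAMPLE_LOG = """\
Jan 14 09:01:02 fileserver sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 14 09:01:05 fileserver sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 14 09:01:09 fileserver sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 14 09:01:12 fileserver sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 14 09:01:15 fileserver sshd[2101]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 14 09:02:40 fileserver sshd[2188]: Accepted publickey for jsmith from 192.0.2.15 port 40222 ssh2
Jan 14 09:03:01 fileserver sshd[2190]: Failed password for jsmith from 192.0.2.15 port 40230 ssh2
Jan 14 09:04:31 fileserver sshd[2190]: Failed password for admin from 198.51.100.9 port 60010 ssh2
Jan 14 11:30:00 fileserver sshd[2401]: Failed password for admin from 198.51.100.9 port 60011 ssh2
"""

# Assumed list of accounts the firm treats as privileged.
PRIVILEGED = {"root", "admin", "administrator"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, user, source_ip) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def privileged_failures(text, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, src): peak_count} for privileged accounts that saw at
    least `threshold` failures from one source inside a sliding `window`."""
    alerts = {}
    recent = defaultdict(list)  # (user, src) -> timestamps inside the window
    for ts, user, src in parse_failures(text):
        if user not in PRIVILEGED:
            continue
        times = recent[(user, src)]
        times.append(ts)
        while times and ts - times[0] > window:  # age out old failures
            times.pop(0)
        if len(times) >= threshold:
            alerts[(user, src)] = max(alerts.get((user, src), 0), len(times))
    return alerts

if __name__ == "__main__":
    for (user, src), n in privileged_failures(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed logins for privileged account {user!r} from {src}")
```

The two 'admin' failures never alert because they fall outside the ten-minute window, which is the point of alerting on a burst rather than on any single failure.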
Shawn Waldman is President and CEO at Secure Cyber Defense, a cybersecurity service company that provides consulting in today’s cyber warfare world. Services include security assessments, risk analysis, consulting and threat monitoring for any size organization.