When the SWIFT global banking network was hacked earlier this year, it was yet another wake-up call for all businesses to bring cybersystems up to secure standards. The hackers found the weak link of the SWIFT system, targeting the Bangladesh central bank and implanting malware that would go into action when the right events occurred. They did and the thieves got away with $81 million.
Experts estimate that at least $450 billion globally will be lost to cybercrime and hackers this year alone. Though monetary loses are bad, cyberthieves also are on the hunt for personal information, such as Social Security numbers, passwords, intellectual property and identities, and ultimately inroads for other attacks. RIAs are especially vulnerable as target rich environments.
Mike Brice calls cybercrime the “hidden epidemic.” Although warnings to fortify cybersecurity systems are getting shriller, some companies still haven’t seen the benefit. Brice’s consulting firm, BW Cyber Services, understands the issues that cause companies to flinch when told the cost of protection. Yet in a business built on protecting assets and risk management, it seems financial advisory firms would see the light right away, he said.
Two main perpetrators of cyberattacks on financial managers, especially those in the under $2 billion AUM zone, are organized hackers and “script kiddies.” The latter is just people hacking into systems using public code for bragging rights. The main threat is from organized crime, which has built a multi-billion dollar business on implementing various malware, ransomware and social engineering techniques.
Simply put, ransomware infects a company network and “cryptolocks” it out until a ransom is paid (typically in bitcoin). Two dangers beyond the obvious regulation and reputation damage it can cause are that ransomware can remain in the system even after action has been taken to mitigate it, and second, managers often don’t report the breach. The Securities and Exchange Commission is less patient with this later action, Brice said, and has now fined firms – which include even large companies – for not admitting a breach.
Social engineering uses social media against users to spoof targets, Brice said. A 2016 Symantec study says small businesses of under 250 employees are most likely today to be targets of these attacks – especially spear phishing – up to 43% in 2015 from 18% in 2011.
Brice told a story of a firm that hired a new CFO who put his new position on LinkedIn, which was flagged by organized crime. The bandits got the CEO’s email from Facebook and on a late Friday afternoon sent the new CFO a note from the “CEO” stating the need to transfer funds immediately. The CFO “eager to please and not yet familiar with all the controls” wired the money and let the CEO know Monday morning he had taken care of the transfer. When they called the FBI to report the attack, the agency said if it was a loss of less than $1 million, they didn’t have resources to follow up. “It just shows how prevalent and successful organized crime is in leveraging various cyber techniques,” Brice said.
By Ginger Szala