Common sense would lead you to believe that cybercriminals are primarily targeting large corporations. The reality is they want easy access and valuable data. It is the information that makes the target attractive, not the size. Large companies have the resources to fight cyberattacks, but hackers understand that valuable private information is oftentimes more easily accessible through small and mid-sized businesses that do not always have the resources or knowledge to protect their data.
In the financial industry especially, we have access to and are provided with sensitive information daily, in connection with the normal business and operations of our companies. Thus, the financial services industry is a favored target for cybercriminals.
So much has changed in recent years with how employees of smaller businesses handle clients’ secure files and information. There was a time when confidential documents were left on desks overnight, file cabinets were rarely locked, and phone messages containing nonpublic information were left with no security measures in place. We never gave a second thought to the jeopardy we were putting our clients in for identity theft or devastating financial harm, not to mention the breach of goodwill and the business relationship.
The internet and email have dramatically changed the way business is conducted today. Now that electronic data transfer is overwhelmingly the preferred method of communicating information, cybercriminals have developed more and more sophisticated methods of gaining access for illicit purposes. Recently, we have all been introduced to countless – and sometimes mandated – security innovations, and have learned the hard way why prevention is key.
While the most frequent root cause of data breaches is malicious in nature (hacking, malware), human error still accounts for many of the data breaches encountered in small businesses today. This can be the result of carelessness around someone’s work area or during document disposal, as well as sensitive materials left or transported in one’s vehicle, on laptops and on mobile devices.
The most common way, however, to obtain information in a nefarious manner is through password breaches, simply because passwords are weak, left at a default value, easily guessed or missing altogether. A surprisingly large number of people leave lists of passwords in conspicuous places. Even when passwords are changed habitually, usually just one character is changed or added to the current password, which makes the new password easier to crack. Additionally, answers to many security questions can be found on social media sites, negating a second tier of protection.
Cyber events and data breaches continue to rise, often via social engineering; more people have opened phishing messages so far this year than last, and the number of infected attachments has also increased year over year. Spam accounts for the majority of all inbound emails.
There also continue to be new threats that challenge old solutions and technology. Many smaller businesses don’t have the resources – or a department – dedicated to upgrading and updating software and hardware consistently, which increases the risk of a cyberattack.
The risk to regulated entities is great due to the potential of significant financial losses to consumers of these services. The majority of small businesses are most concerned with protecting customer records and their own intellectual property. There is much that can be done to protect customers’ personal information from illegal access. In addition to the federal initiatives already set forth (the Financial Services Modernization Act, the Identity Theft Prevention Act of 2000, and the Consumer Financial Protection Bureau, to name the major ones), state- and industry-specific requirements have also been introduced. According to the New York State Department of Financial Services, certain minimum requirements need to be in place, and adoption of these regulations – effective March 2017 – is a priority for our state. This applies to all agents and agencies that hold a license in New York, and, by March 2019, all must be in compliance with all provisions that apply to them.
A few notable prevention tools are simple for small businesses to adopt, and will go a long way toward mitigating cyber risks.
- Invest in prevention tools – Make it a practice to allocate time, resources and budget to risk mitigation, and to evaluate and solidify your company’s entire security chain. Start with a risk/vulnerability assessment. Install security software. Set up encryption methods. Choose an archiving and supervision provider that can retrieve and store data. Employ penetration testing (hired assessors that try to defeat or bypass security features). Any monies dedicated to these prevention tools will pay off in the long run by saving your company money that might have been spent to recover from an attack.
- Multifactor authentication – When accessing websites, emails or internal documents, employ two-part authentication. In addition to the username and password, require a second factor. This can be a knowledge factor, such as a security question; a possession factor, such as a token or text message; or an inherence factor, such as a fingerprint or facial recognition.
- Secure email exchange – Secure email, encrypted so only the sender and receiver can read it, should become standard practice in a small business environment, especially within the financial industry, given the nature of the critical information exchanged. Thankfully, email security has become simpler and more web-based, and there is no shortage of companies that offer solutions to this end, in a range of prices, from free to a set fee per user. Beware that sometimes the less the solution costs, the more basic it is.
- Compliant texting – This starts with an enforced company-wide protocol. Over the past several years, texting among millennials, who represent a rising proportion of the financial services workforce, has become the preferred method of communication, surpassing phone calls as the dominant form. With the right third-party solution, compliance officers can easily capture, archive and supervise all business text communications, no matter which devices, operating systems, or carriers are used. This will not only monitor appropriate application and website usage (remember, there can be nefarious insiders, too), but it will also help prevent possible regulatory fines for failing to retain and supervise communications on company-issued phones.
- Incident response plan – While this is not a prevention tool exactly, it is important to develop an incident response plan to help you detect an attack and have procedures in place to minimize or contain the damage. A written plan and defined procedures help ensure everyone understands the steps that need to happen, and each person’s role. While each incident will be unique, laying out general rules and running exercises can quicken reaction times when a real incident occurs. Evaluate the plan regularly so that it becomes more optimized and streamlined. If possible, keep a 6-year audit record of those who had access to protected information. This can help identify patterns, and aid in more fine-tuned prevention efforts. For an extra layer of protection, more and more carriers are now offering cybersecurity insurance policies.
Regularly update your software solutions. Monitor your business credit reports. Encrypt your databases. Make these simple practices habitual.
Most of all, educate your employees on expected best practices and enforce your policies!
For further information, the New York state website for cybersecurity is at https://dfs.ny.gov/about/cybersecurity.htm.
Other sites that can offer clarification and useful materials are www.insurancejournal.com/news/national/2018/02/15/480708.htm and www.naic.org/cipr_topics/topic_cyber_risk.htm.
*Resources referenced for this article include the CyberSecurity Presentation provided by ESET, https://dfs.ny.gov/about/cybersecurity.htm, and the PaperClip Compliant Email Service Whitepaper, Rev 8/12/14.