The financial sector spent $90 billion on cybersecurity last year. What keeps the technologists in charge of financial firms’ cybersecurity efforts up at night?
Rachel Wilson, head of cybersecurity for Morgan Stanley’s Wealth Management unit, shared the major concerns and provided some cybersecurity advice for advisors at a general session on the first day of the 2018 NAPA 401(k) Summit in Nashville. Wilson joined Morgan Stanley in April 2017 following a 15-year career with the National Security Agency (NSA).
Risk Landscape
Wilson listed the top four things that keep her and her cybersecurity peers up at night.
- North Korea. The North Korean government is funding the development of its nuclear weapons program by hacking into banks and stealing millions of dollars, most notable the theft of $100 million from the Bank of Bangladesh.
- Organized Cybercrime. What Wilson termed “cyber crime syndicates” are aggressively targeting the financial sector, Wilson noted.
- Fraud. Financial institutions are facing a new strain of fraud, aided by cyber means, that “is much worse than just two years ago,” according to Wilson.
- New Malware. “All 40 major U.S. banks are suffering from “Marcher,” a new form of malware impacting Android devices,” Wilson explained. The program pretends to be a form of the popular Solitaire game for smartphones. When a user uses a mobile banking app on their smartphone, however, Marcher creates an overlay that allows hackers to capture their username and password – and thus access to their accounts. “Marcher can be purchased on the ‘Dark Web’ for $60,” according to Wilson.
‘The Weakest Link’
Wilson identified advisors as “the weakest link” in the financial services chain, and offered some suggestions for improving their personal and business practices – what she terms “cybersecurity hygiene.”
Drawing upon the lessons learned from last year’s Equifax breach, Wilson emphasized the importance of keeping all mission-critical software up to date by installing vendors’ updates – “patches” – immediately. Patches can be reverse-engineered by hackers, she noted, and used to hack into systems on which they have not yet been fully installed. “In the Equifax data breach, Equifax sent out a patch to their user firms, but some IT departments did not fully implement it, creating an opening for a breach,” she said. “The result: 150 million people had their personal information stolen.”
The Equifax breach also compounded a growing problem in cybersecurity, Wilson pointed out: authentication. For one thing, she noted, the breach highlighted the weakness of knowledge-based security authentication like Social Security number, mother’s maiden name, and other “secret” knowledge that, in today’s world, is no longer secret.
Phishing emails – as in the Nigerian prince archetype – are now informed by hacked personal information, Wilson noted, making them more authentic and much more different to identify as fraudulent. Wilson warned that advisors are now being targeted by hackers posing as prospects. “They are looking for personal information and information about the firm, and also for opportunities to download malware via links and spreadsheet files,” she warned.
Call centers have also emerged as a top target of cybersecurity fraud, Wilson noted, and thus a focus of financial firms’ cybersecurity efforts. In this type of scam, fake clients have been able to gain access to accounts and institute successful distribution requests. Defensive actions now being implemented in this area include biometrics, especially a validated voiceprint from the account holder.
[caption id="attachment_81083" align="alignright" width="200"]
Rachel Wilson discusses cybersecurity in regard to financial services[/caption]
Action Steps
Wilson offered some suggestions to help advisors avoid being victimized by cybercrime and cyberfraud:
- Don’t use public wifi hotspots on a work device. Not only can they be used to gain access to email and other data, but also to download malware to your device without your knowledge. Use a personal hotspot instead.
- Don’t download apps from a third party.
- Lock down what your permissions allow your apps to do.
- Don’t use public charging cords to recharge your device, like those sometimes offered by Uber drivers.
- Replace your manual passwords with a password manager service, which creates and stores complex passwords in a secure, non-documented environment.
- Don’t keep client data on a laptop or other device that you also use for email or browsing.
- If you deal with client data or communications outside your firm’s secure internal system, have a single device that you use for that purpose and nothing else. No browsing, no apps, no games – and no teenagers allowed.
