There are several important steps that RIA firms should be taking now — if they haven’t already — to reduce their risk of cybersecurity issues, especially now that their practices have largely gone remote as a result of the coronavirus pandemic, according to GJ King, president of RIA in a Box.
During a webinar Friday called “How to Manage Cybersecurity Risks with the Coronavirus Disruption,” he pointed to three key areas that RIA firms need to focus on as part of their cybersecurity considerations: People, technology and vendors.
Vulnerabilities with people include phishing, ransomware and spyware; preventive steps for those include access controls, employee training and phishing testing. Underscoring the importance of employee training, King said those who work for you “are your firm’s greatest cybersecurity defense or weakness” because they are “being targeted more than ever right now during this disruption” and are at their most vulnerable.
“We’re seeing a huge increase in email phishing attacks targeted at RIA firms,” he told listeners. He pointed to a few specific email phishing attacks seen in the industry recently that advisors and their firms should avoid at all costs.
There have been “fake delivery of household goods confirmations” and fake Amazon order confirmations, where scammers “try to get employees to click on and enter in user credentials to confirm orders” of hand sanitizers and other products, he warned. Those kinds of attempts have been happening more often now, he told listeners.
There are also “fake charities being set up right now, trying to encourage employees to provide billing” and other information to make donations. Also being seen are scam emails “claiming to be from authoritative sources” including the World Health Organization, he noted.
The latter was among the phishing attacks that law firm Eversheds Sutherland recently predicted we would see more of now, along with emails from scammers claiming to be from other health-related organizations and even companies’ own human resources departments.
RIAs should also be on the lookout for scammers who email employees claiming they need to download software onto their devices to work remotely, when that software is actually malware, King warned.
Meanwhile, as more companies shift to Voice over Internet Protocol phone systems, “voice mail downloads are kind of scary right now” as scammers send fake voice mails as attachments in some phishing attempts, he said.
RIA firms should immediately conduct cybersecurity training if they haven’t already, and the five key areas they should focus on are internet security, company vs. personal devices, email phishing, wire transfers and protection of client information, he said. Hackers are beginning to target high-net-worth individuals more often, according to RIA in a Box.
Regarding wire transfers, King said it is crucial that firms make sure policies are being followed with “absolutely no exceptions during this unique time.”
Employees should also be told to make sure their devices remain secure while working remotely, he said, noting one way to do that is to make certain they are “only accessing the Internet through secure Wi-Fi connections.”
Tech vulnerabilities, meanwhile, include companies’ networks, endpoint devices, email and websites, and prevention initiatives for them include setting up firewalls, penetration testing and endpoint security, he noted.
Because so many people are working remotely now, “that means there’s probably no one in your office,” he said. Therefore, now is the time in which “your server is most vulnerable,” he warned, suggesting all RIA firms make sure they are monitoring network activity and that “all the latest security patches are installed on that server or network at your office.” Firms also need to make certain nobody has physically broken into their offices and accessed their networks to steal “sensitive client files,” he noted.
Vulnerabilities with a company’s vendors include business continuity initiatives when working remotely, integration partner access and cloud/Software-as-a-Service storage breaches; preventive steps for those include risk assessment and vendor due diligence, King said.
In another recent webinar, King provided RIA firms with advice on business continuity and regulatory matters, while touching on some cybersecurity issues.