Running a successful wealth and asset management business is filled with competing priorities and challenges. Market volatility and uncertainty in the economy ratchet up the pressures even further. But one of the biggest threats that many firms fail to take as seriously as they should is data security — their clients’ and their own.
While recognizing the importance of adequate cybersecurity is essential to business resilience, many companies overestimate the effectiveness of their current defenses and are ill-equipped to limit the impact or recover effectively when a breach occurs.
No organization flies below the radar when it comes to threat risk. Regardless of the size of your firm, attackers are out there trying to break into your networks, infiltrate your cloud systems and steal or ransom your data.
While companies are still fearful that their data – their intellectual property – could be stolen and sold to others, cybercriminals, overall, have shifted mindsets, going from “your data has value to someone else” to “your data has value to you.”
The rise of ransomware, fueled by cheap access to ransom services and tools and the emergence of access brokers, has democratized cybercrime. There’s a relatively low cost of entry for criminals to start targeting you.
Adapting to changing risks requires constant vigilance and commitment to action. It’s useful to shine a spotlight on some key realities about cybersecurity that may help you focus on vulnerabilities at your organization you may not have recognized.
1. Smaller businesses are an easier target than larger organizations
Small firms are less likely to invest in security measures to protect customer information at the level that large institutions are, which inherently raises their risk profile. Smaller firms tend to prioritize investments aimed at growing the business, acquiring clients and improving operational efficiencies. But nothing can derail a firm faster than turning a blind eye to security.
2. Trusted insiders pose just as big a threat as external attackers
Employee loyalty as a value has all but disappeared from the workplace. Recruiters are regularly trying to poach your staff, and when they do leave, it’s not uncommon for them to steal intellectual property that can serve them in their new role. They may be motivated to take data, thinking it would help them excel in their new job, convincing themselves it’s not wrong, let alone illegal. Similarly, staff thinking of leaving your firm to open their own shop may be prone to taking your information with them.
To defend against this kind of threat model, you need to be able to identify when an authorized user is starting to engage in unauthorized activity, such as mass downloads or activity at unexpected hours. You can counter this behavior with security monitoring that picks up suspicious user behavior patterns. As soon as you detect something of concern, you need to be able to respond to the activity and evaluate the circumstances.
Still, never rush to judgement if you notice this kind of behavior. Look for red flags and start an investigation, but no one should automatically be presumed to be involved in nefarious activities. That said, individuals with performance issues or someone brand new to your organization may pose a higher risk, all else being equal.
3. Insufficient identification and authentication of your system users leaves your business exposed
The cloud is where more and more work is managed, particularly at wealth and asset management firms that have small internal network capabilities. Online portfolio management systems or customer relationship platforms are provided by third-party services and the data is accessed remotely. The mistake many firms make is overlooking multifactor authentication (MFA) on the cloud applications the organization uses, or neglecting to integrate it into a single sign-on platform that validates the identity of users.
MFA must be enabled in all the spots you need it to be, including your VPN, your cloud-based email and your portfolio management system if that is in the cloud. MFA may be a premium feature that is part of a more expensive plan, but it’s always worth the expense. Because many people continue to use relatively weak passwords (and firms still allow them), having MFA in place as an additional safeguard is all the more important.
It’s also essential not to exempt any users from MFA requirements. Exempting high-level executives because MFA is a cumbersome step is inexcusable. The potential damage incurred if they experience a business email compromise is likely to be more significant precisely because of their role. People impersonate C-suite leaders in their attacks, which makes their accounts and online identities more vulnerable than those of other staff.
4. Failing to validate your security systems regularly increases your risk
Without penetration testing by an experienced outside firm, you may have no idea where your vulnerabilities are or how easily you can be breached. Repeated penetration tests can shed light on whether a firm actually made the changes recommended in the past.
Many firms remain unaware of the pace of technology change and how it affects their security posture. Knowing how someone can circumvent the measures you may already have in place can inform your decisions about additional or updated actions you need. Whatever security steps you took several years ago could be out of date and ineffective today. Your determination to be a resilient business can easily be undermined by inadequate attention to cybersecurity needs.
How Wipfli can help
The rising incidence of cyberattacks highlights the need for wealth and asset management firms to assess their security measures to protect the range of data they are responsible for. Wipfli’s team stays on top of threats and has deep experience helping organizations develop or fine-tune their protocols to defend against attacks. Contact us to learn more about our cybersecurity services.