Small- to medium-size business security used to be somewhat straightforward. For many financial services firms, it was a simple matter of having a strong lock on the door, a sturdy safe in the office and some well-placed security cameras.
These days, however, a few lines of code is often all that may stand between cyber criminals and your clients’ assets. The business (and reputation) you’ve worked so hard to build over the years may be at risk, too.
Indeed, 75 percent of U.S. businesses experienced a cyberattack during the previous year, according to the 2020 State of Cybersecurity in Small to Medium Size Business study, conducted by the Ponemon Institute, sponsored by Keeper Security.1
And for a number of reasons, companies in the financial sector are highly attractive to cyber criminals. The average annualized cost to financial services companies affected is $18.37 million—the highest amount paid by industry segment, and a 10 percent increase over the previous year, as reported in the 2019 Cost of Cyber Crime Study undertaken by the Ponemon Institute and jointly developed by Accenture.2
Why your business may be vulnerable
Since hacking into larger businesses may require greater effort and more sophisticated strategies, small- and medium-size businesses need to assume that they could be the target of cyber thieves. So for most independent broker-dealers or RIA firms, it’s not a question of if they will be exposed to this risk—it’s more the questions of when and how hackers will choose to strike.
Surprisingly, many businesses still don’t take steps to defend themselves. According to the State of Cybersecurity in Small to Medium Size Business study, only 40% of business leaders revealed that they have a cyberattack prevention plan. Digital criminals know this fact, as well, which means you can expect their attacks to increase in frequency.
With so much at stake, here are three ways to protect your business against cyberfraud.
1. Manage risks
Exercising caution when using the internet is a best practice to adopt. This can include using different passwords for different platforms, and not using public Wi-Fi for financial transactions or sensitive work functions. Think about your business as a whole, and where potential online weaknesses might be.
- Make sure you secure client data and have up-to-date software throughout the system.
- Download and install the latest security updates on all your devices.
- Regularly back up data off-site as loss prevention measure against a potential ransomware attack (by which a hacker locks you out of your system until you pay the ransom demanded to return control to you).
You should also manage risks associated with any partners or subsidiaries in your network that could be used as an entry point for hackers. Do your due diligence with anyone who links into your systems to confirm that the steps they take to protect their data are adequate. You may want to periodically verify that these businesses you do business with are maintaining proper security protocols to keep up with changing technologies.
2. Educate yourself and employees
The weakest point in your cyber protection strategy also happens to be your first line of defense. Of course, we are talking about each employee at the individual level. Cyber scammers may target employees personally in attempts to trick them into providing information that will enable the hacker to access private areas of your network.
To help your employees successfully fend off potential cyber threats, establish security policies and procedures to protect sensitive information. Then explain these standards to employees so they understand why they are in place, how they apply, and the risks to themselves or the organization if they don’t follow them.
3. Have a plan
If a cyber attack may be a foregone conclusion, it’s important to have a plan in place to help minimize potential damage. To help protect clients, employees and the organization as a whole, the plan should include which parties need to be part of the decision process as the attack unfolds. Take advantage of the fact that you control the messaging as the attack happens, to make sure your clients and employees know and understand how you’re acting in their best interests.
After the attack, it’s important to take ownership of the event, be up front with all who were affected by it and communicate measures you plan to execute to help avoid a similar experience from happening again. If you do these things right, you maintain a level of integrity and trust with the clients that you service.
An ounce of prevention is worth a pound of cure
By implementing simple cybersecurity practices throughout your organization, you can safeguard your information and data. If you don’t have the internal resources to build and maintain your company’s cybersecurity defenses, consider hiring consultants or third-party vendors who specialize in helping businesses like yours fulfill cybersecurity needs.
The SIFMA cybersecurity resource center(Open in new window) offers authoritative information for independent broker-dealers and RIA firms.3 Topics include, but are not limited to, guidance for small firms, cyber insurance, sheltered harbor (customer data protection and restoration) and third-party risk management.
Please also download a complimentary copy of The Art of Fraud Prevention