Cybersecurity: Don’t Become the Hacker’s Next Victim
Investment professionals need to focus on the threat poor cybersecurity poses to asset managers of all sizes.
Cybercrime and cyberespionage cost the US economy about $100 billion annually, and the worldwide toll is climbing toward $300 billion. These numbers are projected to rise even further as the severity and frequency of attacks increase.
Firms that fall victim to cybercrime potentially face a complete loss of client confidence. How much damage can result from weak cybersecurity? Just read the latest headlines about data breaches at large, sophisticated firms like Home Depot, JP Morgan Chase, and Experian.
Despite all the recent publicity about cybersecurity, many still question whether asset managers need training in it. After all, the thinking goes, why would hackers target the asset management industry? Why should busy investment professionals bother to learn about something so technical?
These Were Decent Questions . . . 10 Years Ago
Hackers prey on the mentally unprepared, and the greatest weapon they have in their arsenals is their targets’ apathy. Nothing sounds sweeter to a hacker than the words “It won’t happen to me.” Combine a general lack of interest in cybersecurity with the massive quantities of client wealth and confidential information stored online, and it is obvious why the asset management industry is a prime target for hackers.
Still, investment professionals’ apathy about cybersecurity is somewhat understandable. Much of the training is esoteric, intimidating, and boring. But it doesn’t have to be. Hacking is actually quite an interesting process. Consider this hypothetical attack:
Stage 1: Reconnaissance
Everyone leaves a digital trail online: traces of the sites they visited, the purchases they made, etc. Hackers have ways of tracking this information through a process known as footprinting, the most important and overlooked part of any cyberattack. Footprinting is free, legal, difficult to prevent, and nearly impossible to detect.
Suppose a cybercriminal wants to obtain confidential information about high-net-worth individuals (HNWIs) at Company X. To begin, the hacker searches Company X’s LinkedIn page to find members of the portfolio management team who would have access to the client database. In particular, the cybercriminal focuses on one individual, “Mr. Doe.” Because Mr. Doe is an avid social media user, the hacker is able to ascertain his personal email address, social circles, and internet browsing habits via his digital footprint.
Next, the attacker uses a port scanner and recent Twitter updates to find that Mr. Doe often conducts personal business on his company laptop during lunch breaks.
Stage 2: Infiltration
The hacker scours Mr. Doe’s social media postings and learns that he plans to attend a fundraiser for a nonprofit, “Volunteer Organization A.” The attacker discovers that Mr. Doe is a board member and longtime supporter of the group.
Based on this information, the cybercriminal composes a credible spear phishing email. To fool Mr. Doe, the hacker purchases a URL very similar to that of Volunteer Organization A and builds an email template to match its branding.
The hacker sends Mr. Doe a message from the fake Volunteer Organization A email address. The attacker knows how to entice Mr. Doe and phrases the message to sound like a confirmation for his seat at the upcoming fundraiser. The cybercriminal also times the message so that Mr. Doe will receive it during his lunch, which is when he tends to use his company computer for personal business. The unsuspecting Mr. Doe takes the bait and clicks the “Confirm” button contained in the email.
Stage 3: Escalation
The attacker has embedded a piece of malicious software known as a “remote access tool” in the fake “Confirm” link. Once Mr. Doe clicks on it, the hacker has complete access to his work laptop and can now use the computer to download thousands of confidential client files.
Stage 4: Exploitation
The cybercriminal uses the confidential client files to obtain illicit lines of credit and to forge identities that can be employed in future attacks. In addition, the hacker uploads the data to the dark web, where the information will be sold to other cybercriminals. Word of the successful attack is anonymously leaked to the media. Details of Company X’s cyberbreach are widely disseminated, severely damaging the company’s reputation.
Before writing Mr. Doe off as another hapless victim, consider how common and simple his mistakes are. Indeed, many well-educated and informed professionals commit these same errors every day.
But avoiding such mistakes and preventing these attacks is not impossible. Here are a few tips to remember:
- Be careful how much you share on social media. Hackers use public information to build credibility and perfect their attack methods. Frequent posts about your location, interests, coworkers, or hobbies generate a large pool of information for cybercriminals to exploit, allowing them to find a convincing pretext and identify gaps in your cybersecurity.
- Avoid conducting personal business on sensitive machines like work-issued laptops. Segregating devices prevents hackers from exploiting personal accounts, which often have fewer security measures.
- Be mindful of when you let your guard down. Hackers will take advantage if you are overly trusting and inclined to believe a good story. Skilled cybercriminals craft their attacks so that they seem to come from a credible source, such as a coworker, friend, or loved one. Inspect the email addresses and embedded URLs before clicking any link in a message.
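The third tip, inspecting addresses and embedded links before clicking, is something that can be partly automated on the defender's side. The following script is an added example and is not code from the original post or from CFA Institute; it parses the anchor tags in an HTML email body and flags links that point somewhere other than what the visible text shows, links whose domain is a near-miss of a domain the reader trusts (the "purchases a URL very similar to that of Volunteer Organization A" trick in the scenario), and links that are not served over HTTPS. The trusted domain `volunteer-org-a.example` and the sample email are constructed for illustration, and the registrable-domain helper is deliberately crude (last two labels) where production code would consult a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domains this reader legitimately expects mail from.
TRUSTED_DOMAINS = {"volunteer-org-a.example"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Crude approximation: keep the last two labels. Real code should use a
    # public-suffix list so that e.g. "example.co.uk" is handled correctly.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'unknown-domain', or a comma-separated list of warnings."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    dom = registrable_domain(host)
    if dom in trusted:
        return "trusted"
    reasons = []
    # 1. The visible text shows a URL, but the real destination host differs.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != dom:
        reasons.append("display-host-mismatch")
    # 2. The domain is a near-miss of a trusted one, or embeds the trusted
    #    name as a subdomain of some other registrable domain.
    for t in trusted:
        tname, dname = t.split(".")[0], dom.split(".")[0]
        if edit_distance(dname, tname) <= 2 or (tname in host and dom != t):
            reasons.append(f"lookalike-of:{t}")
            break
    # 3. Plain HTTP means the destination can be tampered with in transit.
    if parsed.scheme == "http":
        reasons.append("not-https")
    return ",".join(reasons) if reasons else "unknown-domain"


def analyze_email(html, trusted=TRUSTED_DOMAINS):
    return [
        {"href": href, "text": text, "verdict": classify_link(href, text, trusted)}
        for href, text in extract_links(html)
    ]


# Constructed sample: one genuine link, one lookalike domain, one link whose
# visible text hides a different (and unencrypted) destination.
SAMPLE_EMAIL = """
<p>Dear Mr. Doe, please confirm your seat at the fundraiser.</p>
<a href="https://www.volunteer-org-a.example/events">Event details</a>
<a href="https://volunteer-0rg-a.example/confirm">Confirm</a>
<a href="http://volunteer-org-a.example.tickets-host.example/login">https://volunteer-org-a.example/login</a>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print(f"{finding['verdict']:60} {finding['href']}")
```

Run as-is, the script marks the first link trusted, the second as a lookalike of the trusted domain (a zero in place of the letter "o"), and the third with all three warnings. The edit-distance threshold of 2 is a tuning choice: raising it catches more lookalikes but will also flag unrelated short domains, so a real mail gateway would pair this with a list of known-good senders and the organisation's own domains.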
Hopefully this all instills a healthy dose of what cybersecurity experts call “professional paranoia.” It is important to develop that voice in the back of your mind that cautions against oversharing on social media or using “password123” to lock a work computer.
Knowledge is power in the world of cybersecurity, and just a little insight into how hackers think and operate can better prepare you for the next potential attack and help turn the tide against cybercrime.
All posts are the opinion of the author. As such, they should not be construed as investment advice, nor do the opinions expressed necessarily reflect the views of CFA Institute or the author’s employer.