Are Small RIAs Perfect Targets for Cybercriminals?

Many small and mid-sized businesses think they aren’t a target for cybercriminals. But the truth is, they might be exactly the kind of target that cybercriminals like the most. And for small RIA firms, this might especially be the case because of the kind of data you can provide them access to.

Why smaller firms?

Quite simply, it’s often easier for the bad guy to get what he wants. Many smaller firms don’t have adequate systems and processes in place to keep cybercriminals out. For some companies, it’s a lack of financial investment in their system, and for others it may be a lack of understanding of what’s required or what inadequacies their current systems have. Others yet might simply think they aren’t big enough or important enough to be a target.

Why RIA firms?

If you were a cybercriminal, what kind of data would you want? Personal information, financial data, banking information? Exactly the kind of data RIAs have in their systems.

The number of incidents continues to rise.

PwC’s The Global State of Information Security® Survey 2015 shows some alarming trends. Between 2013 and 2014, detected security incidents increased by 48% to 42.8 million, or 117,339 attacks every day of the year. And over that same year, the number of organizations citing a loss of $20 million or more almost doubled.

What to do.

We have a whitepaper that outlines the 9 Urgent Security Protections Every RIA Firm Should Have in Place Now that goes into more detail, but here are those top recommendations summarized:

  1. Train Employees on Security Best Practices. PwC’s security survey told us that current and former employees were cited as the source of 65% of the security breaches. Employees can be a huge liability if they don’t know and aren’t regularly reminded of some of the precautions they can take in their day-to-day email and web use.
  2. Create and Enforce An Acceptable Use Policy (AUP). A comprehensive AUP will outline how employees can and cannot use company-owned software, hardware, internet access and email. Limiting what websites an employee can visit is a common component of AUPs. You can back up this policy with content-filtering firewalls and software but it’s equally important that you educate your employees on the risks to themselves and the company if they don’t use their access appropriately.
  3. Mandate Strong Passwords. SplashData publishes an annual list of the worst passwords. If your password for ANYTHING is “123456” or “password” – you really should stop reading now and go and change it. Change it often and remember that it should be at least 8 characters long, contain both upper and lower case, symbols and at least one number. Mobile devices should also be set up to require a passcode so a lost or stolen phone is less likely to become a liability.
  4. Keep Networks Up-To-Date. New vulnerabilities are often found in some of the most common software, like Microsoft Office. Keeping your system updated can help prevent some of these problems. Managed IT services are often set up to automate these updates so you have less to worry about.
  5. Create a Comprehensive Backup and Recovery Plan. Backup and recovery plans are good not just to protect yourself from data loss from hackers or employee mistakes, but they can also protect you in the event of natural disasters, fire, water damage, hardware failures or any other nightmare that results in the loss of your data. Your plan should include AUTOMATED backups and ongoing monitoring.

Have you heard of RANSOMWARE?

With “ransomware,” cybercriminals hack your system and hold your data or system ransom until you pay a fee. If your data is backed up, it can be recovered without paying anything to the hacker.

  6. Maintain Control of Software and File Downloads. While an app or file may look innocent enough, many cybercriminals use those innocent-looking platforms to embed not-so-innocent malicious software. A good firewall, employee training and monitoring can limit the risk.
  7. Speaking of the Firewall. A firewall is your frontline. It blocks anything from entering or leaving that isn’t specifically allowed. But firewalls need to be maintained and updated. Like your other systems, this should be done regularly and can be automated.
  8. Stay in Control of Remote Access. Most of your employees likely have mobile devices they use for work or use company hardware outside of the office to work remotely. A written policy for remote access is important, and technology is available to offer remote wipe, mobile phone lock and password complexity enforcement. Remote access technology is also available to keep data off of a mobile device and entirely on the server.
  9. Don’t Publish Your Email Address. Your email address moves a cybercriminal one step closer to hacking your system. We know you want potential clients to be able to reach out to you, but a phone number or generic email address can add another layer of protection for your firm.
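The password rules in recommendation 3 (at least 8 characters, upper and lower case, a symbol and at least one number, and nothing from the worst-passwords list), turned into a check a firm could run whenever a password is set. This is an added example, not code from the article, PwC or SplashData. The blocklist is constructed for the example: only “123456” and “password” come from the article, the other entries are hypothetical. It goes one step beyond the rules as stated by also rejecting a password that merely dresses up a blocklisted word with a capital, a digit and a symbol (such as “Password1!”), which the composition rules alone would accept.

```python
"""Password policy check for the rules in recommendation 3.

Added example, not the article's own code. The blocklist below is constructed
for illustration: "123456" and "password" are named in the article, the rest
are hypothetical stand-ins for a real worst-passwords list.
"""
import string

MIN_LENGTH = 8

# Constructed blocklist (a real deployment would load the full published list).
WORST_PASSWORDS = frozenset({"123456", "password", "qwerty", "12345678", "letmein"})


def _alphabetic_core(candidate: str) -> str:
    """Lowercase the candidate and keep only letters, so that
    'Password1!' reduces to 'password' for the blocklist check."""
    return "".join(c for c in candidate.lower() if c.isalpha())


def password_violations(candidate: str, blocklist=WORST_PASSWORDS) -> list[str]:
    """Return every rule the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    # Reject both exact blocklist hits and blocklisted words padded out with
    # digits and symbols, which satisfy the composition rules but are still weak.
    core = _alphabetic_core(candidate)
    if candidate.lower() in blocklist or (core and core in blocklist):
        problems.append("based on a known-bad password")
    return problems


def is_acceptable(candidate: str, blocklist=WORST_PASSWORDS) -> bool:
    """True when the candidate satisfies every rule."""
    return not password_violations(candidate, blocklist)


if __name__ == "__main__":
    for sample in ("123456", "Password1!", "Ledger-Q7vm!"):
        verdict = "OK" if is_acceptable(sample) else "REJECT"
        print(f"{sample!r}: {verdict} {password_violations(sample)}")
```

Because the check returns the list of failed rules rather than a bare yes/no, the same function can drive a helpful message at password-change time and a periodic audit that reports which rule is most often missed, which is what the article's "regularly reminded" training point needs.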