eSentire’s Eldon Sprickerhoff says airtight policies and processes fortify up-to-date software.
On Sept. 19, Eldon Sprickerhoff of eSentire will speak at External IT’s inaugural Wealth Management Technology & Cybersecurity Summit in New York. This event gathers industry leaders and influencers for a day of collaboration and networking on the most crucial matters impacting their businesses. This blog is the third in the series of profiles of speakers for the upcoming summit.
A few years ago, the cybersecurity provider eSentire noticed suspicious activity on the operating system of a client. An employee at the client’s firm had conducted a simple Internet search about cell phone chargers, and the website the employee clicked onto as a result of that search triggered a malware attack.
It was “zero day” for the malware, so its code had yet to make news or prompt cybersecurity experts to protect against it. Over the next 24 hours, eSentire informed the client of the breach, then fought off and purged the virus as it tried to spread across the firm’s operating system. Incident response communications went all the way to the top of the firm.
“That client has five offices around the world,” said Eldon Sprickerhoff, founder and chief security strategist at eSentire, which serves numerous industries including the financial sector. “Its entire system could have been corrupted.” This real-life example demonstrates how pernicious hackers have become and why fast-acting cybersecurity measures are necessary for all firms.
RIAs and broker-dealers exhibit certain security gaps they ought to close now, before the inevitable attack occurs. Fortunately, several different types of technology exist, all of which firms should implement to combat the mounting threat. Any firms debating whether they ought to devote resources to better digital protection should simply ask themselves whether or not they want to survive.
One of the most common statements Sprickerhoff hears from clients is that they don’t know which cyber threats are real and which are imagined. This points to a huge gap in defenses: a lack of clarity on how airtight policies lead to safe procedures for using the most up-to-date cybersecurity software. Another big gap is a basic ignorance at firms about where sensitive data resides on their operating systems and where it flows – because it’s hard to defend something if you don’t know where it is.
That gap is understandable, since financial firms in particular can have thousands of data files accessible to hundreds of employees, clients and vendors, each of whom may access the system from various devices in any number of locations. That’s one reason why very few people should have full access to everything in a file server. If access is left unrestricted, a single person could make a mistake that encrypts the entire server. The other reason to restrict access is that, unbeknownst to the firm, a disgruntled insider may intentionally steal or damage data.
In the past couple of years, ransomware has emerged as the looming menace for firms. Its popularity has grown as hackers have used bitcoin to anonymously monetize data theft and destruction. The most common route of attack can exploit weaknesses at every step, and the longer this trail goes unknown, the bigger the risk.
Ransomware sent through email may penetrate upstream mail service providers. Ransomware that reaches the client environment may evade antivirus scans for malicious code at the user’s inbox. Users who click on emails harboring ransomware may lack sufficient cybersecurity training. And finally, out-of-date operating systems or old patches may allow ransomware to encrypt the user’s files.
A competent response calls for improving both the people and the technology at a firm’s disposal, and writing down formal guidelines to this effect, Sprickerhoff says. Considering the relatively small cost of outsourcing training and cybersecurity management, it’s wise to hire third-party experts that can provide ongoing, objective guidance. Elite consultants can help firms choose strategies fitting their asset size, number of clients and employees, domicile and service model.
Regardless of the chosen strategy, staff and clientele will need training on how to detect and avoid hackers and malware. Doing so in-house is often time-consuming and labor-intensive. In some cases, firms can more reliably assign costs to acquiring new software – although choosing vendors may feel daunting. These tools include next-generation firewalls, anti-spam and anti-malware programs, multifactor authentication, patch management, systemwide activity monitoring, and user-access control programs.
When firms that have not yet suffered a crippling cyber attack engage in the cost-benefit analysis of enhancing their defenses, they must strive to see the big picture. To be sure, firms should never pay so much for protection that business becomes unprofitable as a result.
But firms should determine what it costs to get their operating system 90-95% secure while remaining in growth mode, then upgrade accordingly. “You can never be 100% covered from all cyber attacks, because they evolve over time,” says Sprickerhoff. “But you can figure out what is justified and responsible for your business.”