Financial advisors often make serious cybersecurity mistakes without realizing it. These seemingly minor errors in judgment can significantly increase their risk of data breaches and cyberattacks. What can they do to improve their security posture? Here are some common mistakes and how to avoid them.
1. Making Compliance the Goal
Financial advisors often mistakenly consider compliance the goal. In reality, it should be the baseline. For instance, while the United States Securities and Exchange Commission requires an annual cybersecurity report detailing vulnerabilities and mitigation efforts, reviewing security risks just once yearly is insufficient.
The number of data violations due to cyberattacks is rising. It increased from 268 instances in 2022 to 744 in 2023, a 177.6% increase year-over-year. Professionals don’t have to prioritize reporting to enhance their cybersecurity posture — improving visibility is enough. They should gather and act on data more often, considering compliance requirements as the starting point.
2. Discounting Backup Importance
In finance, backups are often outdated hard drives operating on legacy systems. The data storage equipment sits in mildewy basements or cramped closets, only receiving attention when necessary. Many long-standing institutions have grown used to letting their data sit untouched. After all, why fix what isn’t broken?
In reality, leaving storage systems — especially backups — out of sight and out of mind is often a death sentence for data. While cyberattacks typically end in exfiltration or encryption, anything from water damage to power surges can corrupt stored data. In these situations, data loss is inevitable and recovery becomes unfeasible.
Backups are only good if they are intact and recent. Moreover, firms must store information in a secure location to maintain privacy and security. Prioritizing backup integrity and security is essential for data loss prevention. It also provides resiliency to ransomware and man-in-the-middle attacks.
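Added example, not code from the original article: a small Python check that treats a backup as usable only when it is both intact (its SHA-256 matches a manifest recorded when the backup was taken) and recent (within an assumed 24-hour policy window). The manifest format, the policy window and the sample backup file are all constructed for this illustration.

```python
"""Verify that a backup is intact (hash matches) and recent (within a policy window)."""
import hashlib
import os
import tempfile
import time

MAX_AGE_HOURS = 24  # assumed policy: a backup older than this is stale


def sha256_of(path):
    """Stream the file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(backup_path, manifest, now=None, max_age_hours=MAX_AGE_HOURS):
    """Return findings; 'ok' is True only if the backup exists, is intact and is fresh."""
    now = time.time() if now is None else now
    findings = {"exists": os.path.isfile(backup_path), "intact": False, "recent": False}
    if not findings["exists"]:
        findings["ok"] = False
        return findings
    findings["intact"] = sha256_of(backup_path) == manifest["sha256"]
    age_hours = (now - manifest["created"]) / 3600
    findings["age_hours"] = round(age_hours, 2)
    # a negative age means clock skew or a tampered manifest; treat it as not recent
    findings["recent"] = 0 <= age_hours <= max_age_hours
    findings["ok"] = findings["intact"] and findings["recent"]
    return findings


def demo():
    """Constructed sample: a good backup, the same file silently corrupted, then a stale one."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "clients.db.bak")
        with open(path, "wb") as f:
            f.write(b"constructed backup payload\n" * 100)
        manifest = {"sha256": sha256_of(path), "created": time.time() - 3 * 3600}
        good = verify_backup(path, manifest)
        with open(path, "r+b") as f:  # flip one byte: size unchanged, hash changes
            f.seek(10)
            f.write(b"X")
        corrupted = verify_backup(path, manifest)
        stale = verify_backup(path, {"sha256": sha256_of(path), "created": time.time() - 72 * 3600})
        return good, corrupted, stale


if __name__ == "__main__":
    for label, result in zip(("good", "corrupted", "stale"), demo()):
        print(label, result)
```

A size or "file exists" check alone would have passed the corrupted copy; only the hash comparison catches it, which is why the manifest should be stored separately from the backup itself.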
3. Not Budgeting for Cybersecurity
Most business leaders do not adequately budget for cybersecurity, with many neglecting funding to mitigate common cyberthreats. For instance, just 8.2% of IT budgets go toward insider threat management — unsurprisingly, 58% of professionals feel their current spending is inadequate.
Adequate budgeting for cybersecurity is vital for updating legacy systems, securing networks and recovering from cyberattacks promptly. If financial advisors can’t increase funding themselves, they must make their case to a decision-maker. Putting together infographics on today’s cyberthreats can help them secure buy-in.
4. Putting off Security Updates
High- and critical-severity threats are more common than most finance professionals think. Many put off security updates, assuming the risk is not significant. However, even one missed patch can allow cybercriminals to infiltrate a network or system. Since the legal repercussions of a breach are so severe in this industry, caution is essential.
Many firms fall behind on security patches because the work is tedious and constant. Automation is the ideal solution. Already, 75% of banks have incorporated artificial intelligence into operations. Financial advisors should follow suit, using this technology to automate the bulk of updating software and hardware.
5. Not Managing Work Devices
How often do employees take their work laptops home? Do they keep up with security patches? How many of their login attempts are legitimate? When staff members bring their work home, their employer instantly loses visibility. Cybercriminals thrive in ambiguity — their login attempts and brute-force attacks are more likely to go unnoticed.
Vendors should be held accountable to the same extent that employees are. After all, third-party attacks increased to 49% in 2022, up from 44% in 2021. Visibility into their actions is already limited, so they should only be allowed to take work devices away from the office with explicit authorization and security procedures in place.
Decision-makers should consider implementing security features to reduce the risk of man-in-the-middle attacks and physical tampering. For example, they can enable session timeouts to log out inactive users or turn off high-risk settings like the remote access feature. This way, they enhance visibility into network and system actions.
6. Neglecting Cybersecurity Training
Cybersecurity training is vital because most issues stem from employees’ mistakes. Almost all cybersecurity incidents — around 95% — can be traced back to human error. Whether they fall for a social engineering attack or step away from their logged-in laptop, they give cybercriminals an opening.
Financial advisors should brush up on the latest guidance to ensure they are aware of relevant cyberthreats and best practices. Any employees or colleagues should do the same. Since the cybersecurity landscape is ever-evolving — and it takes just one person to let a cybercriminal in — everyone must be well-versed in what they should do to stay secure.
Improving the Firm’s Cybersecurity Posture
Financial advisors shouldn’t feel discouraged if they’ve made most of these mistakes — many people in their industry are in the same position. If they can’t fix them all at once, they should prioritize based on a pre-assigned threat level.