Undergoing a digital transformation generates a lot of opportunities for financial firms to become more efficient, reduce operational risk and increase revenues. However, moving IT infrastructure to a cloud-based environment, if implemented incorrectly, can leave businesses more susceptible to a whole new plethora of cybersecurity threats.
Before the turn of the year, many studies were released showing that enterprise executives are planning to increase their cybersecurity budgets for 2021. What’s more, the World Economic Forum highlighted how information security and business continuity have become a greater priority since the outbreak of COVID-19.
A growing threat in Financial Services
Financial services are becoming more disproportionately targeted by hackers when compared to other industries, and almost 65% of large financial services companies were subjected to some form of cyber-attack last year. For many financial firms, it can be incredibly costly and time-consuming to implement the right cybersecurity practices on their businesses’ platform. This makes it even more vital for enterprises to consider what practices they have in place and where their operations need added protection so they can focus on their day-to-day operations – without fearing their systems will be compromised.
Recently, the SEC highlighted in its latest Risk Alert that “credential stuffing” cyber-attacks are growing against SEC-registered investment advisers, brokers and dealers. This involves a cyber-attack to client accounts by using compromised client login credentials and often results in loss of customer assets and unauthorized disclosure of sensitive personal information. It is becoming a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks.
As asset managers continue to digitize their businesses to stay afloat in the current environment, security needs to be maintained at the end-user to ensure they do not fall victim to these attacks. This is especially crucial in light of a recent report which found that around USD 147.4 trillion assets will be under management by asset and wealth management companies by 2025.
Measures to reduce risk of cybersecurity attacks
When it comes to implementing measures aimed at reducing cybersecurity breaches, some methods might sound straightforward and obvious but are overlooked.
- Password security is a prime example of this. It is crucial to enforce password complexity to mitigate the risk of being easily compromised through social engineering or a dictionary attack. For example, when creating personal accounts with some of the massive commercial companies in the world, such as Amazon or Google, individuals are asked to create a password to be a certain length, have at least one letter, at least one number, and to be case sensitive. Furthermore, businesses should encourage their employees to avoid using the same passwords across multiple personal and business accounts. Having these measures in place makes it a lot more difficult for hackers to gain unauthorized access to an account. However, some financial businesses fail to implement the right policies and procedures for password security, which can often leave them easy to guess, exposing their account and causing severe damages, both at a personal and business level.
- Multi-factor authentication is another key step in mitigating the risk of data breaches. In many cases, third-party authenticator apps are deployed by businesses to prevent unsolicited access to devices, accounts and/or data. This requires employees to log on to their accounts using their password in addition to a randomly-generated code or push notification. In the event a password becomes compromised, the hacker will still need to have access to another process of identification. Enforcing multi-factor authentication provides an added layer of security that can not only prevent unauthorized access but can also alert users to any attempts to access their accounts.
- Implementing controls that detect and prevent unauthorized access is another common action businesses can take. This can be in the form of adding in various requirements for employees such as timeframes and geographies to analyze and understand their traffic on a business’s platform. Therefore, if any activity should be recorded outside of these usual traffic parameters, it will alert the business of a potential breach, enabling employees to take quick and decisive action to address the issue and avoid fraudulent access to the firm’s systems.
- Web application firewalls are extremely effective in detecting and inhibiting credential stuffing attacks. These help to protect a company’s web applications by inspecting and filtering traffic between each web application and the internet. By implementing these controls, financial firms can limit access to fund transfers and prevent hackers from getting hold of personally identifiable information when an account is taken over.
By using a managed services provider, investment managers can take advantage of these measures and more, ensuring that their assets and IT infrastructure are safe from potential cybersecurity attacks.