When Suits Give Way to Sweatpants: New Work-from-Home Cyber Risks

April 24, 2020, by Smarsh

The coronavirus pandemic has triggered new cybersecurity risks for financial advisors, as employees around the world continue to adjust to working from home. While some broker-dealers already have robust cybersecurity programs in place, experts say there are steps advisors can take as well.

“Most enterprises had invested their resources into protecting corporate assets and investing in perimeter security,” says Sid Yenamandra, CEO of cybersecurity software company Entreda. “Now, the classic notion of a perimeter has extended to the employees' home networks. This creates a new set of challenges for unprepared organizations.”

Many broker-dealers were already facing a variation of this threat, with affiliated advisors scattered across the country, cybersecurity specialists say.

“Many have their own devices. Their own networks. These are all fiercely independent firms, so, they have their own sort of digital workflows,” Yenamandra explains. “How do the internal risk teams, how do the compliance teams, the IT teams, make sure all these folks out there in the field are doing what they need to?”

That’s why Advisor Group partnered with Entreda to develop a program called CyberGuard, which launched in July last year.

Once downloaded, the application scans an advisor's devices and looks to make sure they’ve taken certain basic steps, such as installing up-to-date anti-virus software. The advisor is assigned a cyber score, similar to a credit score, based on how secure they are.

Advisor Group sets a minimum score that advisors must meet before they are able to log into any of the company’s portals. If they score too low, they are prompted with steps they can take to improve their cybersecurity.

Yenamandra says a lot of broker-dealers have similar programs.

But Covid-19 has exacerbated this challenge, cybersecurity specialists say. As employees work remotely, the range of systems and networks that need to be secured extends even further.

“Check your home-based routers and WiFi,” advises Wes Stillman, CEO of RightSize Solutions, a cybersecurity provider for RIAs. “If you haven’t changed the default passwords, you should do that.”

Stillman also warns against using unsecured personal devices to log into secure work portals.

“Most fintech providers have spent millions to secure their environments,” he says. “And once in the environment, it’s really strong. But getting into that environment, the access to that environment, is where the vulnerability is.”

To mitigate that risk, Stillman suggests using multi-factor authentication wherever possible.

The use of password managers is also considered a general best practice, cybersecurity specialists say. These programs offer an encrypted place to store login information, so that different passwords can be used for every account one may have. Some password managers even generate secure randomized passwords.

Newly remote workers should be careful about blending the personal and professional too much, cybersecurity specialists say.

During a March 31 cybersecurity webinar moderated by Stillman, Jeff Groves, president of ComplianceWorks, offered a good rule of thumb: “If there are any prohibited communication types at work, they’re still prohibited here.”

Avoid blending personal and work

As suits give way to sweatpants, cybersecurity specialists say, employees should be careful not to let other standards slip.

Regulators have been known to hand out five-figure fines because of inappropriate text messaging, Groves said during the webinar. “Just because we’re at home and it’s easy doesn’t mean it’s appropriate to use,” he said.

Jason Lish, chief information security officer for Advisor Group, says “there is increased risk with blending personal browsing activity on company devices and networks, as many employees are not accustomed to working full time from home.”

Advisor Group, like many other businesses at this time, has increased its security awareness reminders, giving advisors tips on things like how to secure their home networks and webinar calls, says Lish.

The latter is particularly important right now, as increased reliance on video calls has led to a rise in “Zoom-bombing,” the hijacking of video teleconferences nicknamed after the popular software. The Federal Bureau of Investigation recently issued an article offering advice for that particular threat.

“We’ve also received positive feedback for several additional cybersecurity capabilities Advisor Group introduced last year, including secure remote access and encrypted network connectivity that provides an additional protection when working in remote setups,” Lish says.

Zoom-bombing isn’t the only threat that has escalated during the pandemic. “There’s no question that the industry is seeing increased attacks in the form of targeted phishing attempts to solicit user action, recorded voice scams, and text message scams,” Lish warns.

Financial advisors should be particularly wary of websites with Covid-19 in their name, which may have been set up by cyber criminals to play on current anxieties, Lish says, and induce someone to install malicious software or buy something they don’t need.

“Cyber criminals are acutely aware that internet users are more paranoid in a way that conditions them to spend more money on additional forms of protection, and they are increasingly working in a home setting where they’re not as vigilant as they normally would be,” he says.

Maintaining that vigilance is key, cybersecurity specialists say. Though cybersecurity best practices may be inconvenient, they are critical now more than ever, he notes.
