“Once you’re required by the courts to do anything, your ability to negotiate price is now gone.”
–- Brian Edelman
Brian Edelman is a nationally recognized cybersecurity expert specializing in the financial services industry. He is the CEO of FCI, a Managed Security Service Provider (MSSP), which he founded in 1995. FCI offers a comprehensive suite of cybersecurity solutions that are customized for financial services firms. One of Brian’s areas of expertise is cybersecurity regulations and compliance at both the federal and state levels. This includes the 23 NYCRR 500 regulations from the NY Department of Financial Services (NYDFS), which impact almost every major financial services organization. Brian is frequently asked to speak at major industry conferences such as TD Ameritrade LINC, The Financial Planning Association, and T3 TechHub.
Now hit the Play button!
This episode is brought to you by Ezra Group Consulting. Hiring the right technology consultants can have a huge impact on your business, while the wrong ones can crater it. If your company sells software or services to the wealth management industry, Ezra Group can help you improve your products, better understand your target markets and gain insight into your competitors.
Topics Covered in this Episode
- How to build a culture of cyber experts [00:53]
- Brian’s background in cybersecurity [7:26]
- How firms can better prepare for SEC audits [9:17]
- Data loss prevention tools [17:24]
- How to find common ground between enabling advisors to do their job efficiently and securely [23:09]
- CleverDome – what is it? [26:47]
- How firms can do a better job in education their staff about social engineering attacks [31:11]
- BYOD – bring your own device [37:30]
- What are attack surfaces? [39:23]
- Insider threats, how to prepare for and deal with them [40:50]
- Protecting your clients’ privacy [48:13]
- Plugging into Alexa on your work network [53:45]
- Emerging cybersecurity threats [1:09:08]
- Artificial Intelligence [1:10:04]
Companies and people that were mentioned:
- Amazon [50:36]
- AWS 
- Bitcoin [44:48]
- cleverDome [26:15]
- eBay [1:01:41]
- Equifax [18:01]
- FCI [00:09]
- FINRA [3:49]
- NAIC [6:50]
- New York DFS [3:07]
- OCIE [6:02]
- Ring [54:52]
- SEC [3:48]
- Staples [20:42]
- Voya Financial [13:07]
If you are interested in more information about some of the topics Brian and I discussed, these blog posts would be useful:
- Is CleverDome the Holy Grail of Cybersecurity?
- FundFire: Wells Fargo Data Leak Shows Risk Goes Beyond Hackers
- The Ultimate Cheatsheet from the T3 Advisor Conference
Complete Episode Transcript:
Craig: Brian so as CEO of the cybersecurity firm I know you were talking about before we started about how you build a culture of cyber experts can you expand that a little bit?
Brian: Well again you know my role as being a cyber expert and CEO are very different. On the CEO side, as a former financial adviser we run our practice very much like an advisory practice and it’s about our internal culture as well as just some of the key ways of attracting and recruiting really talented people to serve our clients.
Craig: Well I wanted to ask you about the what I think is that there’s there’s an Armageddon coming. Cybersecurity mainly because firms are somewhat aware but they don’t see the importance of cybersecurity in their business. Would you agree with that?
Brian: Well I agree with that 100 percent for those firms that are not prepared for those firms that haven’t taken any time to follow what the regulators are asking of them. For those people that have not developed the culture of cyber security those firms that have not done those things will face an Armageddon.
Craig: What would you say the percentages of firms that have not prepared?
Brian: That number in the last couple of years has significantly changed. Certainly New York DFS seem to be the most influential in getting firms up to action and that’s simply because in the NIS based model which is an evidence based model. You’re no longer testing to and being held to a standard of attestation which simply means if you tell me that you’re cybersecurity you are. And In this model it requires evidence of it.
Craig: When you say evidence what do you mean by that?
Brian: Within the series of the regulators the SEC and FINRA New York DFS they’ve outlined exactly what you as a firm are supposed to be doing. And within that they’ve defined the evidence requirement. So for example if you say you have an information security policy and it’s written they’ll simply ask for the information security policy to be printed out. And that’s evidence that says you can print it or not print it as opposed to the prior standard of attestation which says Do you have an information security policy the adviser may say. Sure I do. And then they go on to the next question. They don’t do that anymore.
Craig: OK. So evidence could mean just printing out your policy. Or is it more than that?
Brian: No it’s exactly those types of things. How do you evidence things like I have a commercial firewall so you can take a picture of it. You can log into it and demonstrate that it’s properly licensed and has the right security tools. Those are the types of evidence that would suggest that almost everything that you state. Anything you attest to has the ability to have evidence behind it.
New York City DFS
Craig: Gotcha. You mentioned a New York DFS. Can you explain what that is.
Brian: New York Department of Financial Services took a position following the NIS standard and setting dates and timelines and requirements for all financial advisors that do business in the state of New York.
Craig: Understood. There may be some people I know any advisors in Manhattan would know that. Or in the state of New York would know that. But just wanted to get that out there for anyone outside of the city. Do see this that New York is driving regulations in this area or are other municipalities copying New York or are they a one off.
Brian: I would suggest that many of the regulatory bodies are implementing their own variation of these standards. So we’re seeing things like OCIE which is the Office of Compliance Inspections and Examinations. Actually they were the first to come out with a standard and give instructions on what they would look for during an exam. And when we provided those instructions we did notice a significant increase in advisers wanting to become cyber secure typically before an exam. So they did set the bar before an exam. Advisors are getting secure and going through the requirements that are defined by that prescriptive document that OCIE had provided. Secondly New York DFS says Well now you have to meet our standards and you have to certify every year so they change the language from attesting to certify. And that certainly has changed the bar considerably and now something called the NAIC which is the National Association of Insurance Commissioners who regulate insurance licenses and some other licenses as well for financial advisors has also jumped in the mix and added what’s important to them. And now we’re starting to see the different states like California that also turn around and add in. And when you go Back to the original state which was Massachusetts. They were really one of the first and most progressive to put together some privacy regulations.
How Brian Got Into Cybersecurity
Craig: I’ve seen you at A lot of conferences and we’ve known each other for a while and one thing I wanted to ask was how did you get into cybersecurity?
Brian: Well the reason I got into cybersecurity I was fortunate enough to be raised in a house of a financial adviser and that financial advisor was my mother and in essence my mother had started to work with some very very successful people she was focused on the business market of financial planning. She was helping these businesses with everything from deferred compensation to succession planning to estate planning. I was raised to understand all of those aspects of financial services and in that with those very high profile clients they helped us even back then to standards of their private information because these were very public figures. These were billionaires that if the media or if it had gotten out aspects of their life they would have recourse against us. So really the passion to protect private information was really defined by the importance of those clients that we had that demanded that we keep their private information safe.
Craig: Raised at the knee of a financial adviser.
Craig: She bounced you on her knee as she was doing financial plans.
Brian: And then with that you know the appreciation for the industry and what it did for my family. And the idea of being able to provide a service to protect financial advisers who we all know want to focus on taking care of their clients and having cybersecurity be something that is important to them but not something that distracts them from what they need to do every day which is take care of those clients.
Preparing for an SEC Audit
Craig: Right. So other ways that wealth management firms can prepare? One of the biggest issues besides actually getting hacked is getting audited. So how can firms better prepare for the SEC coming in where they’re giving cybersecurity special attention now.
Brian: Well a couple of key things is number one you have to find a provider that’s familiar with financial services because there are a lot of advisers that go out to the market and they’re working with firms that aren’t focused in financial services. Second thing that you can do and there are three elements to really making sure that you know you have a program in place one of which is to make sure that you indeed have an information security policy. So we talked about that before to make sure it’s in writing and make sure that within that it has and is defined typically into two parts one part is the policies and procedures. So that discusses when you add a new employee or a new financial adviser what are the steps that you use to put them into your systems and what are the steps when they leave that you take them out. Those are policies and procedures. And the other aspect is technical controls which is of the machines and equipment that people are using. Are those indeed safe. Do we have the right equipment to keep our private information safe based off of not only the best practices but what the regulators are requiring.
Craig: Are there specific connections between the policies and procedures and the technology that you recommend?
Brian: Without question. the traditional approach to this is to do a risk assessment which is a lot like a financial plan but instead for cybersecurity. So you’re gathering all your documents. You’re then asking questions observing whether you’re seeing or not seeing those things and then doing some technical scans. certainly the technical scanning component is very very enlightening in that one of the biggest risks to the entire industry is when we talk about the different levels of cybersecurity and the fact that even advisors themselves for years have been attested to by their own I.T. resources that they’re safe and secure and that’s not necessarily the case. So best thing to do if you want to know whether or not your cyber secure is to engage a firm in a risk assessment.
Craig: So when a wealth management firm engages outsources this and engages in a risk assessment, I have some notes from when you spoke at an earlier conference. Does performing a risk assessment put your firm at risk?
Brian: Well it can. If it’s not done right. There’s different parts to the risk assessment. One part is again that policies and procedures and that’s done through a series of questions and evidence and documents that you say that you have. The other part which is the security assessment component which is where you’re doing technical scans and the traditional approach which it really should never be taken is to turn the firewalls off of all the devices so that you can scan them. So we see it where the technical scanning firm to save time and energy on their side because they haven’t automated they put all the machines at risk in order to scan them and that should never happen.
Voya’s Cyber Breach
Craig: Last September the FCC fined Voya Financial a million dollars over a cyber breach. What should they have done to avoid that?
Brian: In our opinion we’ve taken a position that says Voya was taking action to try to get cyber secure. So it wasn’t that they did absolutely nothing. And in those actions they followed the traditional process of a risk assessment. Building your program and delivering your program. Third and the problem that happened with Voya was in the delivery of their program they never got to delivering the program because they either run out of resources or time. Those are the two elements. And if they had reversed it if they had delivered the technical controls first. They would have been able to number one demonstrate that they all of the machines that that their advisors are working off of our cyber secure. Based on the the requirements of those regulations and not just regulations but what keeps the machine safe then they could run a security assessment on those machines and that would uncover things around the policies and procedures that either were we’re not being followed and it uncovers it without an attestation from the I.T. team. So it’s very important that it’s an independent third party team providing those services because of course if it’s the internal team doing it there are a lot of things that the executives need to know that they may not know.
Craig: So they should have got an objective third party and they sort of did it backwards.
Brian: They did it they did it traditional so backwards was the traditional approach. The only reason that we’re seeing a significant change in what we call the upside down approach which is the technical scans first is simply because there is a finite number of technical controls that are required to be on a computer. They should have good Endpoint Protection. They should be encrypted. They should have passwords. I mean these are things that no matter what regulation that you’re trying to to adhere to. Those are called data loss prevention tools. And when you have them in place it just simply means that in the face of an incident if you can demonstrate that at least you had the right technical controls in place then the regulators and the authorities and the insurance companies everybody is willing to work with you. But when you don’t have the technical controls in place what we’ve observed is that we call it the double and triple victimization where because you didn’t have the technical controls in place now you’re required to do things like send out notifications to all clients that were affected. Well think about the reputational damage of doing that let alone the costs. And then you’re also required to hire forensics and when you’re required by the courts to do anything the ability to negotiate price is now gone so imagine being from an insurance and the life insurance background you think about this and you say the risk assessment and the security is all the tools we’re talking about. It should be viewed as the premium. And if you don’t put those tools in place you could be held to the death benefit.
Craig: Yeah. That’s a great quote when a court orders you to do something you don’t have any room to negotiate price. Because everyone knows you have to do it.
Brian: Right. And that’s the difference between having a good cyber program in place and not so if you have a good cyber program in place during an incident the likelihood is you’re in control of how to proceed and make sure that the right thing is done when you don’t have the right controls in place. You’re not in control and again thinking back to a correlation for financial advisors. It’s like dying with or without a will.
Craig: Can you explain a little bit more about data loss prevention tools?
Brian: Data loss prevention tools are one of the aspects that we’re referring to as technical controls and those loss prevention tools are things like everybody should really have a good antivirus program to protect them from viruses. Right. Everybody should have an encrypted computer with Windows 10 pro there’s no reason that you don’t have an encrypted computer. These are things that don’t have to cost money. You turn them on and you simply evidence them. Every machine should have some good settings like they should be patched. So we think back to what happened at Equifax which is one of the the biggest breaches in the history of the world when it comes to non-Private data. And you think about what they missed was a patch so you know things like patch the computer antivirus encryption. Screen Savers that lock along with you know complex passwords on the computer. those are the types of things that you’ll hear about when it comes to technical controls.
Will We Ever Eliminate the Need for Passwords?
Craig: That’s one of my pet peeves is passwords. Coming from a technology background I guess I know more than some people but it always bothers me when I saw these password requirements where it’s eight characters with a letter and a punctuation. But isn’t that not security more based on the level of how technology has advanced and the speed of decryption tools and hacking tools and rainbow tables and other such things now are available to hackers.
Brian: Yeah I think that there is sometimes there are unintended consequences of an approach. At the time. Certainly cybersecurity is advanced so that it’s not an intrusive process it’s actually something you look forward to changing your passwords in 90 days doesn’t necessarily create a more secure computer adding things like multi factor authentication so not only do you need to know your password but you need a device or to be able to let you in to the systems is as really risen as as a great approach and puts a lot less emphasis on the password. So the idea of changing passwords when you have multi factor authentication is not as necessary but what becomes more important and I think it’s kind of interesting when you talk about the length of a password and the upper case and lower case what we’ve been doing as it relates to passwords is helping our clients use the same password. That’s fine for multiple systems with the exception of something we call a pre password. Now the pre password imagine that I’m logging into my account. So i’m logging into whatever financial institution or even if I’m logging into Staples as an example I may start my password with staples as being the beginning of the password. So I put a capitalS. And then I just put the rest whatever whatever abbreviation I want to use. Depending on how much data may or may not be there. So for Staples I might just type staples with a capital S. I put a dash and then I put the password that I’d been using which I can remember because part of the problem is when you can’t remember the password. That’s what puts people that use changing passwords at risk they start to write it down on a piece of paper next to their computer. They start to put it into their outlook account and create a spreadsheet. I mean we know that they’re doing these things and the unintended consequences of passwords and password management has been the exposure of the passwords to either those again spreadsheets that we see being created. So to answer the question around passwords is it’s more important to use a password manager or an enterprise password manager for an office very important to store those passwords. You’re storing passwords in a safe location. It also tracks the logs when those passwords are used. Very important as part of that process. And like I said with multi factor authentication the password becomes a great way especially with that pre-password. If a password does get compromised you’ll at least know as a consumer. Which system it was.
Craig: Shouldn’t passwords be obsolete by now? I mean it was I think five or six years ago I saw a tool on the phone where you could scan a QR code with your smartphone and it logged you in automatically I know I saw that at a conference just last year as well on the banking side and with fingerprint identifiers on your phone and laptops. What are we still using passwords for?
Brian: Well right. So we’re starting to see the use of the multi factor authentication and what we’re talking about the next generation version of it. So when you use an iPhone or an Android and it can look at your face and recognize that it’s you. That’s the form of the next generation multi factor authentication. I do think that passwords still have a place and that is simply to identify any system that’s been compromised. You want to be able to have another form of authentication and a password. What you know in your head. It just becomes less important whether or not the passwords themselves are compromised. It becomes an indicator of the system being compromised.
How to Balance Security and Convenience?
Craig: One thing I’ve heard it. we work with a lot of broker dealers and banks and one thing I hear from advisors and people representing the advisor side of the business is that cybersecurity is inconveniencing them that it’s making it harder for them to do their job. Which you could respond well would you want to be hacked which is more important having. Which would you rather have a couple more steps and a few more things to go through versus having all your data hacked? But how do we find the common ground between enabling advisers to do their job and be efficient and effective but still do it in a secure manner?
Brian: Well that’s that’s exactly what we’ve been focused on for the last twenty eight years making sure that advisors can be cyber safe but not be the cyber experts making sure that we’re selecting tools that create that next generation feel where you start to feel safe as opposed to being inconvenienced. So anybody that’s out there that is feeling like they’re spending too much money on cyber it could be that they really have to take a look at that. But cyber should not be overly expensive. And in addition the way it’s delivered needs to be seamless so that the end user isn’t being inconvenienced by cyber and the tools that are being used are tools that we described that leverage. For example your phone or device in order to get in. So today if somebody were to say that cyber was expensive and inconvenient the likelihood is they’re using older tools.
Craig: You mentioned earlier reputational risk if the firm is hacked and you have to send out communication to all your clients. Which was never good for any firm’s reputation. What about managing third party risk all your other vendors and were getting more and more outsource services more and more online services. How do you manage all the risk of all the third party services that a typical firm’s using these days?
Brian: Well some of the most important things are to use best of breed. So make sure that you’re not taking any risks of your own. Find out what your peers are using and always leverage the best of breed software that’s out there. That’s at the various conferences that we’re at. Those those companies have invested time and energy in protecting. And are also passionate about protecting this space. Secondly the vendors have to go through the same process that a firm has to go through. So once they go through a risk assessment there’s a lot more clarity around the types of questions you might want to ask a vendor that you learned in your own risk assessment so do you have people accessing our data where are they accessing it from? Are they from within the United States not the United States. Where’s my data housed. What does our agreement look like if you have a breach. How do I know that you’ve had a breach. these are all questions and the more questions that the advisors and the community can ask. I also like the initiative of cleverdome. This is one of the areas that I think are very inefficient that we need a centralized service like clever dome to go out and reach out to all the vendors and collect this data. Ask the right questions because if the advisors don’t know the questions they ask and somebody has to. Why not have an organization that’s doing that for us and then we subscribe to that organization and ask them to vet out our other vendors that might have access to our non-public information.
Craig: I’ve written about cleverdome on my blog but many people may not know what it is can you give a quick 30 second overview of what clever dome is what does it mean and what does it mean to join it and be under the dome.
Brian: Well clever dome and its mission is really what attracted me to it which was to protect the financial services industry and to collaborate on how we do that. As a community. Clever dome is a B corp so it means that it’s required to have a community impact which says their community mission is to protect the financial services industry. Now they’re doing that through three separate initiatives one initiative says Can somebody just give me an information security policy that I can adopt and adjust it a little bit. But let’s make that part a lot easier so that. Not every firm is out there doing their own information security policy that works well for both the firms because now when you join clever dome you get that policy. So now instead of having to invest in legal you can actually take this and like everything else with the lawyer the more prepared you are upfront the less your legal costs will be. So we’re not suggesting you just blindly adopt it but certainly suggesting that clever dome is defining a standard of technical controls on the machine and good policies and procedures for financial advisors. So that’s one. The second component says in this third party discussion you know if all advisers reached out to these small firms and imagine how many of these small entrepreneurial firms that cater to the financial services adviser. To create that efficiency to create a value proposition for that adviser to the client and imagine those smaller firms having to then hire. So many resources to respond to these requests they’d have to make a decision do I respond to these cyber requests or do I improve the product and when you see that happening where the money that’s being invested is in cyber. I think that’s going to have a longer term impact on innovation. So with clever dome doing that once and then distributing it to the advisers who are members that’s a great service. So you turn to them and say I’m using this vendor. They say great. We have their security information already. Here’s their security package. You take that you put that in your cybersecurity folder and now we’ve saved time and energy across the whole industry all over the place from the third party vendor to the advisor in their office not having to do all that work by themselves especially without the experience of doing risk assessments on third parties. And the last part of clever dome says that with these integrations that we see happening there’s the unintended consequences of cyber. Again it shows it’s head and now all of a sudden we say OK well we have to protect that data especially when we have a connector between two vendors. we have to make sure that the data throughout the lifecycle of that data is protected all the way through. So you can have one cyber secure vendor. And now suddenly you’ve got another vendor that doesn’t have the resources and are less cyber secure and now the data is exposed. And everybody’s in trouble. So what clever dome says the third piece of what clever dome is is really defined is something called a software defined perimeter. It means that if we can take the information that is being shared among vendors and advisors and take it off the open Internet. That the likelihood of having that data compromised would be significantly reduced.
Craig: Seems like it’s a big time savings for everyone especially on the legal and assessment side.
Brian: I mean the value is in my opinion. since I’ve seen it soon as I heard about what they were trying to do and that’s why I’ve spent a lot of time helping them giving them whatever insight in my 28 years of experience that I can give them. And the reason for it is because if it saves the industry money and time and reputation and all of the good things that it can do I really don’t see where there’s a downside to what a clever dome. I don’t see any downside to what cleverDome is doing.
Craig: What about social engineering? How can firms do a better job in education of their staff to avoid social engineering phishing attacks and other such ways to break into firms data?
Brian: I think that when we look at the regulations even the O.C. regulations and one of the very clear guidelines is around education and we say OK you know people have had their head in the sand for so long and we take our head out of the sand and start to talk about this stuff. It doesn’t become as scary anymore. And the example that I sometimes will give is has anybody received their check from the Nigerian prince because I’m waiting for mine and everybody laughs. But the way cyber works is they’ll laugh at that now because ultimately they’ve shared it and they educate themselves that the guy is never going to send money. the idea is you’re supposed to receive the money not send them money yet people were sending in money now. These scams work for a little while. All of them do until everybody starts to educate or talk about what they’ve seen. So things like Hey I sent you a bunch of documents. Are we going to fall for that hopefully not. If you weren’t expecting those documents you shouldn’t be opening them and these are great conversations to have with your staff and even your clients for that matter because it develops that culture. when we talk about the CEO role before and I’m a cybersecurity expert and CEO role I navigate to the culture of cybersecurity as being a leadership role. It’s what every adviser should be doing and leading their own organization. And not that they have to be cyber experts just they have to lead the conversation. So as a CEO if you were to add to the agenda of a staff meeting discussions on cyber. What has anyone seen or heard or gotten from home. You know those are things you want to share because the more that we’re alert and aware of these things the less likely they are to have a breach. Now we talked earlier when did we see the financial adviser get motivated. We said with OCSI it was when they were going to have an examination or with New York DFS that’s what they had to certify at the state. There’s another element that we need to make sure we understand and that is if one client were to complain about your firm. The authorities are notified and when the authorities come in no different than the regulators when they come in no different than examiners when they come in. They’re going to come in and ask questions. They’re going to look for evidence that you have a couple of things one is that you have a cybersecurity program. Two that you have a culture of cybersecurity. this was the problem in the Voya case. They had a program. They just didn’t have it rolled out yet. So you want to have that culture of cybersecurity and do you have the right tools so when a regulator comes in or when the authorities come in because a client complain. They’re going to be looking for evidence of these things and if you have it you control the incident. And when you don’t you become that double victim. You now have a client that complains and look their data could have been breached in the Equifax that could have been breached in a thousand other breaches that happened out there. But they’re pointing at you. And if they’re pointing at you and then regulators come in and they don’t find what they’re looking for then you can expect to be fined and you can expect to be required to notify all of your clients that you’ve had an incident and you can expect that you’re going to have to hire forensics and you can expect all of the bad things. And here is even the worst part. Even if you bought a cyber insurance policy when the cyber insurance company takes your application and money they don’t look for evidence at that point. You know when they look for evidence when you have a claim. And if we’ve all experienced this from commercial insurers and it’s in their policies. They have policies and procedures that order for you to effect coverage. You also have to follow. So imagine you have an incident and you don’t notify the insurance company. They can deny the claim and they have every right to imagine that now you did and you notified them but now they come back and said Well on your application for insurance. You said that you have the appropriate technical controls in place. You have good data loss prevention tools. Can you evidence that? Can you show us that or you said? You had a cyber program in place. we want to see it. So they start to ask these questions because the representations were made in the application for insurance. They have the right to ask these questions. And if you can’t evidence it you now become that double victim.
Craig: So it makes no sense to sign up for insurance if you’re not prepared. in every other way.
Brian: It makes no sense to sign up for insurance. Fill out an application that you can’t evidence in that application. So if that application says that you have a commercial firewall take a picture of a commercial firewall and put it in your insurance application for the protection of the firm. So whatever the answers to the question don’t allow an insurance professional to fill out that application on your behalf just to get you the coverage because all that does is it gets you to pay a premium but you may not have coverage.
Craig: Because when you actually have a loss they’re going to come in and check and find you would never really covered.
Brian: They have the right to request evidence of cybersecurity. When it went to the NIS model it became an evidence-based model. So in the old model the attestation model that was fine everybody was believing everybody and that’s the way that model works. So if you said your computer was encrypted the insurance company didn’t they ask that on the old standard in the new standard because it’s an evidence based standard. They will ask for that evidence at the time of an incident.
Bring Your Own Device (BYOD)
Craig: What’s your opinion on bring your own device BYOD. Is that something firms should be doing. Can it be secured. Is it inherently unsecure. What do you think about it.
Brian: It’s a great question and this has been something that a lot of the enterprise technology cyber experts have been faced with. especially with an independent sales force there is a lot of challenges in two different approaches. One approach says no BYOD. So I’m going to issue you a computer from my financial institution and you can only use that computer to conduct business with us. Well the problem is that you inherit then a lot of I.T. type services. You inherit a lot of services that your firm may or may not be prepared to use. And here’s the worst part. The advisers then don’t really use it for anything other than working with you. So they have two computers. So you’ve doubled your attack surface. When you issue a non BYOD. So imagine I now have my own device and my corporate device and I’m operating on both of those. So that’s not the best approach that we’ve seen the best approach that we’ve seen is to allow an adviser to use one device whether it’s corporate issued or not. Make sure it allows them to operate. Successfully. And secure it. Properly with the tools that are available today. So do I think that adding a enterprise device and not allowing BYOD works. No. I think that you have to secure any device no matter where it is. if it has access to the private data of the enterprise.
Craig: Can you explain for those uninitiated in the technology of security what is an attack surface?
Brian: Well it’s a great question. So your attack surface, the various different devices that you use the more devices the larger your surfaces. So if I’m using one cyber secure laptop and that’s all I use with one phone that’s probably your smallest attack surface. So if I secure both of those I’m good. But if I now start to add another Ipad or another tablet device and I add a home computer and I add a laptop computer now I’ve got three devices where I take an Apple computer and I put in a Windows virtual machine in it. these are all things that increase the attack surface meaning the amount of systems you have to maintain. So cybersecurity is focused on a device level protection. and a user level protection. So you’ve got these different layers you’ve got the user and you’ve got the device and because you add more devices the quantity of devices you’re protecting increases that attack surface.
Craig: This is an area that I think a lot of firms don’t want to think about and don’t want to talk about. But what about insider threats. When you’ve got someone inside the organization that’s looking to attack them looking to cause damage not physical damage but cyber damage digital damage. maybe a disgruntled employee. What can they do. What can firms do to avoid those situations.
Brian: This is where those policies and procedures become so so critical. And it really is about not only the technical controls but policies and procedures. When somebody comes on board are you giving them access to everything or are you giving him access to only those things they need to do their job. And what monitors do you have in place in order to make sure that somebody didn’t hit the button. And download all of the client private data right to their computer and then send it off on an email system that’s their private email. So these are all important things and I think you’re right I think that a lot of attacks are disgruntled employees. And we need to make sure. And again this comes back to the policies and procedures because as a firm if you haven’t provided to your employee what it means to be cyber secure in a document then ultimately you could be at risk for them doing those types of insider thing, Insider actions that put the firm’s data at risk. And yet the firm would be held accountable not the individual. So imagine that. You have an employee who takes an action against your firm to end your firm and when it comes down to it. As a firm you’re the one that’s going to get in trouble and fined, not that person who stole the data.
Craig: I don’t think many companies realize it.
Brian: I would venture to say that almost every one of them don’t really. I mean we work in an industry of a high amount of trust in the people we hire. So the idea that and this is when we talked about a culture of cybersecurity and what they’re talking about is the importance of these discussions because take that same scenario right. And now as the CEO and leadership of the organization we’re committed to having a culture of cybersecurity and we talked about the things you can and can’t do. Now all of a sudden I’m covered for that right. So we have a staff meeting and we say in the staff meeting does everybody understand one of our jobs is to protect our client’s private data. And that means this this this this and this. Well now we’ve had the discussion now we’ve had it in a public forum. Now it’s part of our culture. If that same scenario where you had somebody internal who stole the data and made it available on the Dark Web or wherever they did and it came back to you. You’d at least be able to say no. We have a firm that is and has a culture of cybersecurity and every single member of our team knows that it’s wrong to steal the private client data of our clients.
Craig: Yes some of those things you think would be obvious to people but they’re probably not.
Brian: And that’s exactly what I mean about cybersecurity does not have to be expensive what does it cost to add the discussion of cybersecurity onto your your staff agenda.
Craig: Shouldn’t cost much.
Brian: It’s free. You’ve got to open up the dialogue. That’s the most important thing is this is a scary topic and most people put their head in the sand. But as soon as they start to talk about it and have discussions and bringing in what they’ve seen at home and there’s a recent thing going around where they send you an email and it says I watched what you did last night and I’ve got video of it and I’m going to post it on your social media if you don’t send me [00:44:48] bitcoin. [0.5] The first time that comes out the person is really scared. And then as we see it more and more and we’re at the center of a lot of these attacks. So when people see these things fortunately as cyber and we’ll talk a little bit about the different layers of cyber but we are a cybersecurity security operation team. So it means that where any incident and this is where you know when you have a really strong cyber team is at the time of an incident. But the question is is the incident being handled in a way that protects the firm. What that means is whenever there’s an incident in the industry we get to see it because we are in so many different firms cyber team.
Craig: I saw some stats that. Most internal frauds are still committed by junior staff and middle management but there is some senior management involved.
Brian: I absolutely see it at the senior manager level. And sometimes it’s not even intentional. in the old days if you think all the way back to AOL and you think of all the incidents that took place because of AOL. AOL was where we were getting our own personal e-mail and imagine the CEOs of these companies were all using AOL at the time. And the cyber experts on your teams and the enterprises have such good cyber teams. These are guys that think about it all day long. And all of a sudden they’re being commanded by the executive leadership to open up the ports to allow AOL to be usable. And when they do that they put so many enterprises at risk. That’s just an example of an executive making a request for something they want. That puts everybody at risk. So we see that happen unfortunately more than we’d like to.
Craig: That goes back to the convenience versus security debate.
Brian: Right. And that’s why with the new tools out there like you were talking about being able to look at your phone and how convenient it is when you download the banking app that you use and now it says Do you want to get into next time using your face and you say yeah. And the bank has made it so convenient you just click on the link and you get right in and it knows it’s you. That’s an example of the next generation type of cyber services. But what you need to also know is that there’s a lot more to that than just letting you in at the time that you try to get into the app. It’s also knows your geo location. So it’s adding that to the ability to protect you. So if you’re sharing your geo location with the bank and all of a sudden they get a charge from some other location they know that that’s not you. That helps with the ability for that bank to add artificial intelligence to solve a really big problem which is the first part of this cyber thing was to try to extract money and that side of cybersecurity is not where this Armageddon. that we’re talking about takes place Armageddon in cybersecurity is simply a unprepared financial institution and or advisor that has an incident that they’re not prepared for.
Protecting Client Privacy
Craig: So that leads into my next topic which is protecting privacy so having geo location on our phones so every app we’re talking to knows where we are at any point time and wherever we’re logging in from Web sites are asking for location information. How does protecting users privacy both advisors and clients link into cybersecurity or cybersecurity assessments of cybersecurity policies?
Brian: It’s kind of an interesting thing it’s become a question of the good side or the bad side. And what they’re gonna do with that private data do I care that my back knows where I am. Because they’re going to protect my money. I’m OK with that. Do I care that social media app knows where I am. Well in that case I don’t want the social social app knowing where I am. So within even the devices you have the ability to simply google it to control who has access to where you are and who doesn’t. And when. So it really is important when it comes to the data privacy and the privacy we want to customize our privacy to what is OK and acceptable for us. In some cases we can say OK I don’t want them to know anything. Well if that’s the case then you’re going to have to know that your protections are less. And be OK with that. And in other cases where I use my GPS. I don’t let it know where I am at all times only when I open the application it’s the only time I want them to know where I am. So it does two things One is when you are able to go in and set the settings for privacy on your devices. You also get better battery life by doing it. So it makes a lot of sense to really master that part of it as well.
Craig: So people should pay more attention to their apps on their phone and what access they’re giving to different pieces of data about them.
Brian: And the devices. It’s kind of scary to me that there’s this idea of single sign on. The other day I had an experience where I have an AWS account which is Amazon Web Services it allows you to create. a server and put private data on it and do all sorts of great things within Amazon. I also have an Amazon account same log in. That gets me to be able to order anything I want online and it shows up the next day. Amazon Prime great example. Now I go out and get the Amazon reader out there and my daughter gets it and I have to log into that reader in order to set the parental control. So again it’s that same account. So now I’ve got this one account that’s accessing all these different systems. And it really becomes a question of just being aware and knowing how to navigate these things so that you don’t end up with a much bigger breach than not being aware.
Craig: Because they only have to break into one account to get access to all these different services.
Brian: Right. And I noticed it as soon as I logged into that device and all of a sudden I looked at what I could see and I’m like well this is on one hand a great convenience on the other hand as a cyber expert. I looked at it and said no. And I had to go in and I had to educate myself on where to set the settings not to allow that to take place but the default allows that.
Craig: Yeah there’s so much to worry about. I know in my family I become the I.T. person and I’m constantly getting calls from family members what do we do about this and what should we do about that. And I don’t blame them. It’s just very complicated for even someone. I’ve got a degree in computer science and some of these things are amazing to me to try to figure out how to get access to some of the screens and how do you turn off the different access of knowing where you are. The geo location some apps don’t make it easy to find. Some apps don’t make it easy to find where your privacy settings are. So it’s certainly complicated and getting more so.
Brian: And what we’re seeing which is a very different approach used to be that all these settings were there and you had to turn them on. We’re starting to see the opposite they turn it on. You have to take an action to turn them off. So we are seeing a great response in that. But again through this education and even the discussion like we’re having now. The question I have for people is where do have your Alexa device. Do you have it in a place where you’re discussing private things. Or do you have it in a place where it’s public and everybody knows it’s public. Something as simple as that. The idea that people are so willing to plug anything into their networks. Again one of those major risks out there that say Do you know what’s plugged into your network. And if you don’t. That would indicate you probably don’t have a cyber team.
The Danger of Alexa and Voice-Activated Assistants
Craig: Do you think advisers should not plug in Alexa into their work network?
Brian: Well I would tell you that Alexa is a best of breed application from What I would say is a best of breed provider. So you’re dealing with Amazon and their resources at Amazon and you’re dealing with a company that really is focused on keeping that device secure. So I’m less concerned about an Alexa but I will tell you that Alexa You have to assume is listening to everything you say. So I’d be very careful where I had the Alexa device as opposed to some of these other devices which are less known and they can get us to plug them into their network because they do something cool like hey I can plug this into your network and I can turn a light from orange to blue. who made it. Are they. Best of Breed. Are there any reviews on what I’m giving them access to. So you see these refrigerators even the Ring doorbell. for the doorbell great example of They’d become a best of breed provider. But in the beginning who were they. And we’re just letting them plug in. So very important to trust but verify is probably going to be the best way of looking at these things because we don’t want to live a paranoid life either.
Craig: Yeah. How do you find the balance. You just quoted Reagan “trust but verify”.
Brian: Right. And I’m very happy To quote Reagan I think that he had a lot of very insightful messages. he’s a great public speaker and I think that’s the right approach. You want to be able to trust. Best of Breed but also verify and again You’ve got to focus also on settings not just the tools that we’re using. So it’s a combination. It is a culture of cybersecurity now. One thing that we probably need to discuss no different than there are different disciplines in financial services and if I ask somebody in financial services that’s in a different discipline than the answer I get from them. I need to know that that’s the answer I get from them right. So we have advisers out there that are planners a lot of CPA that do pure planning and they know everything about planning but they’ll also get involved in investing and insurance. We’ve got other people out there that are great investment advisors and that’s their primary but they’ll offer some planning services and maybe some insurance typically term insurance. And then you’ve got insurance advisors out there. And what I’m getting at is that it’s all financial services but not everybody does the same thing. So in cybersecurity those roles are defined as the I.T. cyber the passive cyber and the active cyber now FCI is an active cyber security company it’s an independent third party that checks on the other two but those are all three very important disciplines in cybersecurity so very important for people understand cyber takes on a lot of different dimensions and when it comes to technical controls those are the three different disciplines. You have to be aware of.
What Data Should Be Encrypted?
Craig: We were talking about privacy and data security goes along with privacy of course. So what data should be encrypted and what’s the right level of encryption for that data.
Brian: I believe all data should be encrypted at 256. And that’s the current standard that is available. It’s also the same standard. That’s made available inside of Windows 2010 pro if you set it right. It’ll be 256. But encryption is one of those words that we just have to be clear there’s encryption at rest and encryption in transit and those are concepts that ultimately have a different answer. Certainly when a device is encrypted that’s encryption at rest and that’s where the bit Locker and The File vault and those types of systems make sure that those files that are sitting on your hard drives are indeed encrypted. And if the device was stolen in any way we could lock it down or make sure that no one ever had access to that data. The encryption of transit is a little more challenging. encryption and transit has more to do with your vendors and observations as to whether your vendors are cyber secure. So those are done through certificates and some other methodology to make sure that when you’re bringing data from your financial institution or vendor down to your computer that that process is indeed secure and then you could really mess things up. If you go to an open Wi-Fi and you start to download and log in and do all sorts of things by opening yourself up. So when you’re connecting to an open Wi-Fi. That encryption in transit is compromised at that moment. So very important to understand the distinction encryption at rest and encryption at transit.
Craig: You mentioned 256 for the non-techies listening. What does that mean?
Brian: Encryption like the original Enigma Machine is where they’re changing the Data in a way that has to be decrypted. So the encryption side they change the letter A to a one. And on the decryption side they have to know that one is actually equal to an A. So that’s kind of a simplistic approach to the whole decrypting encrypting process. Now the further that you go out when you go out to 256 bit that means that that same A is not a one. It’s 256 characters it’s a lot more characters that are associated to it in order to bring it back to the letter A. So it just has to do with the level of computing that would be required. To crack into the system. or the data.
Craig: So a higher number of bits of encryption is more secure than a lower number?
Brian: It’s harder to decrypt.
What is the Dark Web?
Craig: You mentioned the dark web. This is something people hear a lot about. They read a lot about what what is exactly the dark web?
Brian: The original monetization strategy of cyber security was to take the data. For example if I can get a financial adviser and I can get to all of their accounts I could start to make phone calls to the financial institutions and try to get them to withdraw money and put it into accounts that I have control over right. So that was the old style and in that old style it was very easy for us to see how they were generating money. But what happened is the financial institutions got wind of this and figured out OK. Typically using multi factor authentication they’ve really done a lot of things to protect the money. So what emerged is this thing called the dark web and it’s simply a marketplace. It’s an eBay if you will for cyber criminals and they can take data and sell it on the Dark Web to somebody who knows what to do with that data.
Craig: So it is not a place that anybody can go. They don’t worry about stumbling upon the dark web when they’re online.
Brian: Well I would suggest that only cyber experts go near the dark web on your behalf. Because the people that are involved in the dark side of the Internet. Are very dangerous people. And these are not just individuals anymore. These are state sponsored. So these are these are other governments with billions of dollars. And they figure out ways to get you to click on links and figure out how to turn that into dollars. So that they can have it be a good return on their investment. And certainly in their interest in things like being able to shut down financial systems electrical systems all that kind of stuff. But outside of that the ability to generate money. In one case we had a client who was using a shredding company and that shredding company had a rogue employee that was selling the scanned service documents to the dark web.
Craig: The scanned service documents?
Brian: Imagine that you have a whole bunch of service documents inside of your folders your client files. You know I I was a financial adviser back in a day where we kept the client file next to our desk and every time there was a service request we had to fill out a form and send it to the institution for a withdrawal a transfer whatever it was. And imagine that you now are following the cyber regulations or the data privacy regulations it says you should go through your client files from time to time and throw those documents into a shredding bin. I see this in a lot of firms. They hire a third party shredding company and in a lot of cases they don’t actually go out there and watch the documents get shredded. They’ll actually have trust in that shredding company and the shredding company will take the document to the box they take it and they bring it into their truck and some of them will shred on site which I recommend and others will shred at the “home office.” Well in this particular case this was a franchise version that. They literally took the documents. And sold them on the dark web.
Craig: Now I see, before they were shredded.
Brian: Right. So they actually weren’t shredded what the company actually did was they created duplicate bins. So imagine how crafty they were. They actually created a bin that looked like the bin. You just took it out so you now have two bins that look exactly alike. So you bring the second bin and that’s what they did to this client of ours. They brought the second bin. as if it were just shredded and they brought that inside and put that in as the empty bin. But the actual bin was sitting in the truck and it was not shredded.
Craig: That’s a whole different, that’s not even cybersecurity, that’s just physical checking on your documentation.
Brian: Cybersecurity principles extend well beyond just the electronic form. And what always is the case is the assumption it’s going to be a cyber attack. And that’s exactly what the broker dealer in this case assumed. That you’d say well how do you have all this data. how do you know that this took place. how would you do that. Well they had stolen some money. And as a result we had the privilege of working with the FBI. So we got to watch. As the authorities came into this advisor office and they were coming in with one of two things to do that day. They were going to shut down any office period. Or they were going to help the client. And get to the bottom. Of what happened. That’s how we found out all the details about the shredding company and the fact that this was a franchise business that took those documents sold them on the dark web got paid a lot of money for those documents. And now imagine as a firm all of your clients are starting to get withdrawal requests. And you’re getting inundated with calls from your clients that are asking what’s going on and how could this be taking place.
Craig: Situation you don’t want to be involved in.
Brian: Well in this case it worked out exceptionally well. this is a firm that had been a client for many years and always asked Why am I paying this cyber firm to watch over. So leadership really didn’t understand why they were spending money on a cyber firm. So the reason it worked out well is because they had a cyber team. So the first thing that happened is the FBI shows up on site. And what do you think they asked for.
Brian: Right. They say Do you have a cyber program? So our client probably breaks out their document and hands them a document which is their information security policy and their incident response plan. And the incident response plan was clear because we had called them in so the client had called the FBI in not knowing that if they didn’t have that document again it would be a second victim. the FBI was ready to shut them down and told them so. The second thing they asked for was OK this is great. You have a program do you have proof of technical controls. We hand that to them. It shows that all the machines are encrypted. All the machines had virus protection and they were all patched it showed all the things that the FBI wanted to know. And then the next thing was the FBI turned around and the client. Very smart. They went back to the FBI and said Did we miss anything. Is there anything we should be doing that we’re not thinking of. We’ve educated our team we’ve done all these things. We’ve got a risk assessment. We’ve got our policies and procedures. We’ve got our technical controls. Anything else we can be doing. And the FBI guy says no to everything you can do and do that and they said OK we’re gonna help you.
Craig: That was nice.
Brian: Well they they ended up finding out about the shredding company in the meantime we notified the broker dealer who treated it as a cyber incident and sent notifications that process was really scary. And I understand that not all broker dealers know how to handle a cyber incident so they get panicked but you’ve got to remain calm and you’ve got to get all the facts and you’ve got to follow a process. they have a thing called an incident response plan IRP and in that case I can tell you with absolute certainty the broker dealer was not prepared.
Emerging Cybersecurity Threats
Craig: So we’ve covered a lot of ground in this call. One thing I want to ask you what are some emerging threats. What do you see in the future. I mean you’re the cybersecurity expert. What could be coming down the pike in terms of emerging cybersecurity threats.
Brian: Well one thing is the physical equipment threat so that’s what I’m saying about things that are plugged into a network that you don’t know enough about. So that is one of the biggest threats because it’s overall only easy and not detectable in a lot of cases that something is looming in your network that you don’t know. So a big threat is to know everything that’s plugged into your network and know if it’s plugged in behind your firewall then your firewall isn’t going to do a great job at identifying. That’s one of the big threats out there.
Craig: What about artificial intelligence? We’ve seen artificial intelligence being used for good monitoring data looking for your credit card company watches your transactions and compares them to known fraud patterns. But could hackers be using artificial intelligence to do a better job defeating these?
Brian: They are they actually are. They’re using a tremendous amount of artificial intelligence and so is the good side. So you think of cyber security. There’s a good side and a bad side. And I will tell you that the good side is defeating the bad side but the bad side always comes up with new and interesting things like using artificial intelligence. So imagine that you’re sent an e-mail and the e-mail turns out is one of these scam emails but they’re not really looking at whether or not you care about this scam and fall for the scam. That’s not what they’re looking for. They’re looking to see that you have an active email address and now they can start to think through and look at things and be very careful of anything that gets installed on a computer. So again the importance of virus protection you open up an email a PDF a word document. These systems are filled with something called the payload. Which is where the ability to leverage something like artificial. Intelligence become so handy. So imagine your device and I don’t know if you’ve noticed this but you could be talking about a song in front of Alexa. And the next thing you know you go to your computer and it’s like up on your computer it’s like how are they. Connecting these things. That’s all part of that artificial intelligence. They’re trying to help you and be convenient. But imagine that could be used against you as well.