The Cybersecurity Risk Pyramid shows small to medium-sized financial services firms how to cost-effectively deploy limited IT resources to protect their clients’ most sensitive data. We break down the five top risks — which are probably in the reverse order from what you expect.
Cyber thieves target SMBs just as much as large companies now, and financial services firms are at particular risk. Look at this sector through a cyber thief’s eyes, and you see three good reasons for this:
- Financial services such as accounting, retirement planning, and insurance create a rich cache of personal financial information.
- These businesses routinely transfer money electronically to and from a variety of sources, often with transactions initiated via email.
- SMBs don’t have the resources that larger companies can devote to securing their IT infrastructure.
If you’re responsible for your clients’ sensitive data — and/or for risk management in general — I recommend the Cybersecurity Risk Pyramid as a useful guide for planning your cybersecurity defenses.
Rank Risks From Most Likely to Occur to Least Likely
Risk pyramids are a familiar concept to those of you in the financial advisor world. For retirement planning, at the pyramid’s base are the safe gotta-haves like a 401(k) and/or pension, and at the top are the more speculative nice-to-haves like stocks.
A great example of a cybersecurity version comes from Dave Jones, IT manager for the CPA firm Pearce, Bevill, Leesburg, Moore, P.C., in Birmingham, Alabama.
(We first worked with Dave for our post, “8 Cybersecurity Trends Experts Reveal for Financial Services SMBs.”)
Dave, a 20-year financial sector IT veteran, laid out a Cybersecurity Risk Pyramid in an article he wrote for CPA Practice Advisor. We asked Dave to walk us through a slightly updated version:
The Cybersecurity Risk Pyramid
First, we’ll summarize each of these five levels of risk your business faces, and then we’ll detail the nine interlocking strategies for addressing these risks.
LEVEL 1 (MOST COMMON) – Social Engineering
Social engineering attacks exploit human error, and one threat accounts for most of them: phishing.
“Phishing is responsible for around 70% to 90% of all malicious data breaches, and most companies probably spend less than 5% of their budget on it,” says cybersecurity author Roger Grimes.
In addition to writing 10 books, Roger has been a computer security columnist for CSO and InfoWorld magazines, and now works as a “data-driven security evangelist” for KnowBe4, an IT security awareness training company.
Roger and Dave concur that phishing emails deliver almost all ransomware and other malware, and phishing has graduated to more sophisticated and harmful crimes (see Level 4).
LEVEL 2 – Hardware Loss or Theft and Password Compromise
If you have employees using laptops, tablets, and phones on the road — at clients’ offices, hotels, coffee shops, etc. — it’s inevitable: Some of these devices will be lost or stolen.
Mobile devices with weak passwords and unencrypted data can get your business into big trouble quickly, Dave says, especially if your employees typically keep clients’ sensitive financial data on those devices.
LEVEL 3 – Malicious Web Advertising and Drive-By Infection
You don’t actually have to click on infected links/attachments in emails to unleash malicious code onto your computer.
Some web pages are infected with “malvertising” or “drive-by download” coding. Simply open that page with your computer or phone — and boom! — the bad code jumps on board. It helps hackers find an easy way into your data, and then into all other networked devices.
That easy way, according to Roger, is most often through popular software that hasn’t been updated regularly, so its security patches are out of date (Adobe Flash, Java, and web browser add-ons are typical targets).
Dave estimates that about 99% of your cyber threats will come from these bottom three levels. But don’t let that estimate fool you — the remaining 1% of attacks can still easily total several per month or more, and it only takes one successful attack to do catastrophic damage.
LEVEL 4 – Electronic Business Fraud
The goal of many Level 1 phishing attacks is to identify companies that regularly transfer funds electronically, so scammers can build “spear phishing” attacks against them. These are fewer (and thus on Level 4) but more sophisticated than regular phishing.
Spear phishing is a common tactic in a type of electronic fraud called “business email compromise” (BEC) attacks.
Trend Micro tracked 9,291 BEC attempts in 2018 Q1-Q3, a 46-percent increase from the same period in 2017.
Dave says BEC attacks can slip past antivirus software because they don’t include the telltale links or attachments. Instead, they use information available on the company’s website or on social media to dupe employees into surrendering login IDs and passwords.
With that information, scammers impersonate CEOs, CFOs, or other executives to pressure the employees who normally handle wire transfers into sending payments to accounts controlled by the scammers.
LEVEL 5 (LEAST COMMON) – Network Firewall Attack
Not all data breaches result in theft of data; a breach can simply be the accidental exposure of data. But the kind of breach that makes the headlines is when criminals deliberately break through a network’s defenses and harvest data.
Dave puts it atop his pyramid because, although it gets all the ink, it’s simply not as prevalent as the threats lower in the pyramid. So, although an SMB’s cybersecurity program should protect against firewall hacks, that shouldn’t be the program’s main focus.
Nine Layers of Cybersecurity Protections for Financial SMBs
We’ve combined recommendations from Dave, Roger, and TechGen into nine layers of cybersecurity protections.
With all nine in place, you’re protecting against all five levels of risk shown on the pyramid, but at the same time, you’re concentrating your cybersecurity resources on the most likely threats in the lower levels.
1. Employee Training
The majority of risks illustrated by the Cybersecurity Risk Pyramid stem in some fashion from human error. That makes training the most important protection of all. Phishing simulations are critical, says Roger.
“Employers don’t think they need to simulate phishing — education is enough. But it really does take a combination of the two,” he says. “And you need to run these tests about once per month to get the best results.”
2. Antivirus or Endpoint Security
Loading an antivirus program on every workstation may not adequately safeguard your network from viruses anymore. Viruses can be engineered to invade through other devices or “endpoints.”
This is why even small businesses often use a more advanced strategy called “endpoint protection” or “endpoint security,” which centrally monitors all endpoints, including workstations, mobile devices, servers, printers, etc.
3. Application Whitelisting
Tools such as Windows AppLocker help you prevent software from running on your company’s computers that your IT manager or vendor hasn’t explicitly allowed.
“If you use application whitelisting and configure it properly, that knocks out so many problems right out of the gate,” Dave says. “You don’t have to handle every piece of software that pops up and secure it, like whack-a-mole.”
4. Security Patching
When cyber thieves discover a vulnerability in commonly used software, such as Windows operating systems, that vulnerability is often broadcast throughout the cybercrime community.
Hackers prey on these vulnerabilities, so your IT staff or vendor must be vigilant about installing patches as soon as they’re released by software providers.
5. Email Virus / Spam Filtering
Standard email programs have anti-virus tools built in, but Dave recommends external services such as AppRiver to stop virus- and spam-laden emails before they actually get to your servers.
6. Encryption
In case a virus does get through to your network, be sure your databases that store and/or back up clients’ financial information are encrypted. The data stored on workstations, laptops, and other mobile devices should also be encrypted.
As an additional protection for financial services firms, consider a policy of encrypting your emails.
7. Strong Password Policies and Multi-Factor Authentication (MFA)
Use a password manager such as LastPass to help employees create strong passwords that are used only for network login. If an employee has more than one network-level password, e.g. one for an office workstation and another for a VPN, those passwords should be different.
Add another layer of security with MFA, which requires an additional login step beyond your password. For example, in addition to a password, users must enter a security code sent to their cell phone or generated by a key fob.
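To show what the "security code" in that second step actually is, here is an added example (not code from the original article or from Dave's firm) of the time-based one-time password algorithm (RFC 6238 TOTP) that key fobs and authenticator apps implement, together with the server-side check. The secret and timestamps are the RFC's published test values; the drift window, replay set and digit count are assumptions chosen for the illustration.

```python
"""TOTP generation and verification (RFC 4226 / RFC 6238). Added illustration."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of whole `step`-second intervals
    since the Unix epoch, so fob and server agree as long as their clocks do."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, used: set,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check (assumed design). Accepts the current step plus `window`
    steps either side to tolerate clock drift, compares in constant time, and
    records each redeemed counter so the same code cannot be replayed."""
    current = now // step
    for counter in range(current - window, current + window + 1):
        if counter in used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            used.add(counter)
            return True
    return False


# RFC 6238 Appendix B test key for the SHA-1 vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("current 6-digit code for the RFC test key:", totp(RFC_SECRET, int(time.time())))
```

A code is only as secret as the shared key on the fob and the server, and it is valid for a short window, which is why the replay set matters. Note the caveat a practitioner should keep in mind: a phishing page that relays the victim's code to the real site in real time still gets in, so MFA reduces the damage of a stolen password rather than making phishing harmless.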
8. Firewall Content Filtering
Even small firewalls now offer filtering of different categories of content. At minimum, “advertising” and “recently registered domains” should be blocked.
9. Proven Professional Oversight and Monitoring
Even with the previous eight layers of protection in place, attacks will slip through. Guaranteed. It’s simply not possible to detect and subdue every attack a business faces today.
However, if your network is monitored by IT security experts, either on-staff or through a vendor, you have a much better chance of catching anything unusual that manages to sidestep automated tools.
A dedicated security expert can also custom-design filters that, for example, identify specific language scammers may use to target your specific products, services, and employees.
For example, Dave has created an email filter for phrases that phishing scammers tend to use when targeting CPAs.
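The kind of rule Dave describes, and the BEC pattern from Level 4 (no links or attachments, an impersonated executive, pressure to move money), can be screened for with a few checks on each inbound message. The following is an added example and is not Dave's filter or any product's code: the internal domain, executive list, phrase list, sample messages and score thresholds are all constructed for the illustration.

```python
"""Heuristic BEC / wire-fraud screening over inbound mail. Added illustration."""
from email.utils import parseaddr

# Constructed values for the example; replace with your own domain and executives.
INTERNAL_DOMAIN = "example-cpa.com"
# Display names scammers impersonate, mapped to the only mailbox each may send from.
EXECUTIVES = {"jane doe": "jane.doe@example-cpa.com"}
# Payment-pressure vocabulary seen in wire and gift-card lures; tune to your firm.
PHRASES = ["wire transfer", "wire the funds", "are you at your desk", "banking details",
           "gift card", "confidential", "w-2", "need this done today"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a sender domain within two edits of ours is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(msg: dict) -> dict:
    """Apply four rules and map the total to an action. Thresholds are assumptions."""
    reasons, score = [], 0
    name, addr = parseaddr(msg.get("from", ""))
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    # Rule 1: an executive's display name on a message not from their real mailbox.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        score += 3
        reasons.append(f"display name '{name}' but sender is {addr}")
    # Rule 2: typosquat / homoglyph of our own domain (exarnple vs example).
    if domain != INTERNAL_DOMAIN and levenshtein(domain, INTERNAL_DOMAIN) <= 2:
        score += 3
        reasons.append(f"lookalike domain {domain}")
    # Rule 3: replies silently routed to a different domain than the visible sender.
    reply_domain = parseaddr(msg.get("reply-to", ""))[1].lower().rsplit("@", 1)[-1]
    if reply_domain and reply_domain != domain:
        score += 2
        reasons.append(f"reply-to goes to {reply_domain}")
    # Rule 4: pressure phrases, capped so wording alone flags but does not quarantine.
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    hits = [p for p in PHRASES if p in text]
    if hits:
        score += min(len(hits), 3)
        reasons.append("phrases: " + ", ".join(hits))
    action = "quarantine" if score >= 4 else "flag for review" if score >= 2 else "deliver"
    return {"score": score, "action": action, "reasons": reasons}


# Constructed sample messages: one legitimate, two executive impersonations, one
# vendor bank-change request (a real pattern that warrants a phone callback).
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example-cpa.com>", "subject": "Lunch",
     "body": "Team lunch at noon Friday?"},
    {"from": "Jane Doe <jane.doe@exarnple-cpa.com>", "subject": "Urgent",
     "body": "Are you at your desk? I need a wire transfer processed today. Keep this confidential."},
    {"from": "Jane Doe <janedoe.ceo@gmail.com>", "reply-to": "ceo.janedoe@outlook.com",
     "subject": "Quick request", "body": "Please buy four gift cards for clients and send me the codes."},
    {"from": "Accounts Receivable <ar@vendor-supplies.net>", "subject": "Invoice 1042",
     "body": "Our banking details have changed. Please remit by wire transfer to the new account."},
]


def screen(messages=SAMPLE_MESSAGES) -> list:
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for m, r in zip(SAMPLE_MESSAGES, screen()):
        print(f"{r['action']:16} score={r['score']} {m['subject']!r}: {'; '.join(r['reasons'])}")
```

Run as-is, the legitimate internal note is delivered, the lookalike-domain and free-webmail impersonations are quarantined, and the vendor's bank-change request is flagged for a human to verify by phone. None of the four rules needs a link or attachment to fire, which is the point against BEC; the trade-off is false positives on legitimate mail that mentions wires, so keep the phrase rule capped and let the identity rules carry the weight.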
Assess Your Firm’s (or Your Outside Provider’s) Cybersecurity Knowledge
Not all IT services providers are financial services cybersecurity experts — some are more focused on basic monitoring, installations, and tech support. That’s why SMB owners who aren’t IT experts must ask potential cybersecurity providers questions to determine whether they:
- Understand the current threat landscape
- Are aware of seasonal threats and regulatory requirements that face your firm (e.g. tax-related deadlines, data retention rules)
- Stay current with security news from inside and outside of the financial services industry
- Take responsibility for ongoing security awareness training for your employees
One of the main barriers to small financial services businesses seeking the proper level of cybersecurity protection is that they haven’t experienced a cyber theft or breach (that they know of) yet. Don’t wait that long. Start implementing these nine layers of protection now.