How to hack-proof your practice

With ransomware attacks on the rise, finance and wealth firms have to play tighter defence

How to hack-proof your practice
As increasingly tech-supported wealth and finance firms face increased risk of ransomware attacks, they have to review their security procedures to keep themselves and their clients protected.

Figures from the recently released 2017 Sonic Wall Annual Threat Report showed there were 638 million attempted ransomware attacks in 2016, 167 times the number of attempts in 2015, according to Thirteen per cent of the attempts were aimed at the financial services industry.

To protect their information, the article suggested that firms establish an information security policy based on relevant industry guidelines, such as those from FINRA. In Canada, the CSA published a cybersecurity bulletin in September, which includes a list of cybersecurity resources from various financial industry organizations and regulatory bodies.

Mandatory annual training must also be done to educate staff on how to respond to common threats, such as emails from unknown senders.

It’s also critical to stay on top of patches, especially ones that address severe risks. The WannaCry attack in early May exploited a flaw for which a patch had already been available since March, but many users had simply failed to fix it.

Regular antivirus checks should be done for all firm-owned devices, which should operate under standard configurations and have administrative limits and privileges selectively applied. If there’s a possibility of some devices getting stolen, the capability to erase information remotely would be valuable, as well as data encryption and regular backups.

Physical management of information should also be done: a clean-desk policy would help ensure that sensitive information written on paper, such as usernames and passwords, is not compromised. Passwords should also be strong and complex. Changes should also be done regularly; inactive user accounts should be evaluated for either a password change or deletion at least every three months.

Finally, third-party vendors of software solutions should be screened to make sure they’re not vulnerable to attacks. Instituting minimum security requirements and requiring confidentiality agreements would be a big help, as would specified penalties in case of breach.

For more of Wealth Professional's latest industry news, click here.

Related stories:
CSA: Communication a key in cybersecurity
Canadian firms lag in cyber breach detection