Rob is an advisor in Cincinnati at a firm with some half a billion in assets. He’s always thought his cybersecurity was pretty good and figured his firm would be a fairly unappealing target for thieves and hackers.
Still, he decided to go one step further and get a penetration test—paying professional good-guy hackers to try to break into his company’s systems and test his weak spots.
He felt confident. He had a brother who worked in IT security at a big company and felt he knew the risks pretty well. So he paid a security firm to have its people set up in the back of his office and try to get in; as it turned out, they had trouble breaking into his computers.
But he wasn’t thinking about his copy machine and scanner, which might have high-value information like tax returns or investment statements. Like many other machines, copiers have default administrative passwords—easy hurdles for people who manage to get into the facility, with, say, the cleaning crews.
“Both of [the devices] could have been loaded with software to copy data or scans to an outside location,” Rob says. “What I’m going to do is inject this malware into any device, and every time something is scanned, it’s going to go to the person who has scanned it, but a copy of it is also going to me [the bad guy].”
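The scenario above, a scanner quietly sending a second copy of every document to an outside address, is one that egress monitoring can surface. The following is an added example, not code from the article or from any firm it mentions: it takes a constructed inventory of copier/scanner IPs, a constructed allowlist of internal destinations those devices are expected to talk to (a file server or mail relay segment), and a few constructed firewall log lines, and flags any allowed connection from a scanner to a destination outside that allowlist. Device names, addresses and the log format are all assumptions.

```python
"""Flag copiers/scanners whose outbound traffic leaves an internal allowlist.

Added example; all device names, addresses and log lines below are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed inventory: multifunction devices that handle scanned documents.
MFP_DEVICES = {
    "10.0.5.21": "copier-2nd-floor",
    "10.0.5.22": "scanner-reception",
}

# Constructed allowlist: the only segment a scanner legitimately sends scans to
# (internal file server / mail relay). Anything else is worth a look.
ALLOWED_DESTINATIONS = [
    ip_network("10.0.10.0/24"),
]

# Constructed firewall egress log: "<timestamp> <src> <dst> <dst_port> <action>"
SAMPLE_LOG = """\
2017-03-01T09:12:04Z 10.0.5.21 10.0.10.5 445 ALLOW
2017-03-01T09:13:41Z 10.0.5.22 10.0.10.7 25 ALLOW
2017-03-01T09:15:22Z 10.0.5.21 203.0.113.45 443 ALLOW
2017-03-01T09:16:00Z 10.0.1.17 93.184.216.34 443 ALLOW
2017-03-01T09:17:10Z 10.0.5.22 198.51.100.9 21 ALLOW
2017-03-01T09:18:30Z 10.0.5.21 198.51.100.9 21 DENY
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, port, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}


def is_allowed_destination(dst):
    """True if dst falls inside a network the scanners are expected to reach."""
    addr = ip_address(dst)
    return any(addr in net for net in ALLOWED_DESTINATIONS)


def find_suspicious_egress(log_text):
    """Return (device, dst, port, ts) for every permitted connection from a
    copier/scanner to a destination outside the allowlist."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["src"] not in MFP_DEVICES:
            continue  # workstation traffic is out of scope for this check
        if rec["action"] != "ALLOW":
            continue  # the firewall already stopped it; no exfil happened
        if is_allowed_destination(rec["dst"]):
            continue  # expected internal destination
        alerts.append((MFP_DEVICES[rec["src"]], rec["dst"], rec["port"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for device, dst, port, ts in find_suspicious_egress(SAMPLE_LOG):
        print(f"{ts} {device} -> {dst}:{port} (outside allowlist)")
```

The check is deliberately narrow: it only cares about devices that hold client documents and only about connections the firewall let through, which keeps the alert list short enough for a small firm's IT person to actually read. The companion control is the one the article implies: change the copier's default administrative password so the software that creates that extra copy cannot be installed in the first place.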
Now that he’s bulked up his protection, he asked not to be identified by his full name for this article.
Cyber criminals have become increasingly sophisticated, and all financial services firms are ripe targets for fraud. In 2016, the FBI’s Internet Crime Complaint Center received almost 300,000 complaints representing almost $1.3 billion in losses. According to the IBM X-Force Threat Intelligence Index, the financial services sector was attacked more than any other industry that year. The most pervasive scams involve phishing, ransomware, malware and denial-of-service attacks.
Diane Pearson of Legend Financial Advisors in Pittsburgh says her IT person once told her that someone was trying to break through the firm’s firewall every night. Pearson knows of somebody at another firm who lost her job after succumbing to a phishing e-mail and wiring $50,000 from a client to a fraudster.
The scams don’t have to be terribly sophisticated. The biggest vulnerabilities of financial companies, say security experts, are perhaps not surprisingly their employees. Naïve staffers are most at risk of opening phishing e-mails that allow fraudsters to install malicious software on their machines, taking over their computers and breaking into networks.
The biggest risk is that a hacker will capture an employee’s credentials and then log in externally to third-party vendors, says Benjamin Gordon, the manager of advisory services at Rook Security in Carmel, Ind. “Employees just aren’t educated enough on security, to be perfectly blunt. It doesn’t matter what technology you have in place, what IT team you have in place. If somebody clicks on a malicious link, it’s a problem.”