Advice firms with 10 licensed advisers or less are particularly vulnerable to IT security breaches and will remain at risk until standardised security protocols are put in place across the industry, an IT security expert has warned.
Nick Ellsmore, co-founder of “community-driven” security firm Hivint, says financial advice is like most other industries, in that smaller companies are more vulnerable to attack than larger, better-funded players.
“Smaller firms often just rely on their IT consultant, who is often a friend of the family or someone who has been referred onto them,” Ellsmore says. “They’re not going to be security specialists. If big companies with millions of dollars in their IT budget and dozens of specialist staff get breached, the odds that a small advice firm can protect itself are pretty low.”
Ellsmore says the only thing saving most small firms from being breached is that they haven’t been looked at yet.
“The fact that nothing happens doesn’t mean that you’re doing security well,” he says. “If anyone looked at these firms, there [would see] ways they can be compromised.”
Rich pickings
About 96 per cent of attacks come through email, Ellsmore says; most are identity frauds, wherein an attacker typically pretends to be a client or provider and illegally coerces the victim into transferring funds. However, the way hackers target financial advice firms is unique.
Ellsmore explains that, while identity fraud usually involves a clumsy and unsophisticated volume-based approach, “spraying out hundreds of thousands of emails and you’re hoping to get five or 10 people to click through”, attackers tend to spend much more time putting together tailored, detailed correspondence to dupe advice staff.
“With these business email compromise scams, they’re not trying to defraud you of two or three hundred dollars,” Ellsmore says. “They’re trying to get two or three hundred thousand dollars. So they’re willing to spend a month crafting the right email.
“The attackers will spend time looking at your Facebook and LinkedIn profile, seeing who you’re connected to. And all of that is to build up a profile so that when they send you that targeted message, it can be as accurate as possible to maximise the return.”
In need of a standard
Ellsmore argues that the biggest hindrance to IT security controls is that there is no minimum benchmark for advice firms.
“As a financial adviser, [you’re not required] to have bank-grade or defence-grade security,” he laments. “The only way smaller firms are really going to get any specific security requirement is if there’s something built into their licensing agreement or some other agreement that they have with a bigger organisation.”
What the industry needs, Ellsmore argues, is a standardised approach.
“There should be a large service that basically provides a secure IT layer to enable a financial advice firm,” Ellsmore says. “An adviser should be able to sign up for one unit of IT and have the whole thing put in place and managed. But at the moment, I’m not aware of that system or that provider being” available.
Ellsmore spent time in San Francisco earlier this year, and says large tech companies such as Microsoft are already implementing solutions like these across US industries.
“Microsoft, for example, on its Azure platform, is starting to make blueprints or templates available so you can say what type of business you are,” Ellsmore explains. “Then, based on that, they will provision you with a system that is going to manage your data, your email, your [customer relationship management] CRM and all the other systems based on your industry. It’s all centrally controlled and accredited.”
He says the financial planning industry is well-positioned to benefit from this type of benchmark, because many businesses have the same systems and processes and can adopt relatively generic solutions.
“Within financial advice, you’ve got thousands of businesses with similar, relatively templated requirements from an IT perspective,” Ellsmore says. “So I think that’s the way forward.”