The Infosec Institute says that malicious cyber activity cost the US between $24 billion and $120 billion and worldwide that number was $300 billion to $1 trillion (see here). And that was in 2013!
For investment professionals (and other businesses as well), poor cyber security practices which lead to being hacked can cause a complete loss of client confidence – leading to a loss of clients.
That of course does not include fines and lawsuits.
Some investment pros ask why would hackers go after me and why do I have deal with cyber security. The CFA Institute’s (Chartered Financial Analyst) answer?
Those were decent questions – 10 years ago.
Combine the huge amount of financial information that an investment professional keeps with the general lack of interest in cyber security that the CFA Institute says some investment professionals have, and you have a recipe for a cyber disaster.
So how do hackers complete their attack? Here is the answer.
Step 1 – Reconnaissance
Check out social media posts. Information on online purchases that you shared about, other public information. Google yourself and see what shows up. If you Google me, you will find articles I wrote 20 years ago. The Internet never forgets.
Given this, a hacker will identify a mark- say a particular high net worth individual. The hacker will figure out what company(s) the mark is working with, maybe find employee’s LinkedIn profiles. Maybe find out who the managers are. Once the hacker has zeroed in on the sucker, he moves on to step 2.
Step 2 – Infiltration
So now we know who the hacker is going to try to attack. He knows what sites the target visits and maybe he knows that he visits social media at lunch. He finds out what the target’s interests are – hobbies, charities, sports, etc.
Now he crafts a spear phishing email – called that because it only targets one person. He buys some domains that look very much like the real domains of the organizations that the target is associated with.
He crafts an email that seems very believable to the target. Maybe it is a confirmation for a meeting associated with his favorite charity and entices him to click on the link in the email.
At this point, it is all over but the crying.
Step 3 – Escalation
The attacker has inserted a remote access trojan or RAT into that link which the target clicked on. Now the attacker has control of the target’s PC, can do anything the target can do. Maybe even capture every keystroke the target types (such as passwords). If the target is a local administrator, he can change the configuration of the computer. If the target is a domain administrator, he can do even more and if he is an enterprise administrator – well, you don’t want to ask.
He can now, for example, find every file of interest on the target’s PC and network shares and send them to Russia. What do you think the odds are of arresting that hacker in Russia?
Step 4 – Exploitation
Maybe the hacker uses the information to obtain lines of credit and forge identities. Maybe he sells the data for other people to use.
Maybe he asks for a ransom to get the data back. Even if the ransom is paid, the attacker may not give back the data. Ransomware attacks are up ovewr 500% this year. Because they work. In fact, the attacker could share the data with the media. Just for revenge.
This is a very real and relatively easy to execute scenario and anyone who thinks they are immune from this is likely fooling him or her self.
There are steps you can take to improve your odds. Watch what you share on social media. Don’t use work computers (or PHONES or TABLETS) for personal email and browsing. Carefully examine what links you click on. Get educated – hire experts if you need to.
This is not a simple problem and there are no simple solutions. The only solution which is a sure failure is to pretend it is not a problem.
While this post is geared to investment professionals, it really applies to almost everyone. I recommend you consider the advice.
Remember that if a hacker wants to target a particular high net worth individual, it may well be easier to get their through his advisors.
Information for this post came from the CFA Institute.