Grant Patten, Communications Specialist | BC Broker, April 2016
According to digital security company Gemalto, at least 59 data breaches involving more than 40 million records occurred in Canadian companies in 2015.
Brokers have likely heard by now that keeping both client and company data secure should be top of mind in today’s information-driven economy. It seems that a fresh cyber attack on a major organization is in the headlines every few weeks. But have brokers considered the specific security practices that can quickly be put in place to limit the impact of such incidents, or prevent them altogether? The security practices mentioned in this article represent major security improvements that are easy to implement, require minimal workflow adjustments and do not involve “big ticket” system purchases.
Password Management Best Practices
It is interesting that the root cause behind many major cyber attacks in the headlines is often something as simple as poor password management, as seen in the high-profile Ashley Madison hack last year. Most of the passwords that the hackers were able to crack were weak, common, overly simplistic passwords such as “123456”, “password”, “DEFAULT”, and “qwerty”. In contrast, roughly 3.7 million Ashley Madison accounts remained secure, likely because they had strong passwords or passphrases with longer strings of upper- and lower-case letters, numbers and symbols.
Therefore, brokers should consider making it a brokerage-wide practice to require a unique, strong password for each of their systems. A common objection to this type of policy is that such strong passwords are inconvenient to create and often easy to forget. And we certainly don’t recommend that brokers create such passwords and then paste them on their monitor with a Post-it note, as is unfortunately the case with some users. There is a better solution, which is to consider creating a unique, humorous passphrase (e.g., “ImGladMyPassw0rdIsAGood1!” or “ThisBrokerageUsesRealStr0ngPassw0rds”) instead of a random assortment of letters, symbols and numbers. This type of passphrase tends to be harder to crack than passwords and is likely easier to remember.
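The policy described above can be enforced mechanically rather than left to each employee's judgement. The following Python script is an added example, not code from the article or from CSIO: it rejects the common passwords named above, enforces a minimum length, gives a rough entropy estimate, and generates a word-based passphrase. The deny-list, word list, minimum length and 60-bit threshold are constructed assumptions for illustration; a real deployment would use a large breached-password list and a full Diceware-style word list.

```python
import math
import secrets
import string

# Constructed deny-list: the passwords quoted in the article plus a few other
# well-known entries. A production policy would check against a much larger list.
COMMON_PASSWORDS = {"123456", "password", "default", "qwerty", "12345678", "letmein"}
MIN_LENGTH = 14          # assumed brokerage policy value
MIN_ENTROPY_BITS = 60    # assumed brokerage policy value

# Constructed word list for the generator; a real list (e.g. Diceware) has thousands.
WORDS = ["ledger", "policy", "harbour", "maple", "broker", "quote",
         "renewal", "premium", "binder", "claims", "deductible", "portal"]


def estimate_entropy_bits(password):
    """Crude entropy estimate: length times log2 of the character pool actually used.

    This over-estimates word-based passphrases (see passphrase_entropy_bits),
    but it reliably flags short, single-class passwords such as '123456'.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("too little estimated entropy")
    return problems


def passphrase_entropy_bits(n_words, wordlist_size):
    """True entropy of a randomly generated passphrase: n_words * log2(wordlist_size).

    Four words from a 7776-word Diceware list give about 51.7 bits regardless of
    how long the words happen to be.
    """
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words=4, words=WORDS):
    """Pick words with the secrets module (not random), capitalise them and join with '-'."""
    return "-".join(secrets.choice(words).capitalize() for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ["123456", "qwerty", "Qwerty1!", "ImGladMyPassw0rdIsAGood1!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
    print("generated:", generate_passphrase())
```

The generator uses `secrets.choice` rather than the `random` module so the selection is unpredictable, and the two entropy functions are kept separate on purpose: the character-pool estimate is a quick policy gate, while the word-count formula is the honest figure for a generated passphrase.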
Bug Protection & Patching
The Heartbleed security bug disclosed in April 2014 affected many businesses, including the Canada Revenue Agency, which revealed that at least 900 social insurance numbers were compromised. The attack exploited a standardized, commonplace security protocol that had not been implemented correctly or maintained with the most current updates and patches.
As a best practice, brokers could educate their office about recognizing and using only secure websites. The primary way of identifying this is to see that the URL, or web address, begins with https://. This is especially important when entering any sort of data, such as in a form. By now, most websites have successfully patched the Heartbleed bug to eliminate the vulnerabilities. But the lesson from Heartbleed is that regular patching of your infrastructure (not just your website) is required – those who do not maintain regular patching remain at risk.
Talk to your IT provider to ensure that HTTPS is being properly implemented on your website and if your site doesn’t have it, consider implementing it. Doing so not only provides extra security, but can benefit your search engine optimization (SEO) rankings as well – Google identifies and prioritizes secure websites in search results.
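The two lessons of this section, look for https:// wherever data is entered and keep the underlying software patched, can both be checked automatically. The Python below is an added example and is not code from the article or from CSIO. The first function parses `openssl version` output and reports whether the build falls in the publicly documented Heartbleed-affected range (OpenSSL 1.0.1 up to and including 1.0.1f; 1.0.1g was the first fixed release). The second scans a page for forms and links that would send data over plain http. The page URL, HTML and version strings are constructed sample input.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Known fact: Heartbleed affected the OpenSSL 1.0.1 series from 1.0.1 through 1.0.1f.
HEARTBLEED_FIRST_FIXED = "1.0.1g"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into a comparable tuple (1, 0, 1, 'e')."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def heartbleed_vulnerable(version_text):
    """True if the reported OpenSSL build is an unpatched 1.0.1 release."""
    version = parse_openssl_version(version_text)
    if version[:3] != (1, 0, 1):
        return False
    return version < parse_openssl_version(HEARTBLEED_FIRST_FIXED)


class _TargetScanner(HTMLParser):
    """Collect form actions that are not https and links that are plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A form posts data, so anything other than https is a finding.
            target = urljoin(self.page_url, attrs.get("action") or "")
            if urlsplit(target).scheme != "https":
                self.findings.append(("form", target))
        elif tag == "a" and attrs.get("href"):
            target = urljoin(self.page_url, attrs["href"])
            if urlsplit(target).scheme == "http":
                self.findings.append(("link", target))


def insecure_targets(page_url, html):
    """Return (kind, absolute_url) for every form or link that would use plain http."""
    scanner = _TargetScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page for demonstration.
SAMPLE_PAGE_URL = "https://brokerage.example/quote"
SAMPLE_HTML = """
<html><body>
<form action="/submit-quote" method="post">...</form>
<form action="http://legacy.brokerage.example/apply" method="post">...</form>
<a href="https://brokerage.example/privacy">Privacy</a>
<a href="http://insurer-portal.example/login">Insurer portal</a>
</body></html>
"""

if __name__ == "__main__":
    for line in ["OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"]:
        print(line, "->", "VULNERABLE" if heartbleed_vulnerable(line) else "ok")
    for kind, url in insecure_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure {kind}: {url}")
```

Relative form actions are resolved against the page URL, so a form on an https page with `action="/submit-quote"` is correctly treated as https, while an absolute http action on the same page is flagged. The version check is deliberately limited to the 1.0.1 series; the general lesson of the section is that the same comparison should be run for every component of the infrastructure against its current patched release.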
Social Engineering Protection
Social engineering, also known as “human hacking”, takes advantage of common human behaviour to trick employees into downloading malicious code or divulging sensitive information. One common type is called phishing, where hackers create websites or emails that look as though they are official, urgent communications from a bank or other recognized company. When employees click a link, they may inadvertently download malicious code. Phishing is on the rise – 23% of recipients open phishing emails and 11% click on attachments, according to Verizon’s 2015 Data Breach Investigations Report.
The best way to counteract phishing is to simply be more discerning when reading and clicking through emails. Does the email look impersonal, come from an organization that you’re not familiar with, or contain a .ZIP as an attachment? If so, then it may be spam. If you are familiar with the company name, check the email address – it should exactly match the other emails you’ve received from them. Likewise, if an email seems suspicious but warrants a closer look, users can always navigate to the official website manually instead of clicking on an embedded link in the email. Finally, be careful about using devices brought in from outside the company, such as USB keys, as they are often the source of viruses.
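The questions listed above (impersonal greeting, unfamiliar sender, mismatched address, .ZIP attachment) can be turned into a simple triage check. The Python below is an added example, not code from the article or from CSIO: it parses a raw email with the standard library and returns the indicators it finds. The list of known senders, the sample messages and the attachment extensions are constructed assumptions; the article names only .ZIP, and the other extensions are added here as commonly abused types.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: addresses the brokerage has previously corresponded with,
# mapped to the organisation name they belong to.
KNOWN_SENDERS = {"claims@examplebank.example": "Example Bank"}

GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued client",
                     "dear account holder")
# .zip is the type the article names; the rest are added as commonly abused types.
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr")


def phishing_indicators(raw_message, known_senders=KNOWN_SENDERS):
    """Return a list of human-readable indicators; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message, policy=policy.default)
    indicators = []

    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()

    # Unfamiliar organisation: the brokerage has never corresponded with this address.
    if address not in known_senders:
        indicators.append("unfamiliar sender address")

    # Familiar name, wrong address: the display name claims a known organisation
    # but the actual address does not exactly match the one on file.
    for known_addr, org in known_senders.items():
        if org.lower() in display_name.lower() and address != known_addr:
            indicators.append(f"display name claims {org} but address is {address}")

    # Impersonal greeting in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(text.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        indicators.append("impersonal greeting")

    # Risky attachment types.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            indicators.append(f"risky attachment {name}")

    return indicators


# Constructed sample messages (addresses use reserved .example domains).
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.example>
To: broker@brokerage.example
Subject: URGENT: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Dear Customer,
Your account has been locked. Open the attached form to restore access.

--sep
Content-Type: application/zip; name="account_form.zip"
Content-Disposition: attachment; filename="account_form.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--sep--
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <claims@examplebank.example>
To: broker@brokerage.example
Subject: Claim file 4471 ready
Content-Type: text/plain; charset="utf-8"

Hi Pat,
The claim file we discussed on the phone is ready for pickup in the portal.
"""

if __name__ == "__main__":
    for label, raw in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)]:
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

The check is deliberately conservative: it reports indicators for a person to weigh rather than deciding on its own, which matches the advice above to investigate a suspicious email by going to the organisation's website manually.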
Managing & Restricting Access
The Principle of Least Privilege is an IT security concept that promotes minimal user profile privileges on computer networks; i.e., users should only have access to the parts of the network required to do their job. If, for example, the employee doesn’t handle accounting functions, then they should be restricted from this access. Perhaps the most famous recent example of an organization neglecting the Principle of Least Privilege and paying for it would be, ironically, when Edward Snowden leaked secret information from the US National Security Agency (NSA). Snowden had virtually unrestricted access to the entire NSA network, beyond the access levels required to do his day-to-day work. It was therefore very easy for him to access and leak thousands of classified NSA documents.
Broker principals shouldn’t assume that just because an employee is trusted, they won’t ever take sensitive information outside the brokerage. Whether deliberate or accidental, such incidents can occur with any employee. Most broker management system (BMS) products have different authorization levels that can be customized; brokers should take advantage of this feature to create different access levels for employees, giving each employee access only to the areas they need for their work, and restricting them from the others. Also be sure to remove access to all systems as soon as an employee leaves the brokerage; don’t forget company and partner portals, websites, email accounts and, of course, the BMS. For this purpose, it would be prudent to maintain a list of all systems each employee can access, to eliminate any guesswork once an employee leaves. Note that sharing accounts between employees is not a best practice and should generally be avoided.
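The three practices in this section, granting each employee only the access their role needs, avoiding shared accounts, and keeping a list of every system each employee can reach so that offboarding involves no guesswork, can all be driven from one small access inventory. The Python below is an added example, not code from the article or from CSIO. The roles, systems, permission levels and staff records are constructed assumptions; a brokerage would substitute its own BMS, portal and email accounts.

```python
from dataclasses import dataclass, field

# Constructed role baselines: the systems and permission level each job actually needs.
# A system absent from a role's baseline means that role needs no access to it.
ROLE_BASELINE = {
    "broker": {"bms": "write", "email": "write", "insurer_portal": "write"},
    "accounting": {"bms": "read", "email": "write", "accounting": "write"},
    "reception": {"bms": "read", "email": "write"},
}
LEVEL_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass
class Account:
    system: str
    username: str
    level: str


@dataclass
class Employee:
    name: str
    role: str
    accounts: list = field(default_factory=list)


def excess_privileges(employee):
    """Least-privilege check: (system, granted, needed) for each grant above the role baseline."""
    baseline = ROLE_BASELINE[employee.role]
    findings = []
    for acct in employee.accounts:
        needed = baseline.get(acct.system, "none")
        if LEVEL_RANK[acct.level] > LEVEL_RANK[needed]:
            findings.append((acct.system, acct.level, needed))
    return findings


def shared_accounts(employees):
    """Usernames used by more than one person on the same system."""
    owners = {}
    for emp in employees:
        for acct in emp.accounts:
            owners.setdefault((acct.system, acct.username), set()).add(emp.name)
    return {key: sorted(names) for key, names in owners.items() if len(names) > 1}


def offboarding_checklist(employee):
    """Every (system, username) to disable the day this person leaves."""
    return sorted((acct.system, acct.username) for acct in employee.accounts)


# Constructed staff inventory for demonstration.
SAMPLE_STAFF = [
    Employee("Pat", "broker", [
        Account("bms", "pat", "write"),
        Account("email", "pat@brokerage.example", "write"),
        Account("insurer_portal", "frontdesk", "write"),   # shared login
        Account("accounting", "pat", "read"),              # not needed for the role
    ]),
    Employee("Sam", "reception", [
        Account("bms", "sam", "admin"),                    # far above 'read'
        Account("email", "sam@brokerage.example", "write"),
        Account("insurer_portal", "frontdesk", "write"),   # shared login, not needed
    ]),
]

if __name__ == "__main__":
    for emp in SAMPLE_STAFF:
        print(emp.name, "excess:", excess_privileges(emp))
    print("shared:", shared_accounts(SAMPLE_STAFF))
    print("offboard Sam:", offboarding_checklist(SAMPLE_STAFF[1]))
```

Running the checks on a schedule, and again whenever someone changes role or leaves, turns the advice above into a repeatable control: the inventory is the single list the article recommends keeping, and the offboarding checklist is read straight from it rather than reconstructed from memory.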
CSIO’s intention is to raise awareness around the topic of cybersecurity rather than to make specific recommendations, and the previous points should not be taken as hard requirements. Formalizing security practices such as the above in an official brokerage security policy would be prudent. Once formalized, following up on the policy with an expert, third-party audit and internal enforcement are also important steps. Brokers should consider contacting an established information security firm in order to develop such a policy. Be sure to keep your eye on CSIO.com for more educational materials on cybersecurity in the coming months.