As the country still reels from the effects of the pandemic, the relentless assault of cybercriminals has not slowed. And, with many people continuing to work online from home (66 percent of employees are currently working remotely at least part of the time), the threat posed by cybercriminals has only intensified as they seek ways to exploit this unusual situation.
Investment fund administrator SEI Investments Co. recently suffered a data breach. Other firms and businesses can glean valuable information and enhance their own protective measures by analyzing SEI’s situation.
What Happened in SEI Investments Co.’s Cybersecurity Breach?
In this particular cybersecurity breach, the attackers did not go after SEI directly. They targeted a vulnerable third-party vendor and, through that vendor’s back-end systems, retrieved sensitive data. Using this approach, the hackers were able to access personal information of about 100 of SEI’s clients.
What can we learn from their experience? It’s critical that financial firms complete thorough reviews of their vendors and tech providers, both upon commencement of their partnerships and periodically during the relationship.
The situation with SEI isn’t an isolated incident, and it’s not confined solely to financial industry providers and vendors either. A similar breach occurred at IT giant Wipro last year, impacting clients across a variety of industries and disciplines. With Wipro’s breach, however, the damage reached even further: Wipro itself served as a third-party provider to many other third-party providers, so the hackers who infiltrated it gained a foothold from which to target, and collect data from, a wide net of downstream firms.
What Can I Do To Protect My Firm From Cybersecurity Risks?
Ask yourself the following questions, and focus on the following areas, to get started on, or to re-invigorate, your cybersecurity efforts.
Do You Have a Written Cybersecurity Policy?
Start by creating a written cybersecurity policy that addresses your needs. A written cybersecurity policy gives your organization a baseline to rely on when interacting with technology, making vendor decisions, and training employees.
As you’re building your policy, the following areas should be considered and addressed:
- Physical security of data and facilities
- Information technology processes
- Guidelines to ensure appropriate hardware/software choices
- Personnel management and training
- Timelines for periodic auditing and reports
- Policy enforcement guidelines
Are You Doing Sufficient Due Diligence On Your Third-Party Providers To Understand The Potential For Cybersecurity Threats?
When you select a third-party provider, you’re handing some portion of control over to another organization. Third-party providers are necessary for business and can provide essential benefits, like audit support, compliance review management, and more.
However, selecting the right partners requires diligence and care. A few areas to address when selecting a third-party provider include:
- Data collection procedures
- Monitoring processes
- Reporting processes if/when a breach occurs
- Screening against industry and government watch lists
A comprehensive risk assessment should be part of the review process and your firm should have a standardized scorecard designed to measure and rank third-party vendors on an equal and codified footing.
Working with a compliance consultant can make the process of developing guidelines easier because they’ve gone through these due diligence building programs with multiple clients and have created tried-and-true guidelines that stand up to regulatory scrutiny.
Are You Training And Preparing Your Staff?
Cybercriminals are smart and determined, and they will search for the weak links in your security processes in order to exploit them. To be well-prepared against a potential attack, you must ensure everyone in your company is prepared, not just the IT department.
Provide regular training for employees and make it relevant to their specific roles. And, encourage employee skepticism when it comes to email requests, links, data management, and more.
In the remote work environment, it is even more important to vet requests before processing them. Train employees to confirm unusual email requests by another channel (a phone call to a known number, or a message on an internal system) rather than by replying to the email itself.
An HR representative at a financial institution recently received an email request from the CEO, asking for a spreadsheet of employee data including names, social security numbers, and compensation. After a few moments, the HR rep received another more agitated email demanding a rush be put on the request.
The situation felt wrong, so the HR representative reached out directly to the CEO’s office and learned the request was phony and an attempt to intimidate him into revealing confidential information.
Are you doing enough to mitigate cybersecurity threats against your organization? As one IT security professional recently confided, it’s a strenuous and wearing process because “we have to outsmart the scammers 1,000 times a day. They have to outsmart us once.”
If you are working to develop strong cybersecurity policy for your firm or to analyze your due diligence efforts, it can feel like an uphill task. Our compliance consultants can support you as you build programs to ensure secure third-party vendor relationships and overall peace of mind.
About Red Oak Compliance
Red Oak Compliance is the global advertising review software of choice in the financial services industry, serving clients with more than $19 trillion in assets under management. Red Oak’s advertising compliance review software offers quick implementation timelines, as well as agile technology that responds to client needs and is 100% Books and Records compliant. Our clients report 35% faster approvals and 70% fewer touches, with many experiencing even better results. Are you ready to minimize risk, reduce costs, and improve efficiency? Contact the Red Oak team to learn how.