How Wealth Managers Can Fight Cyber-Attackers - Part Two

Theresa J Pratt July 10, 2018

This is the second part of a feature from an expert about the steps wealth managers should take to protect against the rising menace of cyber-attackers.

This is the second half of a feature about the challenges of cyber-security for wealth managers. The article is by Theresa J Pratt, who is chief information security officer, Market Street Trust Company. The first half of the article appeared here. Details about the author can be viewed below.

In my previous article, I discussed two foundational areas of focus related to cyber-security: policies to help comply with a quickly changing regulatory environment that is delivering new rules, such as the New York State Department of Financial Services Cybersecurity regulations, and employee training to help avoid pitfalls. There are two more foundational components that are essential basics of every technology security system for wealth managers: patch management and vendor management. Failure to carefully and comprehensively monitor these areas can create potentially damaging security and/or regulatory issues.

Patch management is the term used to describe how companies ensure that all of the software they use is up to date. Software enables every firewall, computer, laptop, server, network device, mobile device, automated control (such as sensors and thermostats), multi-function copier, etc. to function. Unfortunately, all of this software is imperfect and vulnerable. Any system or device that connects to the Internet is at risk and needs to be maintained, or “patched,” to ensure it is running with the latest fixes and updates. If not, the risk is this: once a vulnerability is discovered within a system, a race begins between the good guys and the bad guys.

The good guys begin working on a fix (writing a patch); the bad guys begin working on an exploit (virus, or worm). The longer you leave your software unpatched, the longer you remain vulnerable to the exploit. Many of the biggest cyber-attacks, including the high-profile WannaCry, which affected as many as hundreds of thousands of computers in more than 100 reported countries last year, were effective because organizations had not applied patches that were available. In some cases, these patches were available for years. The risk of not applying patches in a timely manner is extraordinary and unnecessary.

When considering patch management there are several things to think about:

1. What systems do you have that might be vulnerable? Every organization needs to have an inventory of everything that connects to its network and every software application running on anything connected to its network. This applies to everyone, even those using the cloud for hosting purposes. Your devices are running software to enable the connection (operating systems and browsers) that can be vulnerable. Depending on the complexity of the environment, it may be best to invest in tools to help you keep track. Some software tools will build an inventory of everything that is on your network and alert you when something new connects. This can be very helpful in detecting rogue, unauthorized devices.

2. Do you need all of the systems you have? This is a crucial and often overlooked question. Once you have a clear understanding of what is on your network, conduct a needs assessment. Is this device or software necessary? If the answer is “I don’t know,” look into it further and consider removing it. If the answer is, “it’s always been there” or “it used to do x, but we don’t do that anymore…”, remove it. Browser plugins that we rarely even think about, such as Yahoo! Toolbar, Flash, and Silverlight, are an example of this. They are rarely necessary and notoriously vulnerable. If you don’t need it, uninstall it or remove it, and in doing so you’ve removed a layer of risk.

3. What patch level does each device have? Once you’ve inventoried your systems, you need to make sure each device and all software has the highest patch level available. This includes your network devices like switches and routers, which can be easy to overlook.

4. What if you have something that cannot be patched? An old system that you need for historical data but is no longer able to be updated might be an example of this. If you have a system that fits this description, consider isolating it from the rest of your network. If it cannot be patched, it creates a real and constant vulnerability. By isolating it, you are removing that vulnerability from the rest of your network, so if it is compromised, an intruder cannot gain access to the rest of the systems in your organization.
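The four questions above can be turned into a weekly report that a manager can read. The following script is an added example, not code from the article or from Market Street Trust Company; the asset register, the network scan results, and the device names in it are all constructed for illustration. It reconciles the register against what an inventory tool saw on the wire and sorts every asset into rogue, review, remove, isolate, or outdated.

```python
"""Weekly inventory and patch-level reconciliation (added example, not from the article).

Constructed inputs: REGISTER is the firm's asset register; SCAN is what a network
inventory tool observed this week, flattened to ip/mac pairs.  Both are invented.
"""

def parse_version(v):
    # '9.1.10' -> (9, 1, 10): compare as integers, since '9.1.10' < '9.1.4' as strings
    return tuple(int(p) for p in v.split("."))

def reconcile(register, scan):
    """Answer the four patch-management questions for one asset register."""
    report = {"rogue": [], "missing": [], "review": [], "remove": [], "isolate": [], "outdated": []}
    seen = {(d["ip"], d["mac"].lower()) for d in scan}
    known = set()
    for a in register:
        key = (a["ip"], a["mac"].lower())
        known.add(key)
        if key not in seen:
            report["missing"].append(a["name"])       # registered but not on the wire this week
        if a["needed"] is None:
            report["review"].append(a["name"])        # "I don't know" -> look into it further
        elif not a["needed"]:
            report["remove"].append(a["name"])        # no business need: retire it, no patching debate
            continue
        if not a.get("patchable", True):
            report["isolate"].append(a["name"])       # cannot be patched -> segment it from the rest
            continue
        if parse_version(a["version"]) < parse_version(a["latest"]):
            report["outdated"].append(a["name"])      # below the vendor's current patch level
    # anything seen on the network that is not in the register is a rogue device (question 1)
    report["rogue"] = sorted(f"{ip} ({mac})" for ip, mac in seen - known)
    return report

# Constructed sample data: names, addresses and versions are invented for this example.
REGISTER = [
    {"name": "fw-edge", "ip": "10.0.0.1", "mac": "AA:BB:CC:00:00:01", "needed": True, "version": "9.1.4", "latest": "9.1.10"},
    {"name": "core-switch", "ip": "10.0.0.2", "mac": "aa:bb:cc:00:00:02", "needed": True, "version": "16.9.4", "latest": "16.9.4"},
    {"name": "legacy-archive", "ip": "10.0.0.50", "mac": "aa:bb:cc:00:00:50", "needed": True, "patchable": False, "version": "5.0", "latest": "5.0"},
    {"name": "old-fax-server", "ip": "10.0.0.77", "mac": "aa:bb:cc:00:00:77", "needed": False, "version": "1.0", "latest": "1.2"},
    {"name": "mystery-box", "ip": "10.0.0.88", "mac": "aa:bb:cc:00:00:88", "needed": None, "version": "2.1", "latest": "2.1"},
]
SCAN = [
    {"ip": "10.0.0.1", "mac": "AA:BB:CC:00:00:01"}, {"ip": "10.0.0.2", "mac": "AA:BB:CC:00:00:02"},
    {"ip": "10.0.0.50", "mac": "aa:bb:cc:00:00:50"}, {"ip": "10.0.0.77", "mac": "aa:bb:cc:00:00:77"},
    {"ip": "10.0.0.99", "mac": "de:ad:be:ef:00:01"},  # not in the register: rogue
]

def weekly_report():
    return reconcile(REGISTER, SCAN)

if __name__ == "__main__":
    for category, names in weekly_report().items():
        print(f"{category:9s}: {', '.join(names) or '-'}")
```

Version strings are compared numerically on purpose: a naive string comparison would rank 9.1.4 above 9.1.10 and hide an unpatched firewall.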
 

With all of the complex systems we have in place, it is likely that such an inventory or IT audit will take time and resources. It’s likely that people and tools will be needed to assist with system maintenance. Framing the conversation properly with technical people, so you know what questions to ask and what issues to consider, is very important.

From a management perspective, you need a mechanism to ensure proper patching is being done. Have a candid conversation with your technical person(s), ensure they have the tools they need to accomplish this task, and look for frequent, even weekly, reporting on device/software inventories and patch levels. Check in regularly and be open and willing to listen: what was fine last week may no longer be adequate due to an emerging threat.

When considering patch management, it is reasonable to turn to a third party to assist, but be aware of the risk they present, which can be both business- and systems-related. To your clients, third-party issues are your issues. As a result, strong due diligence around vetting all third parties is critical. Determining whether they can do what you need is only the first step.

For example, I was once asked to investigate a vendor my client had selected to merely “check the box” on due diligence. While the vendor’s software obviously would meet their technical needs, I noticed they had moved and had consolidated from two offices to one. I made a few phone calls and discovered that the company had lost most of its clients and the remaining “address” was the owner’s home, which meant the company no longer had the resources and staff my client was expecting.

When vetting vendors, consider the following: 

  • Financials: How long have they been in business? Is their business growing? If they are only a few years old, proceed with caution. Long-term viability is essential;
  • Security practices: Request their privacy policy, confidentiality policy, non-disclosure agreements, liability insurance, incident response plan and notification policy in the event of a breach. If the vendor struggles to produce these policies, that’s a red flag;  
  • Hiring practices of the vendor: Who works for them and how are those people vetted? Ask if they require background checks. In the world of technology, physical access to computers is key. A knowledgeable person has access to anything on any computer they have physical access to, and that can be dangerous in the wrong hands;
  • Exit strategy: What does “divorce” look like in the event you no longer want to do business with them? Find out the following up front:
      • Who owns the data?
      • What will it cost to get it from them (this can be a nasty surprise)?
      • What format will it be when you get it? A “universal format” once meant millions of rows of data in Notepad. Even opening the file was challenging.

Crafting a strong cyber-security program is a complex challenge. While these are subjects that volumes have been written about, the topics covered briefly in these two articles (vendor risk management, patching, training and comprehensive policies) form a foundational core. If an organization starts by focusing here, they will make significant strides towards moving the needle on cyber-security for themselves and their clients.

About the author:

Theresa's responsibilities focus on cyber-security, complying with the New York State Department of Financial Services regulations, and strategic efficiencies through technological enhancements. She joined Market Street in 2012. Previously, she worked for CRB Consulting Engineers as its corporate applications manager. In this role, Theresa led the team that supported all major corporate applications, including accounting, intranet, secured client portals and CRB's website.

Theresa is an adjunct instructor for Elmira College, teaching Information Technology in their business management program. She also serves on the board of the Chemung County Veterans Monument organization. Theresa holds a BA and M.S. from Elmira College in Information Technology Management, Microsoft Certification in VB.net programming and has completed executive certification in negotiation through Notre Dame University. She has also spoken at various events, including a conference on cyber-security and family offices hosted by the publisher of this news service.
