- October 27, 2020
- Posted by: Pat Riot
- Categories: CyberSecurity, Finance, Private Wealth, RIA
Low-hanging Fruit: a thing that can be won, obtained, or persuaded with little effort. – Google
The phrase “low-hanging fruit” has been a common metaphor in the English language for decades and has taken on various meanings over time. It is most often used to mean doing the easiest tasks first, or simply taking what is offered. It originates from harvesters picking the “low-hanging fruit” first, because it was easier to gather, before moving up the tree for the harder-to-reach fruit.
Cybercriminals view small to medium size Registered Investment Advisor (RIA) and Private Wealth Advisor (PWA) firms the same way harvesters look at fruit on a tree. Advising firms are, more often than not, seen as low-hanging fruit for attacks because they hold a surplus of valuable financial information protected by rudimentary security controls: advisors typically have hundreds of thousands of assets under management, copious amounts of sensitive and personal client and employee information, and little to no data privacy, protection, or procedures in place. This makes SMB advising firms ripe for the picking by bad actors with little to no effort.
“The Securities and Exchange Commission (SEC) cautions that it has observed an increase in cyber-attacks against registered investment advisers (RIAs) and broker dealers (BDs), which, in some cases, has resulted in the loss of customer assets and unauthorized access to customer information.”
This is a quote from the September 15, 2020 SEC Risk Alert. The Office of Compliance Inspections and Examinations (OCIE) has noticed an uptick in the number of attacks focused on RIA firms. It attributes this increase to a specific attack that has become the preferred method for cybercriminals targeting financial firms because of its efficiency and effectiveness. It is known as credential stuffing: an attack that takes client and employee credentials found on the dark web (typically reused passwords from breaches of other sites) and feeds them into an automated script that tries them against the firm's login systems at scale, effectively brute-forcing a way into the network. If the attack is successful, bad actors can steal assets from clients, access confidential information, or completely take over the customer or employee account, granting them full access.
To help combat this emerging threat, the SEC has laid out five practices all firms should consider implementing to secure their clients' information: Multi-Factor Authentication, Detection and Prevention Controls, Monitoring the Dark Web, Updating Policies and Procedures, and Identity and Access Management.
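As an added example (not from the SEC alert or Steel Patriot Partners) of what the "Detection and Prevention Controls" practice looks like against credential stuffing: the script below scans a constructed authentication log (the `timestamp ip username result` format and the thresholds are assumptions) and flags any source that tries many distinct usernames with a low success rate inside a short window, which is the signature of stuffing rather than a single user mistyping a password.

```python
"""Credential-stuffing detector over authentication logs (added example).

Assumptions: each log line is 'timestamp ip username result' (a constructed
format) and the thresholds are illustrative. Stuffing shows up as one source
trying many distinct usernames with mostly failures, unlike one user
mistyping a single password a few times.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one benign user and one stuffing source.
SAMPLE_LOG = """\
2020-10-27T09:00:01 203.0.113.7 alice@example.com FAIL
2020-10-27T09:00:03 203.0.113.7 alice@example.com SUCCESS
2020-10-27T09:01:00 198.51.100.9 bob@example.com FAIL
2020-10-27T09:01:01 198.51.100.9 carol@example.com FAIL
2020-10-27T09:01:02 198.51.100.9 dave@example.com FAIL
2020-10-27T09:01:03 198.51.100.9 erin@example.com FAIL
2020-10-27T09:01:04 198.51.100.9 frank@example.com SUCCESS
2020-10-27T09:01:05 198.51.100.9 grace@example.com FAIL
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_success_rate=0.5):
    """Return {ip: summary} for sources that, inside a sliding window, hit
    at least min_users distinct usernames with success rate <= threshold.
    'successful_logins' lists accounts that need a forced reset/review."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(chunk),
                               "successful_logins": sorted(u for _, u, ok in chunk if ok)}
    return flagged
```

A flagged source is a candidate for rate limiting or blocking at the login endpoint, and the accounts in `successful_logins` are the ones to reset and step up to MFA first.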
Following these five steps is an excellent way to turn your company from low-hanging fruit into forbidden fruit. Here at Steel Patriot Partners, we strive to ease cyber compliance and operations for RIAs and PWAs. We understand how difficult it can be to maneuver through regulations, keep up with client demand, and still meet quotas. We also understand cybersecurity and the constant threats that are out there. Our software is guided by governmental frameworks and monitored by security experts 24/7 to give advising firms the level of security maturity they need to be above and beyond regulatory standards. By utilizing Steel Patriot Partners services, firms can implement the latest information security policies and procedures with practically no network interruptions. From around-the-clock threat detection and prevention to identity and access management, we can eliminate the threat of credential stuffing and help advising firms make the jump from low-hanging fruit to the forbidden fruit at the top of the tree.
If you want to find out more about how your firm can beat the statistics and become forbidden fruit, give us a follow on social media (Facebook, Twitter, LinkedIn), send us an email, give us a call at 703-297-4405, or contact us directly! Regardless of the method you choose, we look forward to hearing from you and are excited to help!