The average length of time between a new computer being hooked up to the Internet and its being targeted by hackers is six minutes, experts warn -- so it’s critical to establish a defense in depth against cyber-invasion.
“Set up a computer, and within six minutes your computer will be attacked,” said Paul Horn, chief information security officer at HD Vest, in a session at the company’s annual meeting for its financial advisors, Connect2016, being held this week in the Washington, D.C., area. “So it’s important that you get your security set up quickly.”
What’s more, financial services businesses like accountants, tax professionals and financial planners are particular targets, according to Horn’s co-presenter, HD Vest security architect Sonny Mauldin. He cited data on security breaches showing that financial services was by far the No. 1 attacked industry, accounting for 30 percent of attacks across 21 industry categories, with 795 confirmed security incidents of data loss in the most recent year studied.
Between the growing sophistication of “black hat” data thieves and the enormous incentives they have to steal, it’s more important than ever that organizations protect themselves, and with that in mind, Horn and Mauldin offered a number of tips.
1. Keep up to date. Make sure your operating systems, browsers, applications and antivirus solutions are current with the latest updates and patches. Almost 100 percent of exploited software vulnerabilities have had a patch available for over a year, Mauldin pointed out: “If you could do one thing to protect yourself, it would be to patch your software.”
2. Don’t rely just on anti-virus software. “Anti-virus is only good against 40 percent of vulnerability attacks -- it’s not the be-all and end-all,” Horn said. “It’s about defense in depth.”
3. Have a business-class firewall. Note that an ISP-provided DSL/cable modem is not an adequate firewall, Horn said, so you’ll want to add something extra to whatever comes with your basic Internet service.
4. Have current backups of your systems and data. Also, make sure the backup is stored somewhere hackers can’t get at it -- and test your backup from time to time to make sure it’s working.
5. Never update from a page prompt. If a Web site tells you that you need to update an application like Acrobat or Java, log out of the browsing session and go to a trusted Web site and download the update from there.
6. Ensure detailed logging is enabled on your firewall and systems. If there’s an invasion, this will give you valuable information about what specific information was accessed, and what clients or systems, if any, were affected.
7. Remove local administration rights from your employees’ accounts. Mauldin also suggested that if you have administrator rights yourself, you should have a separate account without rights for everyday use so if your account is compromised, the hacker won’t have administrative power.
8. Have a cyber-insurance policy. Eventually, everyone will get breached, and the recovery costs can be significant.
9. Never use the same passwords for different applications or financial institutions. “From a criminal’s standpoint, once they have the one password, they’ll go try it for everything else,” Horn said.
10. Stop and think, don’t click. “E-mail is the root of all evil,” Horn said. “Don’t trust anyone or anything in an e-mail.”