How can regulated firms prevent cybersecurity breaches and fines with training and awareness?

The pandemic caused companies around the globe to adapt to remote work and adopt more cloud-based services. Now cybercriminals are taking full advantage by targeting remote workers. Cyberattacks have skyrocketed since the pandemic, with 70% of breaches originating at the endpoint.

This upswing in cybercrimes is particularly concerning for regulated firms, as many often lack in-house cybersecurity protection and training resources — but still need to adhere to Securities and Exchange Commission (SEC) regulations.

Why is preventing security breaches so important to firms? Aside from the obvious downsides of breaches (lost revenue and reputational damage, for starters), the SEC is showing an increased willingness to levy severe penalties against firms that fail to adequately protect information. In fact, on August 30, 2021, the Commission sanctioned multiple firms and fined each of them between $200,000 and $300,000.

The SEC’s message to regulated firms

How did these firms fall short? The companies failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts in a timely manner. Their deficient cybersecurity policies and procedures resulted in email takeovers that exposed the personal information of thousands of customers and clients at each firm.

In its press release, Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit clearly described what’s expected of firms:

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

That statement — along with the hefty fines — makes one thing very clear: The SEC will not allow firms to take cybersecurity lightly.

Phishing is on the rise

What methods are cybercriminals using to attack companies and steal information? For one, phishing attacks rose to unprecedented rates in 2021. There was a 22 percent increase in phishing attacks in the first half of 2021 over the same time period in 2020. Plus, phishing attacks in the cryptocurrency market were 10 times higher.

The problem many firms face is that they haven’t implemented adequate policies and procedures to inform both employees and customers about potential cyberthreats. So users are susceptible to phishing schemes, which can result in disastrous data exfiltrations and exposed information.

How do phishing attacks occur?

In a recent case, a large cryptocurrency fund reached out to Linedata for help combatting a phishing scheme. Their users were receiving a high volume of emails that were designed to look like they were coming directly from legitimate platforms and vendors. These emails contained links and information requests, which the users thought were legitimate. In reality, the emails were part of a phishing scheme that tricked users into clicking unsafe links and sharing sensitive information.

And phishing schemes like this occur every day, often targeting regulated firms.

Combating cyber attacks with training and awareness

Protecting against security breaches, especially phishing attacks, isn’t easy. It takes an experienced and diligent team to stay one step ahead of cybercriminals.

Linedata helped its cryptocurrency client fight the phishing scheme with a three-pronged approach:

1. The technology fix 

We started with endpoint protection by enabling their spam filter with the highest level of security to protect against phishing. However, no spam filter will block 100% of threats, and technology alone is never enough to combat sophisticated schemes. The next step is absolutely essential.

2. Training and awareness 

Here is where many organizations fall short. You must train your employees and users to identify the schemes that lead to attacks. In the cryptocurrency fund example, we defined a detailed training campaign to educate users on common spamming and phishing techniques to be aware of — and warned them against clicking on links in suspicious emails. Furthermore, the training detailed how to:

• Control 'CEO fraud'
• Control SIM swapping
• Set up secure passwords
• Enable secure remote access
• Protect their environment

3. A phishing test

Finally, we tested the employees to see the extent to which they were still vulnerable. Our phishing test involved sending fake phishing emails to users and reviewing their actions. After training, users recognized and reported 98% of phishing emails (compared to an industry average of 83.6%).

This training-heavy approach paid big dividends for the client and gave them the confidence they could handle future phishing attacks competently.

Training is critical…and just one aspect of a complete cybersecurity solution

Cybercriminals are getting more advanced, so unsophisticated or outdated cybersecurity protection strategies will no longer suffice. Cybersecurity training is a must for battling phishing attacks, but it’s only a portion of a complete cybersecurity solution.

From technology to governance to cybersecurity training, Linedata’s end-to-end cybersecurity suite provides expert guidance and services to protect your employees and users from cyberattacks. We have extensive knowledge of cybersecurity delivery in the finance and investment market. And with our bespoke operating model, we serve as an extension of your team and provide award-winning cybersecurity protection.

Protect against more than SEC fines

SEC fines for cybersecurity breaches can create serious hardships for your company. And that’s only one downside. Breaches also result in revenue and data losses, mistrust, and long-term damage to your brand.

You can’t afford to leave your company vulnerable. With Linedata’s support, you get the industry experience and security expertise to navigate this dangerous business environment and keep your firm protected.

About the author, Girish Khilnani

Girish Khilnani co-heads Linedata’s Technology Services business, which includes Public and Private Cloud, Cybersecurity, and Managed Services. He’s spent nearly two decades managing IT infrastructure, cloud, and global service delivery teams to provide leading-edge solutions for financial institutions. Girish is passionate about enabling operational excellence that supports the specific requirements of hedge funds, private equity, and asset managers.