When it rains, it pours. Shortly after the Securities and Exchange Commission (SEC) was the subject of a Government Accountability Office report stating that it must do more to protect its computer systems from cyber-attacks, the regulator announced that its EDGAR network suffered a security breach last year. The SEC originally didn’t believe that anyone’s personal information had been compromised, but later, after a detailed forensic analysis, the regulator discovered that the names, birthdates, and Social Security numbers for two people had indeed been exposed.
This series of events powerfully illustrates the rapid growth and expansion of the cyber threat. Even one of the most powerful federal regulators, responsible for setting and enforcing standards on cybersecurity for financial services firms, finds it challenging to stay one step ahead of cyber-criminals.
I did not write this article to criticize the SEC. The regulator’s staff members deserve praise for their commitment to consistently improving the security of sensitive financial information, and investment firms’ computer systems in general, across the industry. The point I’m making is that if even the SEC can fall victim to hackers, no financial advisory practice or other business, regardless of size, can afford to make light of the cyber threat.
In fact, small businesses are at higher risk of a security breach than their larger counterparts. Half of all businesses with 250 or fewer employees have been targets of cyber-attacks, according to the National Small Business Administration, and as Experian has reported, 55 percent of small businesses close up shop within six months of experiencing a security breach.
Not all clouds are the same
In light of the irreparable business and reputational damage that a security breach can inflict, small and large financial advisory practices alike need to ensure that their sensitive client data and technology infrastructures are protected—and comply with cybersecurity regulations—over the long term. One of the most effective ways to obtain ongoing security and compliance, while also streamlining operations and generating efficiencies that facilitate scalable growth, is to migrate all of their applications, data, and documents to the cloud.
But even though more and more firms are embracing cloud solutions for their IT infrastructure, not all types of cloud platforms are truly secure. Advisors and other business owners need to understand which type of cloud offers the best options for their businesses before moving to the cloud.
For example, private cloud systems are usually safer than public clouds because they are specifically designed to be used by one organization as opposed to multiple customers of a cloud provider. Since private clouds are only utilized and maintained by a single company, it is generally much easier for private cloud users to track data and documents as well as configure customized views across their organization—advantages which also make it much easier for private cloud users to implement and control cyber safeguards across the organization, including all firm-approved mobile devices.
These safeguards include multi-factor authentication, which involves requiring employees and other authorized parties to enter a standard password as well as a one-time code that can’t be used again in order to access company apps and data from mobile devices. According to Verizon’s Data Breach Investigations Report, 90% of security breaches occur because cyber-attackers are able to obtain valid credentials by exploiting users’ mistakes. That’s why requiring a one-time code along with a regular password for access can prevent many of these attacks. Private cloud systems enable multi-factor authentication to be deployed and maintained across all company desktops and mobile devices.
On the other hand, because private cloud platforms are built for use by only one organization, they are also more expensive than public clouds to implement, configure, and maintain. This is why some advisors may be hesitant to adopt private cloud platforms—but in this day and age, sacrificing stronger security and compliance for lower costs isn’t a wise decision.
Outsourcing can provide a happy medium
Independent advisory practices that don’t possess the technological resources or in-house expertise to effectively transition to, and manage, private cloud platforms don’t need to forgo the security and compliance these solutions can provide. Instead, smaller advisory firms can outsource the operations and maintenance of their private cloud systems to a third-party IT services provider which specializes in working with financial services companies. Advisors can also make use of proprietary cloud platforms offered by third-party vendors with established track records for protecting sensitive data and remaining in compliance with cybersecurity regulations.
Both of these choices can give advisors the peace of mind that comes from knowing that reliable IT experts are working on their behalf to keep their systems and client data safe from hackers, and ensure that their cybersecurity measures align with evolving regulations.
The breach of the SEC’s EDGAR system adds a new sense of urgency to the need for advisors to enact measures and adopt tools that protect sensitive client data. A secure cloud solution can help advisors avoid dangerous and ruinous security breaches, while remaining in compliance with cybersecurity rules. As long as advisors take the time to identify which type of cloud solution is the right option for their organization before any migration, they can protect themselves and their clients from the expanding cyber threat going forward.
Justin Kapahi is Vice President of Solutions and Security at External IT, which provides the workplace solution, a secure digital hub designed to help financial services organizations operate more efficiently and manage all their compliance and cybersecurity needs as they grow.