When it comes to protecting the data they hold, many businesses mistakenly believe they don’t have anything a hacker would want. However, there are sophisticated hackers for whom credit card numbers or similarly exploitable information holds no interest. These data thieves go mining for proverbial gold in attorneys’ notes, accountant spreadsheets, and unreleased quarterly or annual reports, looking for any information they can manipulate to their advantage in the stock market. They are taking “insider trading” to a new level.
Trading on information stolen from professional advisors is more insidious than credit card or wire transfer fraud, where victims are alerted fairly quickly that a hacker has compromised their data or networks. Day-to-day activity in the stock market always has a certain amount of volatility. Likewise, one individual’s purchase or sell-off might not trigger any immediate alarms. Taken in the aggregate, however, the financial impact can be enormous, in the hundreds of millions of dollars.
Professional advisors may not lose money directly in these schemes, but the ultimate costs can be devastating. Successful lawyers, accountants, and financial advisors all work hard to build excellent reputations and trusted relationships with clients. If clients are able to trace fraudulent trading back to information that was easily hacked from a specific advisor because of insufficient data protection, those relationships can be irretrievably damaged and reputations destroyed.
Any person or firm that is trusted to be a steward of sensitive information must follow the example of those in highly regulated industries and take multiple precautions to protect the data they hold. Four recommendations are especially effective for improving data protection:
- Review your data through the eyes of a thief. Take inventory of the sensitive data you are keeping, and consider how a thief could make use of that information if it were compromised ahead of a merger, acquisition, or other deal.
- Plan to protect what you determine is worth stealing. Establish an incident response plan that defines what you must protect, what would constitute a breach, and the roles and responsibilities of those who need to respond in the event a breach is uncovered.
- Implement security beyond anti-virus and firewall protection and test it regularly. While preventing breaches is optimal, hackers are experts at finding their way into networks. To prevent long-term damage caused by these intrusions going undetected, companies should install intrusion monitoring technology, such as endpoint threat monitoring, that continuously works in the background to protect their data. Also, firms should test all their protection methods at least once a year to ensure they are doing the intended job.
- Update protection against new technical and social engineering threats. Most breaches are the result of human error or a failure to update network protections. While it is not necessary for senior management to know all the details at a granular level, they must know what controls are in place and understand how they fit together in a holistic data protection plan. Critically, controls must go beyond technical threats and address intrusions that result when employees are duped into giving a hacker access to the network or make other human mistakes.
The unscrupulous are always looking for insider information they can use to their advantage for stock trades. Unfortunately, fraudsters are easily finding what they need in the networks of professional advisors. In order to protect their clients’ interests, as well as their own reputations and financial well-being, professional services firms should know they do indeed have data worth stealing, and take steps to protect it today.