
Cybersecurity: How to Proactively Outsmart Cyber Threats For Your Financial Services Firm

We talked with Geoff about:
  • How cybersecurity is becoming a bigger topic for advisors to deal with 
  • Why advisors should “trust but verify” when communicating with clients
  • Getting back to the basics to ensure cyber safety

About Geoff Moore:

As Valmark Financial Group’s Chief Information Officer, Geoff Moore leads technology and cybersecurity for the home office and field advisors. Geoff emphasizes staying proactive and ahead of cybersecurity challenges rather than dealing with aftermaths such as website hacks or data compromises. He shares tips for outsmarting cyber threats and discusses the importance of implementing key strategies, including setting up multi-factor authentication, ensuring regular system updates, and granting only the minimal permissions needed.

Full Audio Transcript

Lauren (00:04):
Welcome, Geoff. It's great to see you.

Geoff (00:06):
Good to see you, Lauren.

Lauren (00:08):
Well, I appreciate you taking the time today and I'm really looking forward to talking about cybersecurity. I feel like this topic has in the last, I don't know, 15 or 20 years, just really completely changed, right? Technology is changing so much, it impacts all of us in so many different realms of technology, insurance, what have you. So before we get into all the nitty gritty of it, let's hear a little bit about your role, what you do on a day-to-day, and sort of set the stage there. So I'll hand the mic over to you, so to speak.

Geoff (00:39):
Yeah, sure. I’m Geoff Moore, Chief Information Officer for the Valmark Financial Group. We're an independent broker dealer, RIA, and insurance general agency. We've got about 350 producing advisors scattered across the country. And I'm responsible for technology at Valmark, and that includes cyber for our home office and all the advisors out in the field as well. So cyber—definitely near and dear to my heart—is just something we have to deal with. If you think about our industry, it's just mostly data and as the hackers have gotten more sophisticated and we've become even more connected to each other, it's just become a more and more important topic to deal with for advisors.

Lauren (01:19):
Can you share a little bit more about when you're looking at, I'll say tech stacks or what have you, all the importance of just being safe, right? I know we talk about all different platforms from your CRM to your website to I'm sure just training and that sort of thing. I'd love to hear a little bit more about the importance of cybersecurity and how you all see it from a big picture.

Geoff (01:40):
Yeah, so one of the things we require of our offices is that if they're looking at a new technology platform, cloud, whatever, we have to approve it. So I get to see a lot of different fintechs and what they're doing, and a couple of things we look for right out of the gate is multi-factor authentication. So whatever system they're using, it needs to have where you put in your user name and password and then you get a little push or a text on your phone to make sure you're safe to log in. And you'd be surprised, there's actually a number of systems in our industry that don't have multi-factor authentication enabled. But that's kind of the first thing on the checklist. The other thing I find interesting is that a lot of people, especially if they're using a really big name brand—it's got all the certifications—I think just because they purchase that tool, they think they're safe. And what's important to know is just because you're using that tool, it's also about how it's configured. So you can use the big name brand, SOC 2 certification, all the bells and whistles, but if you have it misconfigured or it's not configured correctly, you could be in a lot of trouble as well. So it's not just enough to have the name brand tool. You also have to have it configured correctly as well.

Lauren (02:59):
So identifying maybe a new tech stack to add to your portfolio, or even it might be in addition to, right? You're part of that process of then being able to say, okay, here's the teams, the data for their criteria, they've gotten to this point, and then you're going through the bells and whistles. What kind of things are you looking for in addition to two-factor authorization? Is there anything else in particular, if it's certain apps or integrations? I'd love to hear a little bit more on that side of things.

Geoff (03:31):
Yeah, I mean, I think the trickiest one is typically when it's a startup, when it's a newer fintech. I've seen a couple kind of like I described before, they might be using Azure or Amazon AWS. They're on that platform and they think, oh, that's enough to be safe. But well, it's just the tool set. You have to have it configured correctly to be safe. But I'd say the biggest thing to look out for is MFA, and then what kind of personally identifiable information is going into that system. So just thinking really clearly about what's going into that system. And then the other thing with the cloud is everything's connected, right? I'm using this system, it might connect to this other system. What data is getting shared between systems and is there private information I have about my client that might flow into another system as well?

Lauren (04:18):
With that, are there any kind of best practices you've seen that are just sort of general best practices as a takeaway for even cutting off parts of systems? Like this group can only have access to this information, or they can have full access to this personal information for X client or what have you. I'd love to hear if there's any kind of walls or things you have put into place or your lessons learned over the years when it applies to that.

Geoff (04:44):
I'd say generally speaking, you should have only the permissions you need to do your job. So sometimes I think what we see is people get over-permissioned or especially somebody maybe if they have their own business, maybe they're in a role like an advisor but they also own the practice so they have administrative rights to that system. Well, you may feel a sense of safety, I own that, but actually you might be less safe because you can accidentally do something or enable some other service to have access to your system that you didn't intend to. I could get super technical with it and explain maybe why but just as a general rule you just want to have enough permission to do your job day-to-day and not give yourself any extra permissions, because if your account gets compromised or you make a mistake inadvertently, it's easy to do if you have too many permissions.

Lauren (05:36):
Yes, that's absolutely fair. And then it creates checks and balances for everything that's going on. So I'd love to hear, shifting topics a little bit, what are some of the top challenges you're seeing within the cybersecurity space? It's evolved so much over the years to where we are today, as has technology, and what are some of those snags you're running into or perhaps opportunities in the market to help make this space even stronger?

Geoff (06:04):
I think the biggest hole I see, if we think about security as a chain, and that involves your end client, that involves the advisor, that involves the custodian, kind of the whole chain of people, I'd say right now I feel like the weakest chain is our clients. I think about my own mom, she's 73, God bless her, she's a super smart lady but I have to help her with some of her personal cyber. And I think a lot of advisors might work with people like her.

And oftentimes they're the ones who are going to get compromised. So if you're in a business, you're hiring smart third parties to help you, consultants, etc., you're pretty locked down. But if your end client gets compromised—so what we could see is something like an end client's email gets compromised, a bad guy gets in there, he starts emailing the advisor or something like that. And then the advisor, wanting to give good service, be helpful to their clients, inadvertently makes a mistake because maybe they didn't follow their firm's procedures or rules and they just didn't do what we call out of band—making sure you're checking outside of that email you received, that it’s actually your client that's giving you some sort of instruction. The other thing we're seeing is the bad guys know our procedures. They know what they are with firms, they're familiar with the types of procedures, things we'll do. So we're seeing things like this. They're very patient, and they might do something like, let's say you call your client on a certain phone number, right?

They'll understand the first step they need to do is change the phone number. So they'll put in a request maybe to change their phone number, and then they'll wait a couple days and then they'll send an email that says, Hey, let's do something. And then the person calls on that number that was just changed. Well, that's not actually the client's real number. They're aware of the procedure; they want to change it. So I think the biggest challenge overall is just making sure to not trust the client and have some outbound verification. In fact, there was a recent Wall Street Journal article I posted about where people are doing the deep fakes with client voices to try and sound like a client when they're calling and speaking to their advisor or their banks; it's getting much more sophisticated. So having some sort of mechanism you can share with your client, like a shared secret, like a code word or something like that, that you can put in your CRM and you can say, okay, Mr. and Mrs. Smith, what's the code word? And they can say pickle sauce, and you're dealing with them.

Lauren (08:40):
Yes, that makes sense. I know a lot of credit cards will have that four-digit code or something of that sort. So sort of similar procedures.

Geoff (08:49):
Schwab does that with their custodian. That's one of my good tips. They don't really advertise that a whole lot but if you want some extra protection on your account, you can request to use a code word with Schwab so even if you enter all your information, you still have to use your secret code word with them to talk to them about your account.

Lauren (09:06):
That's a good tip just for any of that. So crazy. I think sometimes you think cybersecurity and you think it's an automated sort of thing but what you're communicating, it's becoming much more sophisticated and much more.

Geoff (09:21):
Yeah, and you know what? I was on another podcast with somebody and they said, you know what I want with my cyber? I just want it to be something I don't think about. And I'm like, well, actually, I kind of want the opposite. We do monthly training, and the whole reason we do it monthly is it's always got to be a little bit top of mind for your team. So anybody in our network, they're getting monthly training. And then for our developers, we even do some additional training on top of that just to keep it top of mind and make sure we're staying current with what's happening in the industry.

Lauren (09:52):
We have some firms we work with where they actually offer cybersecurity training for their clients, and they'll send out emails with just reminder tips for certain times of the year or what have you. That's awesome. Annual piece, especially when you've talked about elder abuse and just different folks who are not as technology tech savvy and even folks who are, I mean, like you're saying, it's getting more and more sophisticated. So interesting. So with that, is there anything from the professional side of things? I know you said it's on the client side of things as well. Is there anything you think professionals should be doing to make sure they're doing the things they need to do to protect themselves? I mean, I guess that could go from the individual professional but even from the firm level, I'd love to hear a little bit more on that. You mentioned trainings, things to keep yourself and your clients safe.

Geoff (10:43):
So I think sometimes there's this idea that we have to do something really out there, cutting-edge or something when it comes to cybersecurity. And really a lot of times it comes down to just doing the boring basics unfortunately. So it's having—the first thing I talked about—MFA everywhere, make sure you've got MFA everywhere, whatever that means to you, your phone app, whatever training we talked about. The other one that I think is starting to change, I think everybody knows they're supposed to do patching and updates. Make sure your systems are updated. Now, years ago, kind of dating myself, 10 years ago if you patched within nine months, 12 months, you were fine. There were studies that would show most people who were compromised, their vulnerabilities were 12 to nine months older. We're not seeing that anymore at all. We're seeing a much shorter time frame between when a vulnerability is discovered and when someone's trying to take advantage of that. So if a provider's coming to you and they're telling you they want to do some new technology to help them patch faster, that's the reason why. Or even for yourself, even on your home system. I think it was like a month ago, Apple released an emergency update that was basically like, you need to update your iPhone today.

Lauren (12:04):
ASAP, yes.

Geoff (12:05):
ASAP. And that was really scary and no joke. So I think the biggest thing is just making sure you're doing automated updates wherever you can and making sure they're patched.

Lauren (12:15):
Yeah, I mean, that makes sense. And then are there any tools you see out there to help educate? So let's say your firm, you're looking to be able to educate your team about cybersecurity. Are there any kinds of trainings or third-party tools or things you feel are valuable? Of course there's Google, right, a wealth of knowledge into itself. 

Geoff (12:39):
There's a couple I've used before for years. One is KnowBe4; it’s a big industry player, and I think its training's really good. It's usually very short, and it incorporates phishing—trying to simulate an email compromise attack for you, and giving you reporting on top of it so you can see where your firm is, and then benchmark against the industry as well. So for specifics, that would be one I would look at for sure.

Lauren (13:09):
Okay, that's great to know. I mean, cybersecurity is scary, right? It's potentially one of the biggest threats for various companies.

Geoff (13:16):
It can be, especially in financial services. I mean, depending on how you interact with your clients. I mean, if you get it wrong, if you get it really, really wrong. I'm sure some people, firms, they're dealing with more than a billion dollars. They may have an individual client with $10 million plus, and if somehow one of their accounts gets compromised or messed up, and somehow you get yourself in the middle of that, it could be a death sentence. So I guess the other thing I would say is make sure you have cyber insurance and make sure you're doing everything in the policy that will cover and protect you. That would be the other thing too. I think most people know that by now but if you're running a business and you don't have cyber insurance and you're handling people's money, you absolutely need to get it.

Lauren (14:02):
I've also seen, I don't know if it's something your firm does, but I've also seen companies where they will send out, I think it's through a third-party tool, but they'll send out basically emails that look like they're phishing emails but they're not really phishing emails. And then individuals will get a score if they clicked on them or they didn’t, and how they sort of responded to it almost like it'll catch you off guard, right? You're not in the mindset of taking an exam. And I think that's kind of an interesting way to just make sure to remind people, to keep them on their feet. Is that something you have done?

Geoff (14:36):
Oh, yeah. And KnowBe4 that I talked about does the same thing. So yeah, really the phishing is kind of a way to, I'm sure you've maybe heard the phrase like trust, but verify. People are taking the training, they're seeing it but that's really kind of the proof in the pudding. And I've certainly found some people are better at it than others. So we've put in a couple escalation steps for those who might need additional training guidance or if it gets really bad, they get a one-on-one with me.

Lauren (15:06):
Yes. Just go through the basics and help to point it out. Sometimes you need that. We all need that in-person experience to talk through stuff sometimes.

Geoff (15:16):
And just to reiterate that it's important.

Lauren (15:22):
Yeah, that's key. And then just out of curiosity, so we just talked about email as a platform. Are you seeing this on text messages? Are you seeing it mostly in tools like Salesforce or other things like that? As in, are you seeing it aggregated in one particular medium?

Geoff (15:36):
I think from what I’ve seen and talking to others, I think business email compromise is probably the biggest, one of the biggest areas we see people trying to attack, especially if they're on a big platform like Office 365 because they've just got millions and millions and millions of users. So I guess one tip I would have is if you are using a system like Office 365, they have their web version. If you're not using the web version, you're using Outlook, I would just go ahead and shut off the web version, just shut it off. That's probably one of the biggest vectors attackers use. And also it's not perfect, but shutting down overseas access. So if you only deal with customers in the United States and there's no reason for anybody overseas to reach out or you don't travel internationally, you can restrict access to your account to only be logged in from the United States network.

Lauren (16:32):
How about VPNs?

Geoff (16:33):
They could bypass it. They could bypass it but I'm surprised how many people still try to log in or attack networks without a VPN. They're still coming from Africa, Europe, China, wherever.

Lauren (16:50):
That's fair. Super fascinating. Any other tips you think could be helpful to share or kind of insights you've seen over the years?

Geoff (16:59):
If you want to get really nerdy.

Lauren (17:01):
Let's do it.

Geoff (17:01):
You want to really nerd out. Okay. This thing is called a YubiKey.

Lauren (17:06):
Okay, tell me more.

Geoff (17:07):
So you have your two-factor authentication, so most people are familiar with your phone, you get a text number or whatever; this is next level. I can't actually log into certain accounts unless I have this physical key present on me.

Lauren (17:24):
So sort of like your government ID card, but a little bit different.

Geoff (17:28):
That's a great way to think of it. It's physical. I actually have two of them because if I lose one it’s game over, I can't access certain accounts. So I always keep one on me and one in another safe location in case something would happen. So that's like if you really want to go next level and you want to protect the nuclear codes, you can get what's called a YubiKey and there's a number of sites that support a YubiKey.

Lauren (17:56):
Then that's something a company would purchase. They would essentially authenticate it and they would distribute it across the board. And then that would basically be to log into what? Is it to your computer? Is it to Microsoft 365? 

Geoff (18:08):
It's the whole thing. You can use it for all of those. You can use it just for your laptop. It just kind of depends on where you want to configure it. There's a lot of people who'll work with a YubiKey mostly if they want to have a Google login, Microsoft 365 or password manager is a big one, where to use it if someone's using a password manager; that'd be another thing I guess I hadn't talked about yet at all, is making sure you use a password manager.

Lauren (18:32):
No Excel sheets, please.

Geoff (18:36):
No Excel sheets. And then I haven't dived into the nitty-gritty but a lot of my friends who are bigger nerds than me in the cybersecurity space, they really recommend against saving your password in the browser. So a lot of browsers will allow you to save, and most of them would recommend against doing that and use more of an official password manager.

Lauren (19:01):
That makes a lot of sense to be able to have that added layer of security. I know we've worked with some companies too where we've been issued laptops and stuff and there's a separate ID where you've got to log in through your phone and it's a face verification. It's a whole thing. So it's just part of it but it's a good thing. So crazy. It is a good thing. Extra layers like you said.

Geoff (19:24):
Yeah. Extra layers. Especially when you think about the kind of data our clients are entrusting to us. We have to put in the extra steps.

Lauren (19:33):
Even vendor management. I see that too. Just to throw that out there. I'm sure you all have formalities around that. And even issuing communications as reminders. We see that on our end too, just given the nature of our work. 

Geoff (19:46):
Yeah. I'd say the regulators too, this is definitely an area of interest for them as well. They're asking more about what firms’ processes are around vendors. How are you onboarding them? How are you checking to make sure they're still doing what you think they're doing? And then how are you properly offboarding vendors?

Lauren (20:02):
Yep. Makes sense. Just keep it clean. Well, thank you so much for your time today. I appreciate you sharing. Any final thoughts? I don't want to cut you off there too soon.

Geoff (20:15):
No, I'm great. Thank you. Thank you for letting me come on today, Lauren. It was great getting to talk to you.

Lauren (20:20):
Oh, it's fun. It's a great topic to talk about and it's super important, and I think it's one of those topics where if you don't get ahead of it, it will get ahead of you. And I feel like you've got to put those processes and procedures in place, and unfortunately we see them sometimes after the fact. So it's nice to have this conversation to start to think about those things and identify opportunities to be able to help do that education, put those processes in place, and I just also really appreciate hearing your expertise and lessons learned over the years. So thank you. Awesome.

Geoff (20:53):
Thank you, Lauren.