Why Firms Need Zero-Trust Cybersecurity, Especially Now
In the COVID-19 era, incorporating zero-trust into cybersecurity strategies is more important than ever for advisory firms, with so many financial advisors and firm employees using a broader range of tools and working from more varied, remote locations.
In this new era, the vulnerabilities for cybercriminals to exploit have grown exponentially, with two key areas that should be of particular concern to advisory firms:
First, just like any company, they must maintain the integrity of their own corporate networks, adapting to the new security environment in a holistic way that keeps data secure without compromising system performance.
Second, a huge cross-section of the users that access a firm’s data are not within the network perimeters, nor do firms own those users’ devices and networks. In normal times, this is a decentralized, varied landscape to protect. In today’s environment, with more numerous and diverse threats to counteract, the need for robust defenses has increased in urgency.
Firms must establish dual strategies to protect corporate networks while safeguarding a broader, more diffuse, but equally important constituency: their financial advisors.
Home Office and Corporate Networks
Prior to the pandemic, firm employees and executives predominantly worked in offices, a relatively straightforward setting for cybersecurity experts to protect.
Now, these workers are using the same applications as before, but from multiple residential locations.
To maintain a zero-trust approach under these circumstances, while also maintaining system stability and performance, firms should rethink their network architecture and the deployment of their cyber defenses to more closely align with how workers are accessing data.
For example, one might think that a way to keep data safe is to use virtual private networking. By requiring all remote users to use a VPN when performing any work-related tasks, firms are routing all data traffic back to their own servers.
This keeps data securely within the firm’s own network. But directing all that data back to the firm’s central network risks overwhelming and compromising overall system performance. The corporate network now has to accommodate all ordinary-course work activities, plus the needs of bandwidth-consuming video platforms such as Zoom and Microsoft Teams.
One solution is to split traffic between the critical data that must be accessed via the firm’s own networks and protected by its zero-trust defenses, and the less sensitive data flow to and from third-party applications, many of which are cloud-based and would be protected by those providers’ cybersecurity measures.
This approach remains zero-trust with respect to sensitive data, but it adapts to the reality of the current moment in a way that is less likely to compromise overall network performance.
Protecting Advisors
Protecting the information networks of individual financial advisors from cyber attacks has technological and communication components that require a mix of persuasion and top-down direction.
Some firms prior to the pandemic had already invested in the tools, solutions and platforms to implement a comprehensive zero-trust approach to cybersecurity.
They had tools to monitor and collect data on the users accessing their networks, and to analyze that data to build a holistic picture of each user’s cybersecurity posture.
Armed with those insights on potential gaps in defenses, they could implement risk mitigation approaches, some of which may involve denying access to users whose online behavior or device and system configurations were deemed too risky.
In the COVID-19 era, cyber attacks may not have changed in sophistication, but they have definitely surged in volume. This dynamic speaks to the need for more communication and education for advisors on the importance of keeping up to date with cyber defenses and how to leverage them most effectively.
As a tool to influence behavior, zero-trust is effective, but communications and education through webinars, newsletters and other channels, followed by more targeted, proactive campaigns that are more consultative in tone than confrontational and punitive, are good solutions.
—Jason Lish is with Advisor Group and Sid Yenamandra is with Entreda.
INVESTMENT ADVISOR (ISSN 1069-1731) is published monthly by ALM Media, LLC, 4157 Olympic Blvd. Ste 225, Erlanger, KY 41018-3510. Periodical postage paid at Covington, KY and additional mailing offices. Subscription Rate is $79 per year.
12. 20