|Print this Article|
Why Financial Advisors Need to Embrace Zero-Trust Cybersecurity
By Steven Ryder
“Never trust, always verify” is the premise behind zero-trust operating environments, which are considered by many to be the best-in-class approach to managing cybersecurity in today’s world. Because financial advisors are required to provide adequate cybersecurity controls to protect client data, it’s important to understand how zero trust differs from other approaches to safeguarding a firm’s technology and data.
Never Trust, Always Verify
Just as financial advisors are charged with looking after clients’ assets—actively managing upside opportunities and downside risks—zero trust actively manages risks to a firm’s data and technology environment instead of only responding to known cybersecurity threats.
A zero-trust strategy assumes the need for constant protection from risks that can potentially disrupt and destroy a firm’s network, data, and devices. Threats can be from inside and outside the network, so the zero-trust approach seeks to identify everyone on the firm’s network and those attempting to get on. Once authenticated, users are allowed the least amount of access and information necessary to do their jobs.
Zero-trust virtual private networks (VPNs) block anyone attempting to log in who is not using an authorized device. Single sign-on, biometrics, conditional access policies, and multifactor authentication verify the identity of individuals as part of zero trust. This level of active protection seeks to guarantee that the person trying to get access to the data is who they say they are.
Verifying identity before granting access ensures that the device and user making the request match the standards developed for access to the data or the environment. With zero trust, identity checks are not one-time events. Each posture check has an expiration date and is reassessed continually. In other words, users are regularly asked to verify their identity to gain and maintain access to the network.
Active Risk Management
The continuous checks before granting approval and access distinguish a zero-trust cybersecurity framework from others. They are done all the time to be sure that people and devices adhere to cybersecurity controls.
While zero trust sounds inconvenient, it is vital to embrace its significance and acknowledge that acceptance will follow in time—particularly with remote work setups making it more difficult to monitor and block network access. Financial advisors deal with high-net-worth individuals and large amounts of money, making them a potential goldmine of data and assets for bad actors.
It’s also a reality that firms are being pushed to move in this direction by outside forces. Insurance companies require certain levels of active cybersecurity protection for policies to be enforceable. And while they do not dictate any specific technology or cybersecurity strategy, regulators are signaling that this level of protection is necessary. With its forthcoming proposed Rule 10, the SEC is seeking more cybersecurity and cybersecurity disclosure from firms. Clients and prospects are also asking firms about how their assets are protected, how communications are protected, and, in some cases, specifically asking about zero trust.
Zero Trust Can Be a Culture Shift
The transition to a zero-trust environment can mean an organizational culture shift for firms that have been more permissive in allowing users to access data from any device. With zero trust, users are only permitted to work on firm-owned devices, which is counter to the bring-your-own-device (BYOD) policies many firms have adopted.
In a zero-trust construct, personal devices cannot be used without firm-authorized security on them. Firms that want to continue to allow users to work on personal devices with zero trust must have BYOD policies that mandate acceptance of the firm’s security terms and policies so that personal devices and users can be authenticated. Users who are unwilling or unable to comply cannot use their personal devices to work and access firm and client data.
To that end, firms need to supply their users with the technology they need to do their jobs. In many cases, that’s a laptop, a docking station for the office, and a monitor. Users working outside of the office can do so by connecting through the VPN from the firm-issued laptop.
It’s important to remember that by verifying the device and verifying the user, zero-trust environments enable people to work from anywhere securely. Though conditional access policies and protocols may feel inconvenient, they are important because they protect against bad actors trying to intercept log-ins and they block suspicious activity, including log-ins from unauthorized countries or locations.
Implementing Zero Trust
Most wealth management firms need some kind of team to manage a zero-trust environment. Just as professional financial advisors manage their assets, firms need experts to manage their security.
Though off-the-shelf zero-trust technology is available for download and installation, this is not zero trust. The approach requires configuration, management, and constant updating of the multiple layers of security required to check the permissions, devices, locations, and security posture of every connection. To work properly, zero-trust environments require dedicated oversight.
Regardless of whether they use in-house or external staff, firms need a seasoned team of professionals who have cybersecurity expertise and actively manage the technology. Typically, the levels of expertise and tools needed are not found in internal information technology departments, so firms look to managed service providers (MSPs) for this support. MSPs can offer enterprise-grade technology and expert support at a fraction of the cost of attempting to bring these resources in-house.
As threat actors continue to change their approach, scope, and methods for attack, firms need to change their defenses as well. Years ago, antivirus software and firewalls did the trick; then came the shift to endpoint detection. As firms continue to deal with remote workforces, remotely securing people and devices remains a challenge. Zero trust is not a requirement yet, but it is only a matter of time until the approach is a standard part of every firm’s cybersecurity stack.
Steven Ryder is the chief strategy officer of Visory, which provides cybersecurity, IT management, and hosting solutions to RIAs and other wealth managers, accounting firms, and other businesses. He can be reached at firstname.lastname@example.org.
image credit: istock.com/baranozdemir