Proactive Wake-Up

Mark Berman
Published in Think|Stack
Dec 14, 2017

I spoke to a wealth management client last night. They have been a long-time client and incredibly loyal. Lately, in the wake of the Equifax breach, there has been an increased awareness and concern about cybersecurity. Now, mind you, in every previous discussion cybersecurity meant essentially buying something that worked in the background, but if it cost too much or slowed down the user then it was out. “We are so small that we aren’t really a target.”

In the wake of Equifax, they called a few months ago and asked, “How can we know that we are ready?” The answer was: get a Penetration Test. A Pen Test is where a “white-hat” hacker is paid to try to penetrate a network and show how a malicious hacker could do it. So, off the client went to get a Pen Test (a service that we don’t provide).

The result was two proposals, both oddly for $8,000. They included a Pen Test and regular vulnerability scanning (a service we do offer that scans a network for known vulnerabilities that a hacker can find on the internet). A conversation ensued. “Which should we buy?”

Well, the conversation led to a solid talk about what data they are trying to protect and the realization that all of that data was held on 3 websites and not on the client’s network at all. Should we do a pen test of the web services that hold the data? Don’t those services already have that? What is our responsibility?

The conclusion was that what really mattered was the usernames and passwords to those websites, as well as the temporary files that may be a copy of the website data on local computers. MFA (Multi-Factor Authentication), which had seemed like an annoying slow-down, turned out to be the key to making sure the person using a website or computer was truly the expected and authorized person. A pen test was meaningless, and a vulnerability scan would only show the patching state of the computers and the basics like antivirus. What was needed was thoughtful use of MFA and encryption of passwords that would slow users down a bit, but remind them of their mission of protecting client financial data every single day.

The client then asked, “Why didn’t you tell me about this before?” I thought about saying, “You didn’t seem interested in anything that would slow you down.” Instead, I realized that proactive isn’t just a term or a list of services. It is a way of life.

Founder of FutureFeed.co. The most complete and efficient, strategic compliance platform.