You’re never too small for an attack

Everyone is vulnerable to cybercrime. It doesn’t matter if you’re as large-scale as an energy grid or as small as your small business – cybercrime is everywhere. It just takes one attack to harm the clients you work so hard for, put your reputation at risk, and have a ripple effect for years to come. Cybercriminals attempting to get your financial information tend to scout for entry points into the most valuable targets that they can identify. Small businesses with large available amounts of protected information and assets become prime targets.

In this episode of the LPL Share-Cast, Matt Enyedi, managing director, talks with LPL cybersecurity experts, Alex Russell and Prasoon Vidyarthi, about the real dangers of cybercrime.

They discuss how baseline level protection doesn’t account for some of the most common and aggressive strategies employed by cybercriminals today:

  • Crypto-ransomware
  • Point of entry attacks
  • Vulnerabilities in your operating system

Voice over: The latest news, updates, and insights from LPL leaders on what's happening in the industry and at the firm. This is the LPL Share-Cast.

Matt Enyedi: Hello, and thanks for tuning in to this episode of the LPL Share-Cast series. I'm Matt Enyedi, and I'm joined here today with Alex Russell and Prasoon Vidyarthi. And we're gonna be talking about something really important and near and dear to your hearts, and that's cybersecurity. The growing need to protect your data and your clients has never been greater. As we think about what's going on in the world around us, and our business here at home, it's become incredibly important for us to get better and better at protecting our data and protecting our clients. Prasoon, Alex, good to see you guys.

Alex Russell: Hey, good seeing you, Matt.

Prasoon Vidyarthi: Hey, Matt. Thanks for having us.

Matt Enyedi: Okay, so we're gonna spend some time walking through, not just what's going on, but I think also what, Alex, you talk about all the time, perceived myths that come along with data security, with cybersecurity, and maybe an unwarranted feeling of security when it actually isn't there. Does that sound like a good plan?

Alex Russell: It sounds perfect.

Matt Enyedi: Okay, cool. Now, before we do that and dive into kind of how it's kind of cybersecurity is impacting our advisors and our business, maybe we start with a lens a little bit further out, and that's looking at the world around us because it's obviously not just kind of primetime with our business, but it's truly prime time. What's going on in Ukraine, North Korea, China, the stories of cyber attacks are ever growing every day. So let's talk about the world around us. Alex, what is going on?

Alex Russell: Yeah, it is an interesting time. It's always been interesting, at least over the last 10 years, related to these nation state actors that you talked about. But now with the conflict in Ukraine, it's much more highlighted in the news as you said, and getting a lot of guidance from the federal government on what businesses should do, what they must do to protect themselves against a potential cyber attack coming from Russia. So we take a step back and we think about how Russia could maybe attack the US. It would be interesting if they, they did, it would clearly escalate our involvement in the conflict. And I don't think either side wants to do that. So as we start to think about what Russia is really kind of up to in this space, they're really looking at other countries, like other Baltic countries like Finland.

Alex Russell: President Zelensky was giving an update to the Finnish Parliament a couple weeks ago. And during that the Finnish government websites were attacked. So they're really busy trying to, you know, kind of get into NATO and look around and see what's going on, maybe trying to attack Sweden because they're wanting to join NATO. So Russia's really busy focused on other countries in the Baltic states. And when we think about China they're very sophisticated as well but not on our radar right now as much as Russia is. So kind of the framework that we look at in terms of these nation state actors and very specifically the Russia, Ukraine is about intent, opportunity, and capability. So we talked a little bit about their capability. For sure they have it, there's no question about it, or the government wouldn't be asking us to get serious about, you know, watching for an event. But when we would think about intent. What is their intent? If they were to do a cyber attack, what would that look like? Is it a disruptive or is it destructive? So it's important to think of those two. If it's just disruptive, we would act in kind. I would suspect. But if it's destructive, I think that's when there could be an escalation that both sides probably don't want. So as I think about that, Prasoon, what about opportunity? What do you think about that?

Prasoon Vidyarthi: Yeah, so, and Alex, you brought up a very good framework about intent, capability, and opportunity. And the way to think about it, these hackers, like what we see in their routine life, they're running a business and they have intent and capability, and that's why they're in this business of hacking. But opportunity is really important to look at. And why is that? Because it's oftentimes we realize that victim created an opportunity and these people harvested that opportunity. And as a business owner themselves, what they are only doing is they're looking for high value, low entry opportunity. So if there is an opportunity, they're going to exploit it. So for anyone who's looking into this space or could be a potential target, let's not create an opportunity because intent and capability exists.

Matt Enyedi: So I think what I'm hearing is there's absolutely a lot of activity with the nation states, those rogue nation states but they're probably not targeting our advisors or our businesses. However, there are a multitude of hackers who are out there who very well may be targeting our advisors, their businesses, and ultimately their clients, which I think gets us to myth number one. And myth number one is, my business is too small to be attacked. Why is that a myth?

Alex Russell: Well, I think as Prasoon was talking earlier these folks are looking for, you know, soft targets with high values. And I think when you think about an advisor practice and you compare that potentially with LPL, where LPL might have a really robust cybersecurity control environment perhaps some of our advisors are not don't have as sophistication as larger companies. So that actually makes them that soft target. And the high value, Matt, is the data that you talked about. That's the, that's what they're after, right? They're not after a stolen PC. They're after getting the data, and that's really what they can monetize. And the more of that they get the more money they can make. So I think when we start to think about what a ransomware attack might look like on an advisor, we have firsthand knowledge of what that is.

Alex Russell: In a couple of cases we had an advisor's office who did get ransomware. They were fortunate enough where they were doing backups, doing all the things that we've, you know, talked about and coached on, and they were able to recover pretty quickly. In another case, unfortunately they weren't, in fact they had to pay the ransom which was, which was unfortunate, but it did get them back up and running. It did get the data potentially off of the dark web and the monetization that they could have made on selling this large data set came in the way of paying them ransom.

Matt Enyedi: So would you say ransomware is the number one threat that our advisors face?

Alex Russell: It is. So if you, if we think about LPL geopolitically, as we were talking before, a threat to LPL from a nation state, as you said, is probably not likely. Ransomware is still our number one concern, and we put a lot of controls in place to, to guard against that. And for our advisors, again, who may not have that control environment, it's just one click, one bad click, and there's, there's trouble at the end of that click.

Matt Enyedi: So what would you say are some of the steps that advisors should and could take in order to be less likely fall victim to ransomware?

Alex Russell: I think similar stuff that we talk about a lot, and that is just be mindful of the emails that come in. There's somewhere, right, 94% of these ransomware attacks are from phishing emails. So just being aware. In fact, I got one today, humanitarian aid for Ukraine. So we're gonna see more of those, right? And it's gonna, it's gonna bait you. You know, I thought it was actually my team doing a phishing simulation. Fortunately it was not, cause that wouldn't have been right. But I hit the phishing button, it sends it, they send me a note back and said, yes, this is actually a credential harvesting piece of malware that could have been installed on your machine. So it's just one click. So be vigilant on email. Think about some next gen antivirus stuff, think about what that is, how that looks as well as just getting an incident response plan together, getting that. We have some templates for folks on Resource Center, but it's really important to kind of really stay diligent on email, look about NextGen antivirus and get some incident response plans in place.

Prasoon Vidyarthi: So and Alex, for our listeners, I really want to touch upon this NextGen antivirus because this is where we get of our second most important myth, which is antivirus protection is enough for my business. And I think what is important to understand, what is a NextGen antivirus and what is a typical antivirus. And I'll give a very simple example around it. What a typical antivirus does is it looks at all the programs that are running on a computer and looks at and reference it to a known list of potential harmful programs. So anything that's not there in the list is, is fine to run on a computer. But what a NextGen antivirus does it looks for behavioral anomalies that are detected either by humans and a combination of human intelligence and artificial intelligence. Two things are important here. Behavioral anomalies and human intelligence.

Prasoon Vidyarthi: I'll give you an example. I run my computer, I open a lot of programs, lot of files. There's no behavioral anomaly, but all of a sudden, 2:00 a.m. in the morning, my computer opens up and a lot of files, it starts opening up. That's a behavioral anomaly that artificial intelligence can detect and a human can be alerted and take preventive actions for any further cause. So, and that's where NextGen antivirus becomes very powerful and the way we think about our solutions, like we have a secure office solution and it has lot more things, but the most important things that I advise to advisors is that getting a NextGen antivirus is becoming a table stake. And that's what we need for all. So I think we do a lot of things, but NextGen antivirus is almost become a necessary.

Matt Enyedi: So just getting back to myth number two, antivirus being enough, are you saying the NextGen antivirus is what is enough?

Prasoon Vidyarthi: Not just so it is, it is the bare minimum today, but there are more things and Matt, the way we think about it, we, we create Secure Office thinking the same way. What we thought is that there is bare minimum that everyone should do the best practices, having password, having disk encryptions. Those are bare minimum. We have taken it to the next level. NextGen antivirus is the next thing that they should be. But nothing is fail proof. Things can fail. So we have taken it to a third step and how we are preventing for the failure. And how we are doing it, we take backups and in case nothing works, we have backups and also we have uplifted the errors and automation insurance. So we have really controlled the spectrum, doing absolutely necessary, having the best and best controls to prevent and detect any malicious activity. And third, if nothing works, then do we have everything backed up to resume back the advisor practice in the best in time.

Matt Enyedi: Okay. So if I understand this right, and correct me if I'm wrong because I'm clearly gonna get over my skis quickly here, but what I'm hearing you say is, look, NextGen antivirus is the next best thing you can do, but relying on your old antivirus probably isn't enough. And what you guys have developed is a program called Secure Office, which goes beyond that. And effectively what it says is no matter how well you protect, there's still possibility that something goes wrong. And that's where Secure Office comes in because it actually prepares if and when something does in fact go wrong, no matter how diligent you've been in putting the shields up around you.

Prasoon Vidyarthi: Exactly. And that's the whole point of any security framework. You prepare for all the unknowns and the knowns, but as at least have faith that if everything fails, what do we have to control for unimaginable?

Matt Enyedi: Great. What else are we doing to help advisors here?

Alex Russell: Yeah, so I'll take it. So of course we have the baseline security requirements in the box, right? So we have that. But we also have a lot of templates on the Resource Center. If you just go to the Resource Center and type information security, you'll get to our homepage. And there's just a lot of information there that I think will help advisors. We have a phishing button that we're rolling out to advisors. We have a lot of templates. We do risk assessments. We help with third party assessments as well. But I think those all are geared towards compliance. And I think keeping in the myth theme compliance is not security. And I think that's the important piece that folks forget. If you do security well, there's a really good chance you get compliance baked in, but just checking the box that you have antivirus is not enough. That's not security. So I think that's kind of from my team's perspective, is what we can offer. And I think Prasoon you all have some opportunity there too as well.

Prasoon Vidyarthi: Yeah, totally. And it's not like compliance just is the bare minimum and how we think about it, that if we are best in class on the security piece, compliance will be taken care. And we need to be ahead. Like, this is not a lagging game. We need to be ahead of others. And Matt, like we have even taken a similar approach. We have another solution called Secure Cloud because the way we think about it, advisors have the most important asset for the advisors is their data. And what we thought, why not create a solution to protect their data that is guarded and protected? And is always accessible. So what we have is a secure cloud product, which is not any typical cloud storage. What we have done is we have taken the best cloud storage solution and added at least two layers of security on top of it. The data is doubly encrypted and it has best in class data loss prevention tools on top of it, which are not commonly available anywhere. You can't go and get it out of the shelf because you have to have an enterprise mechanism to put those controls and procedures on top of the data. So the way we are thinking about it, we are protecting the computers and we are protecting the data.

Matt Enyedi: So if I think about this as a progression, it goes from effectively doing nothing to being compliant, to having a really kind of NextGen antivirus to then even moving further leveraging a tool like Secure Cloud or Secure Office. But not to worry gentlemen, because I don't have to think about anything, any of those things because I have an IT provider. Just kidding. That's myth number three. Help us through myth number three, which is I got an IT provider, everything's cool.

Alex Russell: Yeah. So we also see this as well, when we were traveling and getting on site and we would show up at an office, we would see the IT provider come in and they would meet with us as we're doing the assessment, and we would understand their capabilities. And when we would talk with them, we would quickly understand that their capability was really in fixing hardware and fixing software. Their capability related to security was very minimal. And they weren't, you know, as robust in that area as we thought they should be. So when you're thinking about an IT provider, we highly recommend that you interview them about how robust their cybersecurity programs are. And if you're not comfortable with that, for sure, reach out to my team. We'd love to sit down on those calls and help you get the right questions answered the right way so that you can make an educated decision on whether or not that's the right IT provider for you. But we're also seeing in the market too, is some niche organizations who are thinking about just being cybersecurity providers and breaking away from supporting hardware and software because that's a niche that of course we're talking about it, that we're seeing in the market that's needed.

Matt Enyedi: Yeah. So it's becoming such a big part of what our, what small businesses and large businesses alike are facing that it's becoming its own standalone business now. It is not bundled into IT. And I think that's pretty cool what you're saying, Alex, is if folks are interviewing someone to help them, they wanna have their own onsite or kind of personal IT support, we'll help 'em make sure they're making a good choice.

Alex Russell: Absolutely.

Prasoon Vidyarthi: And Matt, just to add onto that point, what happens here is that this is a very common myth when you think about it. They are computers. So computers, IT security goes all together, but when you think deeply to it, IT and security, they have conflicting priorities. IT's for the convenience and security is not always convenient. And oftentimes the things and the procedures adopted for convenience make the system unsecure. And we see it every time. We implement our tools. And what we find is that IT has created unintentionally some gaps in the security system. So having someone who can very well think about security is very critical.

Matt Enyedi: Yep. So kind of takes us through the big three myths. I think there's definitely a challenge in front of our advisors, but I think there are many ways to solve it. Maybe I just ask both you as kind of wrapping things up, like, Alex, what would you advise our advisors to do and make sure that they're not leaving out of, you know, they're running, running a great business, they're helping their clients every single day. They have such a critical role in the foundation of America, quite honestly. How do we help protect them?

Alex Russell: Yeah, I think first and foremost is go to the Resource Center. There are a lot of tools that we've put out there, a lot of tips and tricks. More importantly, our email address is there, right? A phone number we actually have for advisor security, a phone number that they can dial gets directly through the IVR right to one of our agents' desks. And within an hour, if we're not there, we'll call you back and start to understand what your problems are and how we could help. So I think first and foremost, it's that and really use us to to help better your practice in this space, because as great as these folks are at financial planning, they may not be as good in cybersecurity. And that's where my team comes in.

Matt Enyedi: And Prasoon, your team has done a wonderful job of extending the work that Alex and his team have done and create some really, I think, outstanding premium services across Secure Office, Secure Cloud. How do folks engage with you and your team?

Prasoon Vidyarthi: The best way is go to the LPL Business Solutions website which is LPLBusinessSolutions.com. And in fact, we are also doing that same approach. We have recently published a blog on how advisors need to level up their IT security, and advisors can visit that, or they can reach out to us at LPL Business Solutions, and we are happy to help.

Matt Enyedi: Perfect. So what I've learned today - A: Prasoon and Alex are much smarter than I am. B: Your business isn't too small to be attacked. C: Antivirus protection is not enough. D: IT support isn't security. And E: It's highly unlikely that Russia is coming for me, but somebody else is.

Alex Russell: I think you nailed it.

Matt Enyedi: Nice. Hey gentlemen, thank you so much for joining us today. Appreciate everything shared and folks out there, if you get a chance, please check us out either on the Resource Center or at LPLBusinessSolutions.com. We are really looking forward to helping you run a secure, compliant, and safe practice for you and your clients ultimately, so you can deliver fantastic financial advice to them. Gentlemen, have a great day.

Voice over: This podcast is for financial professional use only and not for distribution.

Could your business be next?

Defend yourself against cybercrime and compliance breaches with enterprise-level systems that actively hunt for attacks and resolve them on the spot. This can potentially save you time, investment, and avoid costly downtime. Not to mention, it can mitigate reputational risk and protect the private information of your clients.



Disclosures: The views and opinions expressed by the LPL Financial representative(s) are not indicative of future performance or success. LPL Financial cannot be held responsible for any direct or incidental loss incurred by applying any of the information offered.

Tracking # 1-05272123
