June 5 - The most cutting-edge technology cannot contain one of the biggest cyber hacking threats on Wall Street: sloppy actions by brokers and other industry employees.
Brokerage firm workers have taped sensitive passwords to their computer monitors and stored them in binders labeled "passwords," according to officials from the Financial Industry Regulatory Authority (FINRA), Wall Street's industry-funded watchdog.
Some firms give login information to temporary workers and forget to cut them off after their assignment is complete. At the regulator's conference in May, examiners traded tales of brokerage firm behaviors they had found that could lead to security breaches.
One firm, for example, used the very-guessable "username" as the username and "password" for the password that gave access to the company's router, enabling access to the firm's sensitive data.
The problems are coming to light as major online security breaches in other industries are making Wall Street jittery and as financial services industry regulators are focusing on these issues.
Information security professionals said in an interview that Wall Street's demand for their expertise has exploded, especially among small brokerages that do not have safeguards in place. At the FINRA conference, the cyber-security session was so packed that many professionals sat on the floor.
Security breaches could trigger privacy law violations and trouble with financial regulators, which have noted a spate of breaches in other sectors and companies, including eBay Inc, Target Corp, Neiman Marcus Group LLC and other retailers.
FINRA and the U.S. Securities and Exchange Commission are looking into measures that brokerages and asset managers have put in place to safeguard against cyber attacks. On Tuesday, the top Massachusetts securities regulator announced cyber audits of state-registered financial advisers.
TRAIN, DON'T COMPLAIN
The heightened focus on cyber security is sparking change at smaller firms, which often do not have procedures or systems in place to prevent hacking, said Joseph Rivela, chief strategist for Breach Intelligence LLC, a Farmington, Connecticut information security firm. "Many firms are far behind the curve," Rivela said.
Large brokerages typically have more established procedures and technology in place to prevent hacking, Rivela said. But even their employees can be duped. For example, firms have been facing a rash of incidents in which scam artists pose as customers and make wire transfer requests. FINRA has disciplined numerous sales assistants who transferred funds without first verifying those requests with the actual customers.
Educating employees about scams is a key step, said Rocco Grillo, who heads a global information security unit at Protiviti, a division of California-based Robert Half, in an interview.
Other security threats include "phishing" emails that purport to be from clients and ask for personal data, as well as fake wireless hot spots that scam artists set up in public spaces to invade firms' systems, Grillo said.
Some companies hold employees accountable for information security breaches by withholding bonuses or even firing them, Grillo said. (Reporting by Suzanne Barlyn; Editing by Linda Stern and Steve Orlofsky)