In this episode of ‘Conversations on Wealth’, host Sarah Widmeyer speaks with Scott Stennett, SVP & Chief Operating Officer at Richardson Wealth, about cybersecurity and the importance of taking significant security measures to protect your finances from cyber threats as our lives move more and more online.
Sarah Widmeyer 0:16
Welcome to ‘Conversations on Wealth’, a podcast dedicated to helping Canadians navigate the complexities of wealth with a multi-dimensional approach to planning and wealth management. I’m Sarah Widmeyer, SVP and head of wealth strategies at Richardson Wealth. Joining me today is my colleague Scott Stennett, SVP and Chief Operating Officer at our firm. Welcome, Scott.
Scott Stennett 0:39
Thanks for having me.
Sarah Widmeyer 0:40
Great to see you today. So, Scott, we’ve had this conversation before, we’ve talked about cybersecurity. It’s an important topic that is a deep concern for many individuals, especially when it comes to our financial and personal security online. We do everything online these days. During the COVID pandemic, many of us became even more reliant on online services, living our lives, it would seem, through the computer. We often hear in the news the reality of cyber threats and the effects this has had on companies and individuals alike. I know that at Richardson Wealth, we understand these risks, and are extremely diligent and proactive to protect our operations, as well as helping our clients avoid online risks. We take personal security very seriously. So Scott, perhaps we start with your view on cybersecurity, and the exponential growth in phishing attacks and similar malware attempts.
Scott Stennett 1:42
Well, Sarah, you’re correct that this continues to be a real concern for all folks, whether you’re Canadian, American, or anywhere worldwide; this isn’t a geographically specific issue. It’s a worldwide issue. So we’re not alone in that regard. COVID really turned the dial up on how many attempts are being made against vulnerable individuals, or just individuals in general. People were frankly ripe for the picking when COVID put us all into work-from-home environments; it made it a lot more accessible for bad actors to send emails to individuals who may not be in a corporate office environment where they could ask for help more readily. And we see that there are many more compromises happening, which also leads to a lot more money flowing from the pockets of innocent victims to bad actors, in the form of paying for ransomware or similar. So at a very high level, I would simply say that the attempts to compromise individuals have climbed exponentially. Various statistics are quoted by multiple publications, but they deem that it’s possibly in and around a 400% increase over the last couple of years. So the pandemic has certainly heightened this whole incident.
Sarah Widmeyer 2:49
I almost even think that’s probably understated. Because always, even on my own device, I noticed I got these texts from TD, and I don’t have a bank account at TD, saying, you know, my security code has been compromised, and, you know, weird emails saying redeem your gift card here. It certainly has increased and I think you have to be constantly diligent and constantly aware.
Scott Stennett 3:14
Yeah, in fact, even on my drive in today, on the radio, they were commenting on how the City of Toronto does not use email or text messages to advise people of parking tickets. And that was just pure coincidence that I knew we were going to be having this chat today. And on the radio, they were warning people because there’s apparently a large-scale attack going after individuals in the GTA or Greater Toronto Area, suggesting that you click here to pay your parking ticket, and innocent people are clicking and feeling it must be legitimate. And they’re sending money, not to the city, actually, but to bad actors. And that’s just this morning.
Sarah Widmeyer 3:51
So what advice, what precautions, would you tell us to take when we are online or reading email?
Scott Stennett 3:58
Yeah, there’s definitely some really easy things we can do. You know, there’s lots of complicated things. But I find that going down any complicated rabbit hole means that it never gets followed, it never gets done. So if you keep it simple, and you alluded to getting an email from a place that you don’t normally do business with, that’s a great example of a telltale sign. That’s one of the first things we tell people: if you don’t recognize that sender, or you don’t have a business relationship with the organization that seems to be branded behind that email, immediately take note. Another thing that’s commonly done is bad actors make the email look like a legitimate note from somebody else. Yeah. But if you look closely at the exact email address that was used to send you the note, it’ll often be something very garbled, possibly from a Gmail account. Definitely not from, let’s say, one of the Canadian banks. Yeah. And so with a quick scrutiny, you can say, you know what, this doesn’t look legitimate. When in doubt, never open it. Another great example is, most reputable organizations would not send you anything that would require you to log in or ask for your user credentials. A lot of what people are trying to do with phishing emails is get you to share your login and password for something. And then they’re going to use that login and password and try and break into all sorts of other accounts you might have. So be very vigilant, take the extra attention and care to look at email that looks suspicious, verify who actually sent it. And if in doubt, simply don’t open it or don’t click on it. So if there’s an attachment, don’t open it. If there’s a link, don’t click on it. If the organization wanted you or needed you badly enough, they’re going to call you back or send you another note.
Sarah Widmeyer 5:36
So the garbled email address is the piece of advice that I’ve gotten from you that I’ve used the most, personally and professionally. Looking at that. I think that’s the best piece of advice, because, as you said, like even with the City of Toronto email, it would seem plausible to me that okay, yeah, no, I got a ticket. Okay. Yeah. Okay, now I need to pay it online. But you need to check the email address. So I’m sure the email address was one of those garbled kind of UX sell.ca dot something. I have a follow-up question then. So if I do get that City of Toronto email, for example, and I open it, have I now exposed my system to bad actors? Or is it clicking on something embedded that does that?
Scott Stennett 6:30
Great question. So opening an email by itself is generally innocuous, meaning it wouldn’t put you at risk. Okay, it’s attachments that might be connected to the email, because within an attachment, there might be a virus. And there’s the links that are often accompanying some of those emails, like a URL hyperlink that takes you to a site. It may have embedded malware in that link, but more likely than not the link is taking you somewhere to try and steal your login credentials. So the email itself is okay. It’s when you go into it. So you still get a chance to review it, look at it, check the email sender and say, you know what, this doesn’t look legit pocket. But if it looks legit, and there’s attachments, I’d still second-guess that; reputable organizations generally wouldn’t send you that. But so long as you’re aware that you have a relationship, let’s say, with such and such a firm, it’s not unusual for them to send you a statement, let’s say, fair game to go ahead and open it.
Sarah Widmeyer 7:26
Okay. Perfect. Okay, because I was sitting here starting to panic, because I opened up a Costco email last night, and it wasn’t Costco, and I’m thinking, oh, my gosh. Okay. So moving on, then, many online services now use something called multi-factor authentication, or two-step verification. What is it? And why is that important? It seems awfully annoying.
Scott Stennett 7:48
You know, there’s no easy way sometimes around protecting yourself. The silver bullet answer to have it work easily, unfortunately, hasn’t yet been found. I will, though, say that, segueing a bit into the multi-factor authentication question, more and more firms such as Microsoft and Apple are going after biometrics. So anyone that’s using a modern-day Apple phone would probably be using the facial recognition to unlock their phone. And that takes away a whole need to have a login and password that could be exposed through some of these phishing schemes we’ve talked about. Similarly, Windows uses Hello. So you can use facial recognition if you have a supported camera. And that’s likely going to be a growth field for a lot of our personal devices, meaning that instead of passwords, we’ll be starting to rely more on biometrics or things like facial recognition and fingerprints. That’s going to help, but in the meantime, until some of those things become more mainstream across all sorts of applications, multi-factor or two-step verification is something you have and something you know. And it’s very similar to how a bank card works. When you’re at an ATM machine, the something you have is the bank card itself; you insert the bank card in the machine and you have a PIN to unlock it. So the have is the card and the know is the PIN. In multi-factor authentication, you would log in with a login and password and then you would be prompted to enter a PIN that comes from something else, generally an application on your phone. It’s considered a gold standard, because for a bad actor to now get into your account, they wouldn’t just have to have your login and password, they’d also have had to have stolen your phone, and having the ability to unlock your phone with your facial recognition would be very challenging in order to get it. And so it’s an extra precaution to get in that front door.
Sarah Widmeyer 9:31
Okay. Okay. So that’s both scary and reassuring, all at the same time. So let’s now talk about protecting our financial dealings here at the firm. I know we’ve invested a lot of energy and, frankly, money into safeguarding our clients’ wealth in terms of our protocols and in terms of our firewalls and things that we’ve put up. So can you talk briefly, then, about what your team does to boost cybersecurity across our firm?
Scott Stennett 10:03
Yes, it’s something that I would suggest all industries, but particularly ours, the financial services sector, is seeing continuous and increasing investment in: cyber resilience and cyber protection. We tend to be a vulnerable sector; bad actors like to go after financial services for the relatively obvious reason that this is where cash flow happens. And so it’s an easy way to perhaps get access to money, which is their ultimate objective. We have a very robust and multifaceted what we call perimeter defense. So the ring fence we put around our organization is extremely resilient. And one of the newer examples of what we’ve deployed is a form of advanced analytics that looks for anomalous behaviors. And I’ll give you a for example: just literally, within the last week, we had a case where one of our advisors’ online mail accounts was being attempted to be logged in by somebody. The geo code, or the geographic location of that individual attempt, was coming from somewhere overseas. Okay, our system knew that within the last few hours, that same individual had logged in from Ontario. So the system’s very smart. It’s like artificial intelligence; it starts to go, well, wait a minute, you couldn’t possibly have been in Ontario, and then two hours later be in Bogota. So it generates a red flag saying, there’s an anomalous behavior that does not jive with how past behaviors have been done for this person. Do you want to shut the account down? And then our cyber staff would shut that account down, reach out to the individual, verify, hey, by chance, did you just take a supersonic jet across the world? Find out they didn’t and say, okay, well, somebody’s trying to hack your account. So we changed their password, hardened the password and moved on. So we’ve got some really interesting and very robust defenses. That has worked for us because we actually, to this day, still have not had a corporate breach that’s put any of our overall client information at risk. Yeah.
Where we, and most firms, I would suggest, still struggle is back down to the human factor. It’s not the technologies, it’s not all the investments you can make. It’s the behaviors, similar to our opening comments around just paying attention and being vigilant. You likely wouldn’t leave your front door unlocked, especially if you saw a lot of people you’ve never seen before walking around your neighborhood and suspiciously staring or maybe taking pictures of your house. You’d probably go, you know what, that’s suspicious, I’m going to be a little bit more careful. Ironically, we don’t do those same things when it comes to just something as simple as double-checking an email. And that’s the kind of vigilance we’re talking about. Take that extra 30 seconds.
Sarah Widmeyer 12:33
Yeah, I think that’s, like I said, the best piece of advice, just looking at that email address from the sender. And sometimes, you know, with Windows, it wraps up the name, so you actually don’t see it. And sometimes you have to, like, expand on the address so that you can see actually what the full address of that sender is. But it’s fascinating to me that there’s a geo code. So being a complete, you know, innocent in this, it’s fascinating that you can see that geo code.
Scott Stennett 13:02
Yeah, we find that that’s a lot of how we establish in advance that something suspicious is going on. The location of where that web browser or that individual was coming from, trying to access our systems, tells us a lot and gives us a leg up, because most of the attacks are coming from outside of Canada. For us, at least.
Sarah Widmeyer 13:22
Okay, so I’m gonna switch gears now on you. Let’s talk about something brighter and happier. Can you expand? Because I know you’re so busy working on this, can you expand on how we at Richardson Wealth are attempting to make our clients lives easier through innovative technologies?
Scott Stennett 13:41
Yeah, and I would answer this twofold. First, I would say that we’re under a massive transformation commencing this year across our whole organization, and Sarah, I know you’re well involved in your own deployments of some really sophisticated and new technologies. Our whole firm is on a mission to rebaseline and set the foundation for very aggressive and continuous improvements in our digital tool sets. For this year, my comment would be that out of respect for the fact that we believe advice matters, and we want our advisors to be able to spend the maximum amount of time with their end clients, we’re focusing on immediately offering them efficiencies in this first release so that they can unencumber themselves from manual processes and use digital technologies like digital signatures, so that they have more hours in the day to serve our valued clients. There’s so much opportunity to continue to engage with clients. We know our clients have sophisticated and complex needs. So this year is going to be a year of trying to make that time more available to our advisory communities, and then going into the next fiscal year and beyond, you can expect to see our online experience expand for clients. I think we’ve got some great ideas of how to bring the financial planning information or portfolio information or performance information into a portal that continues to be secure, because we’re talking about cyber, that continues to be secure, but also allows them to do business on their terms. So if it’s about reporting or tracking your progress against goals, our overall opinion would be clients deserve to be able to do business when and where and how they want, right? Not disintermediating the advice from advisors, just giving them the authority and the empowerment to go and see information perhaps at 10 o’clock at night, because that’s when it’s convenient for them. So we’ll continue to make that an improved opportunity for our clients.
And hopefully, that will allow again that relationship with advisor and client to really focus on what matters, not on administration.
Sarah Widmeyer 15:39
Yeah, love that.
Sarah Widmeyer 15:51
Before we close out this conversation, which I find absolutely fascinating, and I could hold you here for another hour, I’m sure our listeners would love that too. What are some key takeaways that you’d like to impart?
Scott Stennett 16:05
Certainly, we’ve talked a lot about making sure that you’re paying careful attention to mail that’s coming in, especially suspicious-looking mail; it’s just the easiest way that people are falling victim. And that’s why the mail factor comes up all the time. Another thing that people can do is make sure you’re locking all your devices. It still shocks me to find that some people feel that the inconvenience of having to unlock their phone is more important than having the security of their phone held behind a facial recognition or a PIN number. Because they’re optional. You don’t have to lock your devices. But if you ever leave it at a coffee shop, there’s so much vulnerable information on there. So always have your devices locked. And my favorite, in a way, of all, and I’ve talked about this on our prior podcast, is the password itself. Yeah, it is one of the most important parts in a traditional login-password combination. The password, it’s all about the length. It’s about how long and how many characters, not about special characters and some of those other things. It’s just a mathematical equation at the end of the day. So we believe in passphrases. And so instead of, you know, welcome 01, because that happens to be one of the most commonly used passwords, you want to do something like my second child’s middle name is Bob. Yeah. And it actually is easier to remember a phrase that you reuse time and again, but that is 10,000 times harder to crack. Yeah, welcome 01. So in your important sites, consider passphrases, which is a longer multi-word phrase; you could even use an uppercase at the beginning and a period at the end and make it a whole sentence. So there’s another easy example of how to go through your sites and update your passwords to something that would be considered, you know, very strong.
Sarah Widmeyer 17:47
Okay, so I have one last question for you. So you know, when Apple says use this password, and it’s like 16 letters and numbers of gobbledygook, or it says Create Your Own, do you suggest using a strong password that Apple generates for you?
Scott Stennett 18:03
My personal advice is that people will find that they’re having to go in and reset their passwords too often, because it is such a random string of characters that if you don’t remember it, or don’t write it down, you’ll never recall it, and the last thing you want to do, in essence, is write down passwords. Also, another way a lot of people get hacked is if someone gets onto your computer files, and you do write all this stuff down somewhere or save it somewhere on your PC, then it’s vulnerable. So I would still like the notion of something that really is personal to you that you remember, and it’ll be easier for you to always reuse that password versus having all these random strings of weird characters, and mathematically, they’re the same strength.
Sarah Widmeyer 18:41
Okay. Okay. Very good. Well, thank you so much. At Richardson Wealth, we believe in protecting your information and your assets. In fact, it’s our top priority. That’s why we continually improve our security safeguards, so we can always stay one step ahead of cyber threats. And, as Scott said, bad actors. We know that cybersecurity is a critical component of our trusted relationship with our clients, and we’re dedicated to protecting that trust. If you have any questions regarding cybersecurity, please reach out to your advisor. ‘Conversations on Wealth’ is available wherever you get your podcasts. Remember to follow us on LinkedIn or Facebook for the latest on wealth strategies. Thank you all for listening, and join me again next time.