From the October 2010 issue of Investment Advisor

Four Security Best Practices That All Advisors Should Implement

Common sense security will make your firm a tough target for hackers

When you think about the security around your technology systems and your firm's data, what level of confidence do you have? Are your computers protected from intruders? Is your client data safely guarded? Unfortunately, the bad guys are out there, and they are working overtime to find ways to break in and grab your precious information. Chances are your own list of security concerns covers only a small fraction of the current potential threats to your technology systems and data. You might also be surprised at how unfamiliar your staff is with security threats related to technology. For example, they might believe that if the virus software is up to date and running on their computer it will take care of everything and that there is nothing they need to worry about. We all get comfortable when we use technology every day, and we sometimes (if not often) forget or simply ignore important security best practices. Education in this area is critical, and it is important that everyone at your firm understands their role in protecting your technology systems and data.

It would be best for most advisors to hire an IT professional--someone who worries about data security 24/7--to be responsible for protecting your systems. However, not all advisors have this option. Whether you have an IT professional or not, there are a number of best practices that you and your staff should follow in order to better protect your systems and your client data. A number of the best practical steps you can take are simple and basically common sense, but they need to be adopted across an entire firm.

One of the more common security oversights among advisors and their associates is transmitting personally identifiable information through e-mail. Standard e-mail is not secure, and the information transmitted can be intercepted by a hacker. This includes information in the body of an e-mail as well as any attachments (Excel files, Word docs, PDFs, etc.). If you must send an e-mail with personally identifiable information, it is best to encrypt it and assign a password to the attached file. In regard to passwords, include numbers and letters, or special characters, to increase the strength of the password. I know that many of us get frustrated trying to remember all of our passwords--and we therefore create very basic and simple ones to make it easier. However, there are a number of password recovery software programs available that essentially try different combinations over and over until the password is identified. In the very rare case that your e-mail is intercepted by a hacker, you certainly don't want to make it easy for them by creating a password that is simple and quick to identify. The word "password" is unfortunately probably the first word that they will try, because it is the most commonly used password.
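To make the password advice above concrete, here is an added example (not code from the article or from Investment Advisor) of a small password policy check of the kind a firm could apply before a password is assigned to an attachment. The minimum length of 12, the short deny-list of common passwords and the symbol-alphabet size are all assumed values chosen for illustration; a real deployment would load a full list of known-compromised passwords. The `guesses_to_exhaust` function shows why "password" is a poor choice: a trial-and-error recovery tool that knows the password uses only lowercase letters has far fewer combinations to try than one facing mixed letters, digits and symbols.

```python
"""Password policy check for passwords placed on e-mail attachments.

Added example; the policy values below are assumptions, not the article's.
"""
import string

# Constructed deny-list of the most commonly used passwords. A real
# deployment would load a large list of known-compromised passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12  # assumed policy minimum

# Size of each character class; 33 is the count of printable ASCII symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def character_classes(pw):
    """Return the set of character classes the password draws from."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def guesses_to_exhaust(pw):
    """Worst-case number of guesses for a password of this shape:
    (alphabet size) ** (length), where the alphabet is the union of the
    classes actually used. Mixing classes and adding length both raise it."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return alphabet ** len(pw)


def check_password(pw):
    """Return (ok, problems); problems lists every policy rule violated."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(pw)
    if not ({"lower", "upper"} & classes):
        problems.append("no letters")
    if "digit" not in classes:
        problems.append("no digits")
    if "symbol" not in classes:
        problems.append("no special characters")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3xample!"):
        ok, why = check_password(candidate)
        print(candidate, "ok" if ok else "rejected", why, guesses_to_exhaust(candidate))
```

The check is deliberately deny-by-default: a password passes only when none of the rules fire, and the deny-list comparison is case-insensitive so "Password" is rejected along with "password".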


Another important security best practice is to have a strict policy that prohibits your staff from using computers that they do not own or control for accessing networks that contain confidential client information. For example, you should not use the computer provided by a hotel's business center to access your custodian's website. The risk that the hotel computer could contain a malware program, specifically a "keystroke logger" that records every keystroke and page visited on the computer, is simply not worth taking. With these programs, it is possible for a hacker to obtain your user name and password and the exact Web address that the credentials are used for. Of course, the hacker could then use this information and log in as you. This risk is magnified when you consider the number of accounts that you could have access to when using your log-in credentials on the sites that house your clients' account information. Again, the best policy is to make sure that your staff is aware of the risks, and instruct them not to access any important sites on a computer that they don't control. That's why I always like to say that the best use of hotel computers is to find good restaurants, check the weather and sports scores, and confirm that your flight home is on time.

As you read this article, do you know the level of access each member of your firm has to your technology systems, as well as to the external technology systems used by your firm? As firms add new employees, the tendency is to give each associate the same level of access. However, the security best practice is to give each associate only the level of access that they truly require for their position. As an example, the associates who are responsible for trading at your firm should be the only ones who have the ability to place trades with their log-in credentials. The other associates should simply not have trading as an option when they log in. Additional examples along this vein include money movement requests (requesting checks, wires, etc.), management fee processing, and even which accounts an associate can view.

It is worth the initial time to set up different access profiles in order to better control and further secure your firm's client information. Make sure that you have a well-defined process to disable an associate's access when they are no longer employed by the firm. This process should be implemented on the same day that the associate leaves the firm.
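The access-profile and same-day offboarding practice described in the two paragraphs above can be expressed as a small role-based access model. The following is an added example, not code from the article or from any custodian or portfolio system; the role names, permission names, staff records and account numbers are all constructed for illustration. Each profile grants only the activities the article lists for that position, every check is deny-by-default, and offboarding disables the record (rather than deleting it) so the audit trail still resolves the username afterward.

```python
"""Least-privilege access profiles with same-day offboarding.

Added example; roles, permissions and staff records are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Each profile grants only what that position needs; nobody gets everything.
ROLE_PROFILES = {
    "trader": {"view_accounts", "place_trades"},
    "operations": {"view_accounts", "request_money_movement",
                   "process_management_fees"},
    "client_service": {"view_accounts"},
    "administrator": {"manage_users"},
}


@dataclass
class Associate:
    username: str
    role: str
    # Optional restriction on which client accounts are visible (None = all).
    allowed_accounts: Optional[FrozenSet[str]] = None
    disabled_on: Optional[date] = None


class AccessControl:
    def __init__(self):
        self.associates: Dict[str, Associate] = {}
        self.audit_log: List[str] = []

    def add_associate(self, username, role, allowed_accounts=None):
        if role not in ROLE_PROFILES:
            raise ValueError(f"unknown role {role!r}")
        self.associates[username] = Associate(username, role, allowed_accounts)
        self.audit_log.append(f"add {username} role={role}")

    def permissions_for(self, username):
        """Unknown or departed associates hold no permissions at all."""
        a = self.associates.get(username)
        if a is None or a.disabled_on is not None:
            return set()
        return set(ROLE_PROFILES[a.role])

    def is_allowed(self, username, action, account=None):
        """Deny by default: allow only when the role holds the permission and
        the account, if given, is inside the associate's allowed set."""
        if action not in self.permissions_for(username):
            self.audit_log.append(f"deny {username} {action} account={account}")
            return False
        a = self.associates[username]
        if (account is not None and a.allowed_accounts is not None
                and account not in a.allowed_accounts):
            self.audit_log.append(f"deny {username} {action} account={account}")
            return False
        self.audit_log.append(f"allow {username} {action} account={account}")
        return True

    def offboard(self, username, leaving_date=None):
        """Disable access on the day the associate leaves. The record is kept,
        not deleted, so earlier audit entries still resolve the username."""
        a = self.associates[username]
        a.disabled_on = leaving_date or date.today()
        self.audit_log.append(f"disable {username} on {a.disabled_on}")


def demo():
    """Walk through the cases from the article and return the decisions."""
    ac = AccessControl()
    ac.add_associate("alice", "trader")
    ac.add_associate("bob", "client_service",
                     allowed_accounts=frozenset({"ACC-100", "ACC-101"}))
    results = {
        "alice_trades": ac.is_allowed("alice", "place_trades", "ACC-100"),
        "bob_trades": ac.is_allowed("bob", "place_trades", "ACC-100"),
        "bob_views_own": ac.is_allowed("bob", "view_accounts", "ACC-100"),
        "bob_views_other": ac.is_allowed("bob", "view_accounts", "ACC-999"),
    }
    ac.offboard("alice", date(2010, 10, 1))  # constructed leaving date
    results["alice_after_leaving"] = ac.is_allowed("alice", "place_trades", "ACC-100")
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(case, "allow" if decision else "deny")
```

Two design choices carry the article's point: permissions come from the role rather than from the person, so a new hire receives only the profile for the position, and the audit log records every denied request, which is what lets a firm notice an associate attempting an activity outside their profile.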


Another key security practice for your firm revolves around understanding how your systems are protected from virus attacks. Everyone at your firm must understand what virus software is installed on the computers they use and how the software behaves. One of the easiest ways for a hacker to infect your systems is through a counterfeit "alert" message. What generally happens is this: While you are navigating the Internet a pop-up message appears on your screen and says, "Warning! Your computer is infected by a virus. Click here to correct." Then, when you click on the "OK" button, instead of solving the problem, you are actually downloading the virus. But if your staff is familiar with the way your virus software works, they will know that the fraudulent alert message is very different from the one they would receive from the real anti-virus program. You might hope that your anti-virus software would alert the user of the potential threat, but there is no guarantee. Unfortunately, it is very difficult for anti-virus programs to remain up-to-date with the latest information on all potential virus attacks. Anti-virus programs are constantly being updated, but the challenge is keeping up with the introduction of new viruses. Therefore, instruct your staff to be suspicious, and to become familiar with the anti-virus program operating on their computer, especially the alert messages.

Overall, following security best practices needs to be part of the DNA of your firm. It is important that your staff does not have the false impression that technology security is not one of their job responsibilities. Or, perhaps worse, that they think nothing bad will happen to your firm, so they don't take your security admonitions seriously. Therefore, you must make security procedures a part of your regular training, and practice them until they become habits. Security problems by themselves can create a tremendous amount of work, and of course they carry potential financial and reputational risk, as well. Therefore, it is worth the effort to ensure that your firm is doing everything possible to protect your clients and your overall business. It is an ongoing challenge, and unfortunately there is no silver bullet to prevent every attack, whether it be a virus or another type of security breach. At a minimum, implementing common sense security practices will assist in making sure that your firm is not an easy target.
