October 11, 2010

At FPA Denver, How to Protect Client Information From Hackers

Outlines threats, best practices to protect firms

Matthew Sarrel, executive director of the Sarrel Group, addressed attendees at the Financial Planning Association's annual conference on Monday, stressing that no single line of defense is sufficient to block threats to advisors' sensitive data. Web-based "blended attacks," in which hackers target users, networks, operating systems and browsers at once, are increasing, he said.

"The bad guys are getting smarter. No one product can stop a threat," he suggested. To counter these multi-level threats, advisors need to implement "active protection," which uses software with behavior-based scanning on processes as they occur. Advisors need to use a combination of firewalls, including network and software firewalls, and anti-virus software. He cautioned advisors not to overlook physical security.

"If you can't secure an area," he warned, "don't leave data there. Store all data on the server, not on the workstation." He suggested advisors maintain a database of physical assets, including the manufacturer, model number and serial number.

Sarrel noted that in the past it was easy to see when a computer was infected with a virus. Not so today. "It used to be an ego thing," he told the audience. But now, "this is big business, and it's in their best interest for you not to know."

Sarrel noted an April 2010 survey from the Ponemon Institute, an information security research firm, which found the cost of a data breach to be over $6 million. The direct costs, such as complying with notification laws or setting up hotlines to address client concerns, are expensive, but, as Sarrel noted, the indirect costs of loss of trust and reputation are a "greater cost to people here than to, say, a big bank."

Advisors who use wireless networks need to make sure their SSID is either nondescript or not broadcast at all. Furthermore, the signal should be encrypted with WPA2 or WPA. WEP encryption, Sarrel said, is "barely acceptable."

It's also important for advisors to implement protections against threats from their own staff. Sarrel cited a CSI/FBI survey that found 80% of breaches can be traced back to someone within the company, whether through accidental loss of data or malicious attacks.

Sarrel addressed the difference between technology solutions designed for businesses and those designed for consumers. While advisors with small practices may be tempted to save money on consumer products, Sarrel suggested any firm with more than five employees seriously consider business solutions. While more expensive, these programs allow security to be centrally managed, and require no user interaction. They also provide centralized reporting, with more detail than is available in consumer products, as well as guaranteed support, which is not always available on cheaper products.
