When you think about the security around your technology systems and your firm’s data, what level of confidence do you have? Are your computers protected from intruders? Is your client data safely guarded? Unfortunately, the bad guys are out there, and they are working overtime to find ways to break in and grab your precious information. Chances are your own list of security concerns covers only a small fraction of the current potential threats to your technology systems and data. You might also be surprised at how unfamiliar your staff is with security threats related to technology. For example, they might believe that if the virus software is up to date and running on their computer it will take care of everything and that there is nothing they need to worry about. We all get comfortable when we use technology every day, and we sometimes (if not often) forget or simply ignore important security best practices. Education in this area is critical, and it is important that everyone at your firm understands their role in protecting your technology systems and data.
It would be best for most advisors to hire an IT professional–someone who worries about data security 24/7–to be responsible for protecting your systems. However, not all advisors have this option. Whether you have an IT professional or not, there are a number of best practices that you and your staff should follow in order to better protect your systems and your client data. A number of the best practical steps you can take are simple and basically common sense, but they need to be adopted across an entire firm.
One of the more common security oversights with advisors and their associates is transmitting personally identifiable information through e-mail. Standard e-mail is not secure and the information transmitted can be intercepted by a hacker. This includes information in the body of an e-mail, as well as any attachments (Excel files, Word docs, PDFs, etc.). If you must send an e-mail with personally identifiable information, it is best to encrypt it and assign a password to the attached file. In regard to passwords, include numbers and letters, or unique characters to increase the security of the password. I know that many of us get frustrated trying to remember all of our passwords–and we therefore create very basic and simple ones to make it easier. However, there are a number of password recovery software programs available that essentially try different combinations over and over until the password is identified. In the very rare case that your e-mail is intercepted by a hacker, you certainly don’t want to make it easy for them by creating a password that is simple and quick to identify. The word “password” is unfortunately probably the first word that they will try, because it is the most commonly used password.
Another important security best practice is to have a strict policy that prohibits your staff from using computers that they do not own or control for accessing networks that contain confidential client information. For example, you should not use the computer provided by a hotel’s business center to access your custodian’s website. The risk is simply not worth taking that the hotel computer could contain a malware program, specifically a “keystroke logger,” that tracks every keystroke and page visited on the computer. With these programs, it is possible for a hacker to obtain your user name and password and the exact Web address that the credentials are used for. Of course, the hacker could then use this information and log in as you. This risk is magnified when you consider the number of accounts that you could have access to when using your log-in credentials on the sites that house your clients’ account information. Again, the best policy is to make sure that your staff is aware of the risks, and instruct them not to access any important sites on a computer that they don’t control. That’s why I always like to say that the best use of hotel computers is to find good restaurants, check the weather, sports scores, and confirm if your flight home is on-time.