Cybersecurity should be on every advisor’s mind. The unfortunate byproduct of advances in technology is that cybercriminals have new opportunities to commit their crimes. Some cyberattacks are very sophisticated, but many are still fairly basic attempts where, with 20/20 hindsight, you can clearly see how you could have better protected your firm and your clients. So how do you ensure that your firm is on guard for the cybersecurity battle before an event?
If the responsibility for your firm’s overall cybersecurity efforts resides with the IT company that supports your firm, you need to rethink your approach. Your IT provider can never be close enough to the business to be the primary leader of your cybersecurity efforts. Your IT provider may fulfill a significant role in cybersecurity, but you should have someone on staff to lead your cybersecurity program. This individual needs to be committed and passionate about serving in this role. It can’t be a “when I have time” type of job. Staying on top of the latest cyberattack news and sharing this information with your firm’s employees requires consistent effort and focused time. It is very unlikely that your firm will be the first victim of any specific type of cyberattack. Awareness is one of your first lines of defense.
It is probably a safe assumption that you know who has keys to your house or the code to your security system. Do you have the same level of knowledge of your IT systems and network? For example, who is allowed to log in to your network remotely? Ideally, the remote group should be a select group of employees. The more remote employees you have, the more attention this area requires.
Furthermore, your firewall should produce audit reports that detail when and how often certain users are logged in to your network. This is critical information, especially if it identifies unusual activity.
Another important area includes the permissions employees have on your network and on their own computers. Do they have administrator access? If they do, it means they or anyone who gains access to their computer can essentially do whatever they want on the computer and possibly on your network. Be sure there are some levels of controls in place.
Another critical defense against cyberattacks is being on guard and suspicious of any email that doesn’t appear right. We are all well aware of cyberattacks that use email spoofs from a variety of domain names. Cybercriminals know they are more successful when they use an address that is familiar to their victim. The challenge here is making sure your employees understand that a domain name in an email may look as though it is from a familiar source or even your own email network. Every single email that includes an attachment or link — regardless of the source — requires thorough evaluation prior to clicking the link or opening the attachment. I know that you have heard this before, but unfortunately, successful spoofing attacks still occur every day. If that happens to you, your next best defense is your anti-virus software, so be sure it is up to date.
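One defensive check that follows from the advice above, added here as an illustration and not code from the article or any named product: classify a message's From domain against the firm's own and partner domains, treat an exact match as trusted only when the SPF/DKIM/DMARC check passed, and flag near-misses such as swapped characters, one-letter edits, or the firm's domain buried as the prefix of a longer one. The trusted domains and sample headers are constructed for this example.

```python
import re
TRUSTED_DOMAINS = {"example-advisors.com", "custodian-example.com"}  # assumed
# Substitutions that make a domain read like another one at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def edit_distance(a, b):
    # Levenshtein distance: single-character edits needed to turn a into b.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold_homoglyphs(domain):
    # Undo the common look-alike substitutions before comparing.
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain

def sender_domain(header_from):
    # Pull the domain out of a From header such as 'Jane <jane@x.com>'.
    match = re.search(r"@([A-Za-z0-9.-]+)", header_from)
    return match.group(1).lower().rstrip(".") if match else ""

def classify_sender(header_from, auth_pass, trusted=TRUSTED_DOMAINS):
    # auth_pass is the SPF/DKIM/DMARC verdict; our own domain is "trusted" only
    # when it passed. Look-alikes are flagged regardless: an attacker who
    # registered one can pass those checks for it.
    domain = sender_domain(header_from)
    if not domain:
        return "malformed"
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted" if auth_pass else "spoofed"
    folded = fold_homoglyphs(domain)
    for t in trusted:
        if domain.startswith(t + ".") or folded == t or edit_distance(domain, t) <= 2:
            return "lookalike"
    return "external"

# Constructed sample From headers, each paired with an assumed auth verdict.
SAMPLE_MESSAGES = [
    ("Jane <jane@example-advisors.com>", True),
    ("Jane <jane@example-advisors.com>", False),
    ("IT Support <help@exarnple-advisors.com>", True),
    ("Client <bob@gmail.com>", True),
]

def triage(messages=SAMPLE_MESSAGES):
    return [(sender_domain(h), classify_sender(h, ok)) for h, ok in messages]
```

Anything that comes back as something other than "trusted" is a message whose link or attachment deserves the thorough evaluation described above before anyone clicks it.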
At its 2016 OneVoice conference, FSI reported that only 59% of the broker-dealers it surveyed have written response plans for cybersecurity. This is way too low! Furthermore, you need to conduct regular cybersecurity training for all of your employees. After each training session, consider testing everyone’s knowledge. Example questions could include the types of requests your firm will process that are received via email, how you verify the authenticity of a request, what work employees are permitted to do outside the office on non-company-owned devices, and when it is okay to use different types of Wi-Fi networks.
The cybersecurity battle is an ongoing challenge, and it is also a moving target. It requires regular attention. The good news is there are lots of resources available to help your firm. Don’t go it alone. Ultimately, it is possible to greatly minimize the risk to your firm and to your clients.
Complex Passwords: Just Like Wearing a Seatbelt
Having complex passwords and changing them often is really a no-brainer in today’s technology world. An example of a complex password would include upper and lowercase letters, numbers and special characters.
I know it can be very frustrating to adhere to this requirement. The reality is that a complex password dramatically increases your defense against a brute force attack, which is a very common method to crack a password and gain access. Having a simple password is not worth the risk when you consider what someone might be able to do when they have your credentials.