Corporate security breaches are becoming ever more common each year, and firms ranging from the highest echelons of the Fortune 500 roster to small RIAs have proven vulnerable.
Frequent headlines of hacks and data leakages are increasingly hard to ignore. Many financial advisors have seen those stories and sought a better understanding of cybersecurity. It’s an encouraging sign that wealth management firms of all sizes are making the concept central to their value proposition.
By now you’ve probably heard about the most obvious cybersecurity precautions – cloud-based platforms that facilitate firewalls, data encryption and multi-factor authentication. But many firms have still not come to grips with one of the most prevalent sources of data breaches: employees.
Hackers routinely target workers who are dangerously oblivious to proper cybersecurity practices. Managers who care about protecting their clients, their firms and themselves must prioritize educating employees of all levels on how breaches occur.
Whether rank-and-file or C-suite, employees can fall prey to malicious agents in numerous ways. Typical scenarios involve social engineering, insecure remote access and unauthorized access.
- Social engineering involves criminals who use emails, text messages, phone calls and websites to impersonate legitimate sources. They then dupe staffers into revealing confidential information or clicking links that hijack the firm’s operating system.
- Insecure remote access is rampant. Hackers can easily infiltrate systems that use public wifi such as that available at libraries, parks or coffee shops. Similarly, employees who share laptops or smartphones with anyone else puts private data at risk.
- Unauthorized access is when staffers use applications to view files or change data they should not be able to touch. This usually requires another employee, such as a system administrator, to be lax with system access controls. Data theft or destruction can follow.
Employees have been responsible for data breaches in both the private and public sectors.
In June, the Securities and Exchange Commission fined Morgan Stanley $1 million after a former advisor accessed confidential data on thousands of clients belonging to other advisors, and transferred them to his personal server, only for him to become the victim of a hacker who then posted some of the data online.
And in July, Republican members of the House Committee on Science, Space and Technology released a report criticizing the Federal Deposit Insurance Corporation for failing to prevent employees of the agency from storing private data about banks and individuals on unauthorized portable drives – on several occasions.
Any RIA without a rigorous cybersecurity employee-training program should fix that oversight immediately. Executives should announce the program in writing, to foster clarity. The message should highlight steps everyone can take now to improve cybersecurity:
- Passwords should be long enough and intricate enough to incorporate letters, numbers, symbols, upper case and lower case characters. Employees should vary passwords across applications, and avoid using sentimental clues like birthdays or family names that hackers might guess.
- Staff should log onto the firm’s servers only from approved locations such as the office or home, and only from devices either provided by the firm or that belong solely to the staffer.
- If unverified sources seek firm data, electronically or otherwise, workers should alert their supervisor before doing anything else.
Effective employee-training programs are ongoing endeavors characterized by structure and buy-in at all levels. The best way to prevent data breaches is to implement written policies and procedures addressing how to handle digital information, software usage and user access. Firms should implement strict controls on which employees can access specific applications, including whether an individual employee can only read certain files or also edit them. In order to do so, operating systems must be able to automatically track all user activity and produce regular audit logs that managers review.
Proper training includes scenario analysis. What if a hacker obtains a client’s social security number? What if an advisor loses an office-supplied smartphone or laptop? What if the firm’s data encryption, firewall and multi-factor authentication tools are outdated? What if a staffer is suspicious of a colleague’s activities on the operating system?
All employees must know how to respond in each scenario, based on their specific role at the firm and their place in the chain of command. That’s why training guidelines should be written, tailored for relevant positions, and stored in easily accessible places. Furthermore, qualified cybersecurity professionals should be available to answer staff questions or help conduct training.
Delay No Longer
Yes, it is a major commitment to upgrade your firm’s cybersecurity precautions to account for employee-related vulnerabilities. RIAs must research the most appropriate software to use and the technology partners best suited to provide educational resources. As firms increasingly rely on technology, the potential for data breaches will also increase. Therefore, the wisest course of action is to prepare now for tomorrow’s security risks.