How safe is your data?
It’s a question that financial services regulators are asking advisors more frequently, and it’s not just a compliance issue. If your clients’ data files are breached, they could become identity theft victims, as could your employees if their personnel records are hacked. A significant data theft can damage your business’s reputation, as well.
An effective cybersecurity program requires constant diligence. Two steps you should consider are encrypting your data, and managing user permissions more actively. These actions can help improve your cybersecurity quickly and inexpensively.
Cracking the code?
Many financial services firms use a hybrid data storage model in which data are stored both in the cloud and on-site, depending on the application and the data. Even with the growing shift to cloud-based storage and software as a service (SaaS), however, it’s likely that some sensitive data still resides locally in your office network. These records could include clients’ health records, financial information, or Social Security numbers, and you may be storing employees’ personnel records locally, as well. There’s also other confidential information about your business: financial and tax information, client lists, correspondence and marketing plans, for instance.
Local data are at risk from internal sources — think disgruntled employee who wants to start his own firm — and external sources who are trying to penetrate your network. Encrypting your local data adds a layer of protection, says Ryan Castle, executive vice president with Trace Security in Baton Rouge, Louisiana. “Even if they are able to steal the data, they aren’t going to be able to read it unless they can decrypt it.”
The mathematics behind encryption technology is complex, but the result is straightforward. Encryption uses a formula to scramble (encrypt) data so they look like random characters. Unscrambling (decrypting) the data requires the use of an alphanumeric key; without the key, unauthorized persons can’t decrypt the underlying files.
You can take multiple approaches to encryption. At the hard disk level, users must enter a password or key to decrypt the device before they can use it. This method protects the disk’s data in case the hard drive is stolen, says Castle, and he typically recommends this method for organizations with laptops or other take-home devices. David Damiani, CFA, chief financial officer with wealth managers Balentine LLC in Atlanta, Georgia, says that his firm generally avoids storing data locally. As a safeguard, though, the firm’s laptops use BitLocker encryption software that is included in Microsoft Windows 10.
Another protective measure is to additionally protect specific files, a method known as encryption at rest, says Castle. This provides two layers of protection: Users must first decrypt the hard disk when logging in and then provide the file-specific password or key to open the file. “If you left your computer on and unlocked and someone walked into your office and said, ‘I want to open up this file that has customer information,’ it would prompt them for a password or some way to have to decrypt it,” Castle explains. “Or if someone was to hack your system and get remote access and the hard disk was unlocked, they still couldn’t read that specific file.”
Running through the complicated mathematics to provide encryption does decrease a computer’s performance, but the impact usually isn’t significant with today’s processors, Castle notes. For example, when an encrypted laptop drive is unlocked, it functions as an unencrypted drive.
Don’t get permissive
A second good practice is to actively track user permissions on your network. This involves deciding which staff members should have access to which files and then monitoring and reviewing their usage. Castle recommends adopting the principle of least privilege. If a user needs access to data or some other elevated privilege, what is the minimum level of privilege required to do the tasks and how long will they need that privilege?
Castle cites the example of a network administrator or other IT staff member who requires permissions to modify routers, firewalls or other networking equipment. But that person probably doesn’t need the ability to install software on a user’s workstation or access details in the human resources database, for instance. Applying that approach to each staff member’s access permissions for local and cloud-based data can help block attempts — both internal and external — to steal sensitive data.
This approach integrates well with encryption. Even if an unauthorized user gains access to sensitive data files at the system level, if the files are encrypted, that access will be worthless unless the user also has the decryption key. For example, network administrators may need the ability to move files around the system, but they don’t need to decrypt those files.
One school of thought on integrating encryption and permissions is to limit privileged users’ access to only encrypted data. That tactic isn’t intended as a judgement on the user’s integrity — it’s a recognition that hackers regularly target privileged accounts because they are the golden ticket for undetected network access. Should an unauthorized user gain access to a privileged user’s account, an encrypted-file-only access policy can mitigate the breach damage.
The second part of permissions management is to regularly monitor and audit user accounts to determine who is accessing privileged accounts and how they are using them. If an employee changes jobs within the organization, does she still need the same level of permissions or can it be scaled back? Firms should regularly “conduct these audits of these privileged accounts to make sure that not only are they only providing the least amount of privilege necessary, but that they’re actually assigned to people who actually have a need for that access,” says Castle.
Balentine LLC implements the least privilege approach through compartmentalization, says Damiani. Employees’ network access is limited to what they need and the firm uses software to monitor usage. If an employee downloads an amount of data significantly greater than her normal volume, for instance, management receives an automated alert.
If an employee “has been here three years and has never once downloaded more than six megabytes of data in a given day to do her work, (and) all of a sudden there’s 17 gigs going out overnight, we’re going to be alerted… there’s an outlier,” Damiani explains.
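The per-employee outlier alert described above can be sketched as follows. This is an added example, not code from the article or from Balentine's monitoring software; the user names, thresholds and sample volumes are constructed assumptions. It compares today's download volume with each user's own history using the median and median absolute deviation, and handles two edge cases: a user with too little history and a perfectly flat history.

```python
from statistics import median

MB = 1024 ** 2
GB = 1024 ** 3

# Constructed sample data: bytes downloaded per day, oldest first.
HISTORY = {
    "analyst_a": [4 * MB, 5 * MB, 3 * MB, 6 * MB, 5 * MB, 4 * MB, 5 * MB],
    "ops_b": [900 * MB, 1200 * MB, 1100 * MB, 950 * MB,
              1300 * MB, 1000 * MB, 1050 * MB],
    "new_hire_c": [2 * MB],
}
TODAY = {"analyst_a": 17 * GB, "ops_b": 1400 * MB, "new_hire_c": 3 * GB}


def baseline(samples):
    """Return (median, median absolute deviation) of past daily volumes."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med, mad


def score(samples, today, min_days=5, floor=1 * MB):
    """Distance of today's volume above the user's norm, in units of spread.

    Returns None when there is too little history to judge.
    """
    if len(samples) < min_days:
        return None
    med, mad = baseline(samples)
    # A flat history gives MAD == 0; the floor avoids dividing by zero
    # and stops tiny fluctuations from raising alerts.
    spread = max(mad, floor)
    return (today - med) / spread


def find_outliers(history, today, threshold=10.0, cold_start_cap=1 * GB):
    """Return (user, reason) pairs for volumes far outside the user's norm."""
    alerts = []
    for user, volume in sorted(today.items()):
        s = score(history.get(user, []), volume)
        if s is None:
            # No usable baseline yet: fall back to a fixed daily cap.
            if volume > cold_start_cap:
                alerts.append((user, "no baseline, over fixed cap"))
        elif s > threshold:
            alerts.append((user, f"{s:.0f}x spread above median"))
    return alerts


if __name__ == "__main__":
    for user, reason in find_outliers(HISTORY, TODAY):
        print(user, reason)
```

Because the baseline is per user, the heavy but consistent `ops_b` account does not alert, while the normally light `analyst_a` account does.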
Doing it right
Castle shares two other suggestions for better encryption and privileged account management. The first is to ensure that all users, and especially privileged accounts, maintain strong passwords and change them regularly. He also cautions against do-it-yourself encryption programs, maintaining that it is “really hard to do right.” Stick with trusted IT vendors to implement encryption, he suggests; otherwise, its use can convey a false sense of security.