How safe is your data?
It’s a question that financial services regulators are asking advisors more frequently, and it’s not just a compliance issue. If your clients’ data files are breached, they could become identify theft victims, as could your employees if their personnel records are hacked. A significant data theft can damage your business’s reputation, as well.
An effective cybersecurity program requires constant diligence. Two steps you should consider are encrypting your data, and managing user permissions more actively. These actions can help improve your cybersecurity quickly and inexpensively.
What Your Peers Are Reading
Cracking the code?
Many financial services firms use a hybrid data storage model in which data are stored both in the cloud and on-site, depending on the application and the data. Even with the growing shift to cloud-based storage and software as a service (SaaS), however, it’s likely that some sensitive data still resides locally in your office network. These records could include clients’ health records, financial information, or Social Security numbers and you may be storing employees’ personnel records locally, as well. There’s also other confidential information about your business: financial and tax information, client lists, correspondence and marketing plans, for instance.
Local data are at risk from internal sources — think disgruntled employee who wants to start his own firm — and external sources who are trying to penetrate your network. Encrypting your local data adds a layer of protection, says Ryan Castle, executive vice president with Trace Security in Baton Rouge, Louisiana. “Even if they are able to steal the data, they aren’t going to be able to read it unless they can decrypt it.”
The mathematics behind encryption technology is complex, but the result is straightforward. Encryption uses a formula to scramble (encrypt) data so they look like random characters. Unscrambling (decrypting) the data requires the use of an alphanumeric key; without the key, unauthorized persons can’t decrypt the underlying files.
Encryption uses a formula to scramble (encrypt) data so they look like random characters. (Photo: iStock)
You can take multiple approaches to encryption. At the hard disk level, users must enter a password or key to decrypt the device before they can use it. This method protects the disk’s data in case the hard drive is stolen, says Castle, and he typically recommends this method for organizations with laptops or other take-home devices. David Damiani, CFA, chief financial officer with wealth managers Balentine LLC in Atlanta, Georgia, says that his firm generally avoids storing data locally. As a safeguard, though, the firm’s laptops use BitLocker encryption software that is included in Microsoft Windows 10.
Another protective measure is to additionally protect specific files, a method known as encryption at rest, says Castle. This provides two layers of protection: Users must first decrypt the hard disk when logging in and then provide the file-specific password or key to open the file. “If you left your computer on and unlocked and someone walked into your office and said, ‘I want to open up this file that has customer information,’ it would prompt them for a password or some way to have to decrypt it,” Castle explains. “Or if someone was to hack your system and get remote access and the hard disk was unlocked, they still couldn’t read that specific file.”
Running through the complicated mathematics to provide encryption does decrease a computer’s performance, but the impact usually isn’t significant with today’s processors, Castle notes. For example, when an encrypted laptop drive is unlocked, it functions as an unencrypted drive.
Don’t get permissive
A second good practice is to actively track user permissions on your network. This involves deciding which staff members should have access to which files and then monitoring and reviewing their usage. Castle recommends adopting the principle of least privilege. If a user needs access to data or some other elevated privilege, what is the minimum level of privilege required to do the tasks and how long will they need that privilege?