Cyber security is certainly on the mind of advisors today. According to at least one industry survey, cyber security is the number one technology concern among independent advisors. I recently had an opportunity to speak with executives from two firms that provide cybersecurity help to advisors: Sid Yenamandra, CEO of Entreda (www.Entreda.com), and Brian Edelman, CEO of Financial Computer (www.FinancialComputer.com). Both provided useful tips on steps advisors can take to better protect themselves and their clients.
Yenamandra believes that most firms do not have a culture of compliance and cyber security in place. There are three components necessary for developing the proper culture:
Yenamandra says that people (employees and clients) often do things that they should not do. For example, people often log in to accounts that contain sensitive information on an open Wi-Fi network at a hotel or coffee shop. “If you log on to a financial account on an open network at a Starbucks, you are looking for trouble,” he says.
Education is the key to good people compliance, says Yenamandra. He thinks that newer techniques including gamification and predictive analytics will improve cyber security compliance in the future. Gamification can make learning more fun and predictive analytics can help anticipate potential issues before they become serious problems.
“Most firms don’t have a handle on policy,” he says. Where is personally identifiable information (PII) stored? If you don’t know where it is, how can you secure it? Have you conducted a risk classification of assets? Do you have a map of your network? Are your firewalls configured properly? These are just a few of the questions that a security specialist can help you with.
Even firms that create good policies often do it once and think that they are done. Policies need to be reviewed and updated regularly.
ENFORCING GOOD POLICIES
One way technology can help is to enforce good policies. Devices, networks and users can be configured in such a way that they enforce compliance automatically.
Edelman believes that the greatest cyber threat to advisory firms today is email hacking. Edelman suggests using secure email to prevent this. “The technology today is much better than it was a few years ago,” he says. “We use AppRiver Secure E-Mail, but there are other good solutions in the marketplace.” Another good tool is multi-factor authentication. Many users, including clients, have access to it, but they choose not to use it. New device notifications are yet another helpful tool. Many email providers will allow you to receive notifications if someone logs into your account from a new device or an unusual location. This type of notification is available from many financial institutions as well. They allow users to set notifications if a charge to a card or a withdrawal over a specified amount has occurred.
Another major threat is computer hijacking. “Almost every computer we see has some vulnerabilities or hijacks,” Edelman says. His firm, and others, offer 24/7 network and device monitoring to address potential attacks and vulnerabilities before they become serious.
“Every firm should have a vulnerability scan done regularly as a preventive measure by an independent third party,” Edelman says. When a scan is complete, you receive a report listing all potential issues so that you can remediate. The report, as well as any remediation taken, should be documented and stored in a file that can be made available to regulators.
Stolen passwords are yet another threat. “This is an epidemic,” says Edelman. Passwords are commonly shared among employees. Firms often store all their passwords on an Excel spreadsheet. “The instructions on how to hack these password-protected spreadsheets are readily available on the web,” he says. “Just go and Google it or search YouTube for instructions on how to do it.”
To store passwords securely, Edelman suggests creating strong passwords and storing them in a password manager. His current favorite is LastPass. For added protection, add two-factor authentication. Duo is just one firm that can provide multi-factor authentication.
THIRD PARTY VETTING
Finally, Edelman says that firms need to do more when vetting third-party vendors. While admittedly this can be a challenge for firms that lack the technical expertise, Edelman’s firm, Financial Computer, will soon be releasing a guide that can help. In addition, he suggests working with best-of-breed providers that have a reputation for technical excellence and customer service. Your broker/dealer or custodian is also a good source of information regarding third-party vendors.
The sad truth is that cyber security issues are going to be with us for the foreseeable future. Advisory firms have both a legal and moral obligation to stay current on cyber threats and to take prudent measures to ensure the safety of their firm’s data. If your firm does not have the in-house expertise to deal with cyber security threats, and most don’t, the help of an independent expert is essential.
According to both Edelman and Yenamandra, proactive cyber security measures are very affordable. For example, Financial Computer charges as little as $25 per month per computer for anti-malware protection with 24/7 monitoring. Given that the cost of remediation after a successful hack starts at $50,000 and can easily exceed $1 million depending upon the size of the firm and the nature of the attack, the lesson is clear: A little prevention can save you a great deal of pain in the future.