Generally speaking, financial advisors and the firms that serve them have done a tremendous job of responding to the COVID-19 crisis. Although many of us are currently working from home, cloud-based software, high-speed Internet connectivity, video conferencing and other tools have empowered employees to still be productive from a WFH (stands for “working from home” or “work from home”) environment. That’s the good news.
Still, some advisors are putting themselves and their firms at risk.
The bad news is that in their rush to set up a WFH environment as quickly as possible, and in an effort to make the transition as seamless as possible, some advisors have taken shortcuts that put them, their firms and their clients at risk. With the heavy emphasis upon getting operational and serving clients, some firms understandably have focused less on other issues, and one of those issues is cybersecurity.
According to Aaron Spradlin, co-founder of cleverDome and CIO of United Planners Financial Services: “It’s very important to remind advisors that they are stewards of their clients’ personal information and the first line of defense (and the most effective). Working from home requires higher levels of vigilance.”
Here’s what I’ve learned from talking with a number of industry experts about the types of risks they have identified across the advisor population, and what you need to do to avoid those mistakes and stay safe while working from home:
Mistake #1: Sharing Passwords
In this day and age, it is incredible that this still goes on, but many firms still have password books and share passwords across firm members. Some people share passwords to avoid paying a per-user fee for each user, but this type of behavior has risks, especially in a WFH environment. If multiple employees have access to the same login credentials, you have no way of knowing who accessed what should a breach occur. Also, if you have multiple people using a set of login credentials, you can’t use two-factor authentication when working from home. What typically happens in this case is that users disable multi-factor authentication, which, in turn, leaves your firm more vulnerable to hackers.
Mistake #2: Using a Shared Computer
Brian Edelman, CEO at FCI, a cybersecurity firm that serves advisors, advised against using a shared home computer if at all possible: “If you often work from home, you should have a dedicated computer at home that has been professionally configured, or, you should have a laptop provisioned by the firm with all of the proper safeguards in place.”
The risks of using a home computer are many. It is likely that the hard drive is not encrypted. It is likely that if you are connected to the default home network that enables you to share a printer or other peripheral, your computer might not be secure. To save time, users often save usernames and passwords in a browser such as Chrome. If you are on a shared computer, other users have access to your usernames and passwords on a shared account. If you must use a shared home computer, make sure you have your own dedicated account with your own username and password, and that you have the account set to lock automatically after a short period of inactivity.
Mistake #3: Using a Less Secure Wi-Fi Network
Most better-quality home routers today allow you to set up multiple Wi-Fi networks. At a minimum, you can usually set up a trusted network and a guest network. We recommend that you conduct your business on the trusted network and put everyone else on the guest network. The problem with this approach is that often other family members are offended if you limit them to the guest network. An effective solution that we have found is to rename the guest network to something like “secure family network.” That tends to get better acceptance from spouses and kids.
Mistake #4: Not Using a Professional Firewall
A firewall is a tool that “monitors and controls incoming and outgoing network traffic” (Wikipedia). A firewall is meant to block unauthorized access to your system. It is the first line of defense for your network. It’s often a piece of hardware, but a firewall can also be software, or a combination of both hardware and software.
Most home users have a basic firewall built into their router, and they use a software firewall that is built into Windows or some third-party software firewall. Firewalls that are built for home use provide good basic protection, but there are trade-offs. Because they are built for consumers, they must be easy to use, and they emphasize speed.
Firewalls designed for business do more. For example, they include intrusion protection. An intrusion prevention system (IPS) is a form of network security that works to detect and prevent identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them. Professional systems also include logging of security events. Security Event Monitoring provides real-time monitoring, correlation and expert analysis of activity in your environment, detecting and alerting on valid threats to your data and devices.
Edelman and Spradlin both emphasized the importance of active device monitoring and protection. This is a capability well worth the investment. Business devices also include gateway VPN capabilities. A VPN gateway is a type of networking device that connects two or more devices or networks together in a VPN infrastructure. It is designed to bridge the connection or communication between two or more remote sites, networks or devices and/or to connect multiple VPNs together.
Mistake #5: Not Connecting Securely
There are several ways to connect remotely to your office or others. If connecting to a web service, make sure you’re on a secure network, that the site is secure and encrypted (HTTPS), and that you use two-factor authentication. If you are connecting to your office, use a VPN or other facility as recommended by your IT department. A newer, unique solution available to advisory firms is cleverDome. With cleverDome, data is protected by a private internet where the data goes through a specially configured cloud directly to the destination point using real Military Grade Cybersecurity. The data is fractionalized and dispersed over multiple channels. The result is a private network that is safe, reliable and ten times faster than a VPN connection. Entry to “the Dome” is restricted to devices with end point protection in place with 24/7 monitoring, so only secure devices can enter the network.
Mistake #6: Overlooking Physical Security
As is the case when you are in the office, a clean desk policy should be enforced. Do not leave any work-related documents on your desk unattended. Keep everything under lock and key. Shred all paper documents before disposal. If you store confidential information on an external hard drive, make sure the device is encrypted, and lock anything not in use away.
Until the current crisis runs its course, working from home will be the new normal for advisors, but a change in venue should not lead to a letdown in your cybersecurity preparedness. We have received numerous reports that hackers are taking advantage of the crisis to attack those that may have let their guard down. You owe it to your clients and to yourselves to stay as safe working from home as you do when you are working from your office.