5 Cybersecurity Best Practices
Regulators want to ensure advisors safeguard client and business information online. Implement these best practices to reduce the risk of your data being compromised.
As advisors, an ever increasing amount of the work we do is conducted using technology. While this trend has benefited both our clients and our businesses, it demands we take steps to prevent unauthorized access to sensitive information.
The following best practices will help you secure important data and demonstrate to clients and regulators that you consider cybersecurity a top priority.
Optimize Password Management
When it comes to passwords, remember RULE: random, unique, long, and encrypted. The passwords you use to access each website or digital asset within your business and personal life should be randomly generated, with as many characters and as much complexity as the specific service allows. Each password should also be unique; you should never use the same password for multiple sites or services. Lastly, passwords should be stored in a safe place and encrypted, with the ability for other key personnel to access them only in the event of an emergency.
Recent updates to the National Institute of Standards and Technology password guidelines actually recommend that services do away with password complexity and expiration rules. This is because most users will simply add a number or special character to their existing passwords when creating new ones, since it's admittedly difficult to remember countless login credentials composed of randomly generated characters. Since password length is more important than complexity, the institute and others recommend long passphrases (such as a sentence or series of random words) that are easier to remember, rather than complex passwords.
The optimal solution, however, is to make use of a password manager such as LastPass or 1Password to both create and securely store lengthy, complex, unique, and randomly generated passwords for you and your employees. While a long passphrase known only to you is ideal for the one "master" password you use to access your password manager, the combination of length and random complexity will beat out an equally long passphrase that may be easier to guess. Most popular password management applications have enterprise licenses for multiple employees, as well as optional provisions for accessing another employee's account without knowing their master password (under certain conditions).
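To make the length-versus-complexity argument above concrete, here is an added example (not from the article) that estimates guessing resistance in bits of entropy for a manager-generated random password and for a random-word passphrase of about the same length. It assumes a 94-character printable pool and a 7,776-word passphrase list; both are assumptions, not figures from the article.

```python
import math
import secrets
import string

# Assumptions (constructed for this example): the printable ASCII pool a password
# manager draws from, and a diceware-style word list of 7776 words.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 characters
WORDLIST_SIZE = 7776


def random_password(length: int) -> str:
    """Generate a password the way a manager would: each character picked uniformly
    with a cryptographically secure RNG (never random.choice for secrets)."""
    return "".join(secrets.choice(SYMBOLS) for _ in range(length))


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from a pool of `pool_size`."""
    return picks * math.log2(pool_size)


def password_entropy(length: int) -> float:
    return entropy_bits(len(SYMBOLS), length)


def passphrase_entropy(num_words: int) -> float:
    return entropy_bits(WORDLIST_SIZE, num_words)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every possibility at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(total_length: int, avg_word_len: int = 5, separator: int = 1) -> dict:
    """Compare a random password of `total_length` characters with a passphrase that
    fits in roughly the same length (words of avg_word_len plus a separator)."""
    words = max(1, (total_length + separator) // (avg_word_len + separator))
    return {
        "random_password_bits": password_entropy(total_length),
        "passphrase_words": words,
        "passphrase_bits": passphrase_entropy(words),
    }


if __name__ == "__main__":
    print(random_password(20))
    print(compare(20))
    # A six-word master passphrase, the one password you must memorize:
    print(passphrase_entropy(6), years_to_exhaust(passphrase_entropy(6)))
```

The 20-character random password comes out far stronger than a 3-word passphrase of the same length, while a 6-word passphrase still lands well above typical offline-cracking reach, which is why the article reserves passphrases for the master password.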
Use Multifactor Authentication
Multifactor authentication takes digital access security to another level by requiring more than just a password to log into a site or service. Imagine someone has obtained the password to one of your highly sensitive services (e.g. cloud document storage). Without multifactor authentication, they can log in as if they were you and gain access to all client data stored there. With multifactor authentication enabled, however, would-be intruders are out of luck unless they also hold one or more separate "factors" (commonly a temporary code or notification sent to your mobile device).
When one of your service providers or cloud solutions offers multifactor authentication, strongly consider enabling it for all users. Though it may seem like a cumbersome step for employees, it quickly becomes routine and is one of the best ways to protect access to sensitive information. It can also serve as a tool to alert users when someone might be trying to access their account(s), and as an indication that it's time to change their passwords. If you or your employees receive authentication codes via text message, be sure that text previews are disabled while the device is locked, and that all devices used with multifactor authentication have strong passcodes. That way, if unauthorized users obtain both your password and your mobile device, they still won't be able to log in without also being able to unlock the device.
Use the Right Tools
In addition to an enterprise-level password manager, it's imperative that you deploy the right tools to defend against common attacks. Make sure all company devices are running up-to-date software and firmware that include the most recent security patches for new threats.
Have all employees use an ad blocker such as AdBlock or Adblock Plus in each browser they use to prevent sites from loading malicious code, particularly on Windows machines. Enable firewalls and deploy an antivirus solution such as Bitdefender on all company devices, and consider using a virtual private network, particularly if you or employees ever work remotely or might connect to public networks while traveling.
Services such as Citrix ShareFile or Microsoft Office 365 Message Encryption will allow you to securely send sensitive or personal identifying information to clients. Be sure to provide clients with a way to securely send you information (such as a file drop or financial planning software "vault"). Lastly, always back up your data in the cloud and in a physical format, using a service or software like CrashPlan Pro that encrypts backups.
Create a Written Data Security Program
Organizing your digital life and assessing risk is a useful exercise both personally and as part of your business compliance program. Start by taking inventory of all digital assets and user permissions. Where is sensitive or personally identifiable information stored? What services do you use online? Which devices are used to access your data? And who has access?
Once your IT assets are mapped out, identify internal and external threats, as well as vulnerabilities in your and your firm's information technology systems. Create written policies and procedures to prevent, detect, and respond to cyber threats. These policies should dictate who should have access to sensitive information, the tools and methods you use to back up and encrypt data, and a plan to respond to cybersecurity incidents as they occur.
Strengthen Your Weakest Link
No matter how robust your cybersecurity strategy may be, your weakest link remains the same: human beings. Invest time in educating your employees to help them recognize phishing attempts and follow email best practices: never accept third-party or unusual transfer requests via email, and never click on suspicious links or attachments. Be sure they are trained to use secure methods to send and receive sensitive client information electronically. If employees use personal devices to access business and client information, make sure those devices are sufficiently password protected and encrypted. Additionally, only grant access to sensitive or high-risk data and services on an as-needed basis. (Start with the fewest possible permissions, and increase as necessary.) Be sure to go over your data security program with each new employee as part of your onboarding process, and schedule time throughout the year to review it with all employees.
With the combination of increased employee awareness, the right digital tools, and a well-crafted written plan to mitigate and respond to cybersecurity threats, you'll quickly establish security habits that can significantly decrease the chances of your firm or clients' information falling into the wrong hands.
Ben Brown is a certified financial planner and an IRS enrolled agent. He is the founder of Entelechy, a fee-only financial planning and investment management firm based in Bethesda, Maryland, serving clients in the Washington, D.C., area and nationally.
The author is a freelance contributor to Morningstar.com. The views expressed in this article may or may not reflect the views of Morningstar.