When we’re all still stuck at home due to the COVID 19 pandemic, the last thing we need to add to our anxiety is a hacker sneaking off with clients’ data – along with those clients’ confidence in their advisors and wealth management firms of choice.
Cybersecurity experts have been able to hack into RIA networks using a variety of common workplace mistakes that are even more likely to be committed when we’re working at home.
The good news is most security problems could be prevented by following a few basic rules and buying affordable security software.
Here are 7 simple and inexpensive steps wealth managers can take to securely and efficiently do home-based work during the COVID 19 outbreak:
1. Use a dedicated work computer.
“I’m working remotely with a laptop that has never seen one personal email on it,” says Michael Goodman, President of Wealthstream Advisors. Opening up websites for personal use – even in limited circumstances – adds a potential security risk.
It’s also easier to focus when working from home if you make a habit of using separate computers for work and personal use.
2. Update your computer, internet browser and software of all kinds regularly.
“Your browser will warn you if you are going to a site that is not https, the standard for internet security, as long as it’s been updated within the last two years,” says Brian Hahn, an ethical hacker who uses his skillset to help RIA firms avoid data breaches due to poor cybersecurity protocols.
Your computer shouldn’t be 10 years old, says Goodman. Buy a new computer as needed and keep Microsoft Office and other software updated, especially your cybersecurity software, he says. Lack of updates can lead to security software and other protections not being able to work properly.
3. Own your modem.
It is much easier to break into a system if you use a modem from an internet provider as opposed to your own modem, says Hahn. This is partly because most people just use the password and settings that come with the equipment, he says.
Spend $100 to $200 for a good quality modem and skip the $10 monthly rental fee your internet provider most likely charges. Always reset the password. 10 minutes of time to reset the password can save you from a very pricey cybersecurity breach.
4. Store passwords securely.
Hahn has successfully penetrated 70 percent of RIA networks he’s tested for reasons as simple as professionals using passwords like ‘password123’. “Sometimes it’s not even password123. It’s that they may be using the same password on five different systems even if it is secure,” says Hahn. “I can go to the dark web and easily find the one password they’re using, [then login to all systems using that password].”
If your computer isn’t set up with two-factor authentication, it’s not a good idea to keep passwords in a note or file on your computer. It’s also like putting your extra set of keys in the same pocket. Instead use LastPass, Keypass or other cloud-based software to remember passwords. You can add an extra layer of protection by using two-factor authentication with your password software.
5. Educate your clients on simple cybersecurity measures.
Your clients should not transmit their data to you through Gmail, Office365 or other mail servers, says Kelly Long, AICPA consumer advocate and financial wellness coach. Instead, have clients send personal information through a secure client portal. Hahn adds that everyone should use two-factor authentication and avoid passwords that are simple to figure out. Hacking is easy when simple security rules aren’t followed.
A helpful service you can offer your clients is to introduce them to your cloud-based password software of choice, along with basic instructions on how to get started using it. You can offer the same type of service by reminding your clients to update their operating systems, software and browsers and giving them easy-to-follow instructions on how to do it.
6. Educate your staff.
It’s not enough for a few people to practice good security measures. “There’s generally one weak link in any company,” Hahn says. “That’s how I find my way in when ethical hacking.”
Unfortunately, one of the easiest hacks is someone phishing in a very personal way. For instance, a hacker might email a malware link that claims to be photos of a spousal affair, and your staff member panics and opens it, says Hahn.
7. Document your actions.
The SEC and state regulators have a keen interest in your cybersecurity policies and procedures. You can do the first 7 recommended in this article and still fail in the eyes of regulators if you haven’t documented what you’ve done. Regulators can’t see your actions and don’t have the inclination to wait for you to cobble together evidence at audit time. Remember: “If you don’t document it, it never happened.”
Cybersecurity compliance software such as SmartRIA Data Governance can help you to manage this process with minimal effort.
5 to 10 years ago, good cybersecurity compliance software was unaffordable for independent RIAs, says Goodman. That isn’t the case anymore. Buy a good quality cloud-based security software that alerts you to security breaches, Hahn recommends. High-quality cybersecurity compliance software alerts you to vendor breaches quickly, as well as compiles compliance documents for reporting to the SEC.
I’ll close with this quote from Brian Hahn that says it all: “Cybersecurity is the biggest threat that we can’t control 100 percent.”
But if you take the above 7 precautions, you’re less likely for a hacker to steal your clients’ data, and more likely to be prepared for cybersecurity compliance questions during an audit – regardless of whether your work is completed in the office or from home.
This article was originally published by Mac Bartine on Nasdaq.com.
