Thursday, October 28, 2010

Four Security Best Practices That All Advisors Should Implement

Common sense security will make your firm a tough target for hackers

Advisor One
October 1, 2010 | By Dan Skiles
When you think about the security around your technology systems and your firm's data, what level of confidence do you have? … Unfortunately, the bad guys are out there, and they are working overtime to find ways to break in and grab your precious information. … You might also be surprised at how unfamiliar your staff is with security threats related to technology. … We all get comfortable when we use technology every day, and we sometimes (if not often) forget or simply ignore important security best practices. Education in this area is critical, and it is important that everyone at your firm understands their role in protecting your technology systems and data.
It would be best for most advisors to hire an IT professional--someone who worries about data security 24/7--to be responsible for protecting your systems. … Whether you have an IT professional or not, there are a number of best practices that you and your staff should follow in order to better protect your systems and your client data. A number of the best practical steps you can take are simple and basically common sense, but they need to be adopted across an entire firm.
One of the more common security oversights with advisors and their associates is transmitting personally identifiable information through e-mail. Standard e-mail is not secure and the information transmitted can be intercepted by a hacker. This includes information in the body of an e-mail, as well as any attachments (Excel files, Word docs, PDFs, etc.). If you must send an e-mail with personally identifiable information, it is best to encrypt it and assign a password to the attached file. …[There] are a number of password recovery software programs available that essentially try different combinations over and over until the password is identified. In the very rare case that your e-mail is intercepted by a hacker, you certainly don't want to make it easy for them by creating a password that is simple and quick to identify. The word "password" is unfortunately probably the first word that they will try, because it is the most commonly used password.
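The paragraph above says that recovery tools "try different combinations over and over" and that "password" is tried first. The following added example (my own illustration, not code from the article or from Advisor One) makes that concrete from the defender's side: it estimates how large the search space for an attachment password is and checks it against a short, constructed stand-in for the top of a common-password list. The list, the guess rate of one billion tries per second and the weak/moderate/strong thresholds are all assumptions chosen for illustration.

```python
import math
import string

# Constructed stand-in for the top entries of a common-password list (assumption).
# A real tool would load a full wordlist; these five are enough to show the idea.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome"]

# Assumed attacker guess rate for the time estimate (illustrative, not measured).
ASSUMED_GUESSES_PER_SECOND = 1e9


def charset_size(pw: str) -> int:
    """Size of the character alphabet a brute-force tool would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def guess_bits(pw: str) -> float:
    """Upper bound on search-space entropy in bits, assuming every character
    was chosen uniformly at random from the alphabet. Dictionary-derived
    passwords are far weaker than this number suggests, which is why the
    common-list check below runs first."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw: str) -> dict:
    """Return the common-list hit, entropy estimate, worst-case exhaustive
    search time at the assumed rate, and a coarse rating."""
    common = pw in COMMON_PASSWORDS
    if common:
        # A wordlist attack finds it after index+1 guesses, effectively instantly.
        seconds = (COMMON_PASSWORDS.index(pw) + 1) / ASSUMED_GUESSES_PER_SECOND
        bits = 0.0
    else:
        bits = guess_bits(pw)
        seconds = (2 ** bits) / ASSUMED_GUESSES_PER_SECOND
    if common or bits < 40:
        rating = "weak"
    elif bits < 64:
        rating = "moderate"
    else:
        rating = "strong"
    return {"common": common, "bits": round(bits, 1), "seconds": seconds, "rating": rating}


if __name__ == "__main__":
    for candidate in ["password", "Summer10", "Tr0ub4dor&3"]:
        print(candidate, assess(candidate))
```

The point for a firm is the ordering inside `assess`: a password that appears on a common list is rated weak regardless of its length or mix of characters, because a recovery tool will try the list before it ever starts enumerating combinations.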
[Read more about why you should enable passwords on your mobile devices.]
Another important security best practice is to have a strict policy that prohibits your staff from using computers that they do not own or control for accessing networks that contain confidential client information. For example, … a hotel's business center … computer could contain a malware program, specifically a "keystroke logger," that tracks every keystroke and page visited on the computer. With these programs, it is possible for a hacker to obtain your user name and password and the exact Web address that the credentials are used for. Of course, the hacker could then use this information and log in as you. This risk is magnified when you consider the number of accounts that you could have access to when using your log-in credentials on the sites that house your clients' account information. …
…[Do] you know the level of access each member of your firm has to your technology systems, as well as to the external technology systems used by your firm? … [The] security best practice is to only give each associate the level of access that they truly require for their position. …
It is worth the initial time to set up different access profiles in order to better control and further secure your firm's client information. Make sure that you have a well-defined process to disable an associate's access when they are no longer employed by the firm. This process should be implemented on the same day that the associate leaves the firm.
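The two paragraphs above describe a procedure: define access profiles per position, grant only what each profile needs, and disable access the day an associate leaves. The added example below (my own illustration, not code from the article) models that as a small audit: a constructed set of profiles and accounts is checked for permissions beyond the role's profile and for accounts that are still enabled after their recorded departure date. The profile names, permission strings and sample accounts are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed access profiles (assumption): each position gets only the
# permissions it needs. A real firm would define these for its own systems.
PROFILES = {
    "advisor":      {"crm:read", "crm:write", "custodian:read", "custodian:trade"},
    "assistant":    {"crm:read", "crm:write", "custodian:read"},
    "receptionist": {"crm:read"},
}


@dataclass
class Account:
    user: str
    role: str
    enabled: bool
    granted: Set[str] = field(default_factory=set)
    termination_date: Optional[date] = None  # set the day the associate leaves


def excess_permissions(acct: Account) -> Set[str]:
    """Permissions the account holds beyond what its profile allows."""
    return acct.granted - PROFILES.get(acct.role, set())


def audit(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (user, issue) findings for least-privilege and offboarding gaps."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if acct.role not in PROFILES:
            findings.append((acct.user, f"unknown_role:{acct.role}"))
        for perm in sorted(excess_permissions(acct)):
            findings.append((acct.user, f"excess:{perm}"))
        # Same-day rule: an account whose termination date is today or earlier
        # must already be disabled.
        if acct.enabled and acct.termination_date and acct.termination_date <= today:
            findings.append((acct.user, "enabled_after_termination"))
    return findings


# Constructed sample accounts (assumption) to run the audit against.
SAMPLE_ACCOUNTS = [
    Account("alice", "advisor", True, set(PROFILES["advisor"])),
    Account("bob", "assistant", True, {"crm:read", "crm:write", "custodian:trade"}),
    Account("carol", "receptionist", True, {"crm:read"}, termination_date=date(2010, 9, 30)),
    Account("dave", "receptionist", False, {"crm:read"}, termination_date=date(2010, 9, 15)),
]


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_ACCOUNTS, today=date(2010, 10, 1)):
        print(f"{user}: {issue}")
```

Run daily, an audit like this turns the "same day" requirement into something checkable rather than a promise: any account still enabled past its departure date shows up as a finding, as does any permission granted outside the position's profile.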
[Read about the benefits of using a server rack to protect your physical investments.]
Another key security practice for your firm revolves around understanding how your systems are protected from virus attacks. Everyone at your firm must understand what virus software is installed on the computers they use and how the software behaves. One of the easiest ways for a hacker to infect your systems is through a counterfeit "alert" message. What generally happens is this: While you are navigating the Internet a pop-up message appears on your screen and says, "Warning! Your computer is infected by a virus. Click here to correct." Then, when you click on the "OK" button, instead of solving the problem, you are actually downloading the virus. But if your staff is familiar with the way your virus software works, they will know that the fraudulent alert message is very different from the one they would receive from the real anti-virus program. … Anti-virus programs are constantly being updated, but the challenge is keeping up with the introduction of new viruses. Therefore, instruct your staff to be suspicious, and to become familiar with the anti-virus program operating on their computer, especially the alert messages.
Overall, following security best practices needs to be part of the DNA of your firm. It is important that your staff does not have the false impression that technology security is not one of their job responsibilities. … Therefore, you must make security procedures a part of your regular training, and practice them until they become habits. Security problems by themselves can create a tremendous amount of work, and of course they carry potential financial and reputational risk, as well. Therefore, it is worth the effort to ensure that your firm is doing everything possible to protect your clients and your overall business. …