The Five Critical Cybersecurity Protection Measures
Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
Several weeks ago, a financial planner came to me for advice. Hackers had been attempting to compromise his RIA firm’s QuickBooks online package, even though he had text and SMS authentication in place. The attacker was able to log in and was attempting to send out invoices to customers to steal money. Fortunately, he was able to change passwords before any damage was done.
But it got him worried about next time.
Keeping up with cybersecurity feels like a game of cat and mouse. Unsuspecting users get lured into traps by hackers seeking to gain access to vital information. As hackers get better, security technology gets better, so the hackers get better. The game keeps going in a circle from which none of us will ever escape.
Cybersecurity threats become exponentially serious for RIA firms, especially when there are hundreds of millions of dollars at stake. As an RIA, it’s pivotal to protect yourself, your employees and your firm. One wrong move by anyone in your firm could lead to crucial data landing in the wrong hands.
Even if you made decisions about your security as recently as 12 months ago, you need to refresh. There are new cybersecurity protection features being added, which you may not know are readily available. I’ll name a few new features that are very applicable to RIA firms.
1. Stay IT compliant! One of the most heavily regulated industries is financial services. There are plenty of laws and policies to ensure that everyone operates legally and fairly. For example, RIAs have to abide by SEC rule 17a-4(f), which defines the requirements and standards for storing books and records electronically to be IT compliant. Very few of the RIAs that I meet are aware that email archiving on the Microsoft platform meets all the SEC requirements. This also goes for Microsoft Teams instant messaging and files and folders storage. They meet the SEC compliance requirement, so you don’t need a third-party tool.
There is a myriad of requirements, but Microsoft tools such as Azure and Office 365 make it easier to improve and maintain compliance. Make sure your IT provider is adhering to all of them.
2. Get set up with the latest data loss prevention tools. I see a lot of RIAs using Microsoft platform products, but they aren’t tapping into data loss prevention (DLP) tools. Configured properly, DLP prevents accidental or intentional data loss and minimizes the risk of a data breach. The DLP tool is driven by policies and conditions that determine how certain information, including emails, files and attachments, is regulated and stored. For example, if someone in your RIA sends an email containing Social Security or account numbers, Microsoft DLP can automatically block the email, encrypt it before it leaves your domain, or forward it to your RIA’s chief compliance officer. DLP tools inspect email, instant messaging and files for anything suspicious and treat it the way you designate.
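To make the policy-driven behaviour concrete, here is an added example of how a DLP rule engine reaches the block / encrypt / forward-to-CCO decision the paragraph describes. It is illustration code written for this article, not Microsoft's DLP implementation; the two detectors, the action names, the `ria.example` domain and the sample messages are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed example of a pattern-based DLP check, not Microsoft Purview DLP.
# Two hypothetical detectors: a formatted US Social Security number, and an
# 8-12 digit number that appears shortly after the word "account"/"acct".
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ACCOUNT_RE = re.compile(r"\b(?:account|acct)\b[^\d\n]{0,20}(\d{8,12})\b", re.IGNORECASE)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues (area 000, 666 or 900-999, group 00,
    serial 0000), which cuts false positives from dates and order numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(value: str) -> str:
    """Keep only the last four characters so a finding can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Finding:
    kind: str     # "ssn" or "account_number"
    masked: str   # masked value, safe for an audit log or a CCO notification


def scan_text(text: str) -> list[Finding]:
    """Return every sensitive item found in a message body or attachment text."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", mask(m.group(0))))
    for m in ACCOUNT_RE.finditer(text):
        findings.append(Finding("account_number", mask(m.group(1))))
    return findings


def evaluate_policy(text: str, recipients: list[str], internal_domain: str) -> dict:
    """Map findings to one of the actions the article lists: allow, block
    (with a copy to the CCO), or encrypt before the mail leaves the domain."""
    findings = scan_text(text)
    leaves_domain = any(not r.lower().endswith("@" + internal_domain) for r in recipients)
    kinds = {f.kind for f in findings}
    if not findings or not leaves_domain:
        action, notify_cco = "allow", False    # nothing found, or internal mail: let it through
    elif "ssn" in kinds:
        action, notify_cco = "block", True     # hard stop, and the CCO gets a copy
    else:
        action, notify_cco = "encrypt", False  # account numbers may leave only encrypted
    return {"action": action, "notify_cco": notify_cco, "findings": findings}


if __name__ == "__main__":
    # Constructed sample messages; "ria.example" stands in for the firm's own domain.
    print(evaluate_policy("Your SSN on file is 123-45-6789.", ["client@mail.example"], "ria.example"))
    print(evaluate_policy("Wire to account no. 123456789012 by Friday.", ["custodian@example.net"], "ria.example"))
    print(evaluate_policy("Order 000-12-3456 shipped.", ["x@outside.example"], "ria.example"))
```

The findings carry masked values only, so the notification that goes to the CCO, or the DLP audit log, does not itself become a second copy of the Social Security number. A real deployment adds more detectors, scans attachments after text extraction, and applies the rules to Teams messages and SharePoint files as well as mail.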
3. What’s your RIA’s security score? Very few RIAs know theirs. You can get it from security.microsoft.com. It requires administrative level access to a Microsoft account; usually, your firm’s chief compliance officer (CCO) will have this type of access. It’s an objective score no matter who your IT provider is. Try it. Hopefully, you’ll receive validation that you’re doing everything right.
4. For multi-factor authentication, ditch the text messaging. Use Microsoft Authenticator. I mentioned the RIA who recently sought my advice after a hacking attempt that got past his text (SMS) authentication. While text messaging has been the most popular form of authentication, it’s no longer the most secure. Hackers have found ways to intercept text messages and use them to access accounts. I recommend the Microsoft Authenticator app. You can download it for free on your phone or tablet from the App Store or Google Play.
Microsoft Authenticator is more secure than SMS text because it uses a time-based one-time password (TOTP) instead of a simple text message. TOTP is an algorithm that generates a unique code at set intervals, such as every 30 seconds. Each code can be used only once and expires after a short period, so even if a hacker manages to intercept a code, they can’t use it to log in once the code has expired.
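The following is an added worked example of the TOTP mechanism just described; it is not code from the article or from Microsoft Authenticator. It implements the published standards (RFC 4226 HOTP and RFC 6238 TOTP) with the test secret those RFCs publish, and adds a small server-side verifier, of this example's own design, that enforces the two properties the paragraph relies on: a code is tied to its 30-second window, and a code is accepted only once.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time

# Added example: RFC 4226 (HOTP) and RFC 6238 (TOTP, SHA-1 variant). The
# TotpVerifier class and its replay bookkeeping are this example's design.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, then the low `digits` decimal digits (zero-padded)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of `step`-second intervals
    since the Unix epoch, which is why the code rolls over every 30 seconds."""
    return hotp(secret, int(at_time) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with the shared secret in Base32 (the
    otpauth:// QR-code format); decode it to the raw key bytes."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check: accepts a code only inside a small clock-skew window
    around the current step, and never accepts the same step twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.used: set[int] = set()   # counters already redeemed (replay protection)

    def verify(self, code: str, at_time: float | None = None) -> bool:
        now = int(time.time() if at_time is None else at_time)
        counter = now // self.step
        # Forget counters that are too old to be accepted anyway, so the set stays small.
        self.used = {c for c in self.used if c >= counter - self.window}
        # Allow +/- `window` steps of skew between the phone's clock and the server's.
        for c in range(counter - self.window, counter + self.window + 1):
            if c in self.used:
                continue
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.used.add(c)
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"              # RFC 6238 test secret, not a real key
    print(totp(secret, 59))                       # 287082 (RFC 6238 test vector)
    v = TotpVerifier(secret)
    print(v.verify(totp(secret, 59), 59))         # True: fresh code in its window
    print(v.verify(totp(secret, 59), 59))         # False: same code replayed
    print(v.verify(totp(secret, 59), 59 + 120))   # False: code has expired
```

An intercepted code is only useful to an attacker inside the window in which it was issued, and once the legitimate user has redeemed it the verifier refuses it outright, which is the difference from a static password or an SMS code that a server may accept for several minutes. The comparison uses `hmac.compare_digest` so that a wrong guess takes the same time as a right one.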
5. Beware of tricky questions on RIA insurance renewal forms. I cannot stress enough the importance of staying IT compliant. I see a lot of RIAs coming to me with their cybersecurity insurance renewal forms. These contain a lot of technical questions on IT compliance and cybersecurity. Some of the smaller financial advisors and RIAs may be “winging it” by answering yes when, in fact, that is not the correct answer. Answering these questions incorrectly could compromise your RIA’s IT insurance.
Protecting client data is crucial to an RIA’s customer and supplier trust and loyalty. Running an investment advisory firm means you handle important financial information and customer data all the time – and it’s pivotal that you protect it. Be sure your IT provider is maximizing security tools with the highest level of protection.
David Kakish is CEO of RIA WorkSpace, a provider of Cloud and managed IT services for RIA firms most often with five to 25 employees. As an author, entrepreneur and IT expert, David is committed to helping RIAs navigate their way through the world of ever-changing technology and complex IT environments. For more information, visit RIAWorkspace.com or connect with David at [email protected].com.