Regulators want to ensure advisors safeguard client and business information online. Implement these best practices to reduce the risk of your data being compromised.
As advisors, an ever-increasing share of the work we do is conducted using technology. While this trend has benefited both our clients and our businesses, it demands that we take steps to prevent unauthorized access to sensitive information.
The following best practices will help you secure important data and demonstrate to clients and regulators that you consider cybersecurity a top priority.
Optimize Password Management
When it comes to passwords, remember RULE: random, unique, long, and encrypted. The passwords you use to access each website or digital asset within your business and personal life should be randomly generated, with as many characters and as much complexity as the specific service allows. Each password should also be unique; you should never use the same password for multiple sites or services. Lastly, passwords should be stored in a safe place and encrypted, with the ability for other key personnel to access them only in the event of an emergency.
Recent updates to the National Institute of Standards and Technology password guidelines (SP 800-63B) actually recommend that services do away with password complexity and expiration rules. Most users faced with these rules simply append a number or special character to an existing password, since it is admittedly difficult to remember countless login credentials composed of randomly generated characters. Because length contributes far more to guess resistance than forced complexity, the institute and others recommend long passphrases (such as a sentence or a series of random words) that are easier to remember, rather than short "complex" passwords.
The optimal solution, however, is to make use of a password manager such as LastPass or 1Password to both create and securely store lengthy, complex, unique, and randomly generated passwords for you and your employees. A long passphrase known only to you is the right choice for the one "master" password that unlocks the manager, because that is the one password you must remember. For everything else, let the manager generate passwords: a randomly generated string of a given length carries far more entropy than a passphrase of the same length, because dictionary words are much easier to guess than random characters. Most popular password management applications offer enterprise licenses for multiple employees, as well as optional emergency-access provisions that let a designated person reach another employee's vault without knowing their master password (under certain conditions).
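The entropy arithmetic behind the two claims above (a long passphrase beats a short complex password, but random characters beat a passphrase of equal length) is easy to make concrete. The following is an added example, not code from the original article or from any password manager; it uses Python's `secrets` module, which is backed by the operating system's cryptographic random source, and a deliberately tiny constructed word list so that it runs offline (the 7,776-word count used for the entropy figures is the size of a standard diceware list).

```python
import math
import secrets
import string

# Printable ASCII without space: 94 symbols, the pool most sites allow.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny word list so the block runs offline.
# A real passphrase generator would draw from a list such as the EFF's
# 7,776-word diceware list; DICEWARE_WORDS carries that size for the
# entropy arithmetic below.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "hazel",
    "ivory", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pine",
]
DICEWARE_WORDS = 7776


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniform picks from a pool of
    `pool_size` choices. This number, not visual 'complexity', measures how
    many guesses an attacker needs on average."""
    return length * math.log2(pool_size)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password. secrets.choice is CSPRNG-backed; the
    `random` module is not suitable for this purpose."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Passphrase built from uniformly chosen dictionary words."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(password_len: int, phrase_words: int,
            wordlist_size: int = DICEWARE_WORDS) -> tuple[float, float]:
    """Return (bits for a random printable-ASCII password of password_len
    characters, bits for a passphrase of phrase_words words)."""
    return (entropy_bits(len(PRINTABLE), password_len),
            entropy_bits(wordlist_size, phrase_words))


if __name__ == "__main__":
    # A 6-word diceware passphrase beats an 8-character "complex" password:
    # roughly 77.5 bits versus 52.4 bits.
    print(compare(8, 6))
    # At equal length (a 4-word passphrase is about 20 characters), random
    # characters win by a wide margin: roughly 131.1 bits versus 51.7 bits.
    print(compare(20, 4))
    print(random_password(20))
    print(random_passphrase(4))
```

The comparison is the practical takeaway: the master password you must memorize should be a long passphrase, and every password the manager stores for you should be a long random string, since the manager removes the memorability constraint that made passphrases attractive in the first place.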
Use Multifactor Authentication
Multifactor authentication substantially raises the bar for digital access by requiring more than just a password to log into a site or service. Imagine someone has obtained the password to one of your highly sensitive services (e.g., cloud document storage). Without multifactor authentication, that person can log in as if they were you and gain access to all client data stored there. With multifactor authentication enabled, however, would-be intruders are out of luck unless they also hold one or more separate "factors" (commonly a temporary code generated by or sent to your mobile device, or an approval prompt on it).
When one of your service providers or cloud solutions offers multifactor authentication, strongly consider enabling it for all users. Though it may seem like a cumbersome step for employees, it quickly becomes routine and is one of the best ways to protect access to sensitive information. It can also alert users when someone is trying to access their account(s), which is a signal that it is time to change their passwords. Where you have a choice of factor, an authenticator app or a hardware security key is stronger than a code sent by text message, since text messages can be redirected through SIM-swap fraud. If you or your employees do receive authentication codes via text message, make sure that text previews are disabled while the device is locked and that every device used for multifactor authentication has a strong passcode. That way, even if unauthorized users obtain both your password and your mobile device, they still cannot log in without also being able to unlock the device.
Use the Right Tools
In addition to an enterprise-level password manager, it is imperative that you deploy the right tools to defend against common attacks. Make sure all company devices run up-to-date software and firmware, and that security patches are applied promptly as vendors release them.