Seven Microsoft Gems: Empowering Your RIA For Security & Compliance: RIA Tech Talk Episode #1

The RIA Tech podcast, presented by RIA WorkSpace, is on a mission to simplify the complex world of technology for Registered Investment Advisors (RIAs).

In this episode, hosts Todd Darroca and David Kakish discuss seven key Microsoft features that can empower RIAs in terms of security and compliance. These features are often underutilized by RIAs, and implementing them can enhance cybersecurity and ensure regulatory compliance.

Here’s the list we cover in this podcast:  

  1. Multi-Factor Authentication (MFA). MFA adds an extra layer of security by requiring users to provide two or more forms of authentication before granting access. It’s a fundamental security measure that every RIA should implement. 
  2. Email Encryption. Microsoft offers a user-friendly email encryption feature that enables users to easily encrypt sensitive emails on demand, ensuring the secure transmission of confidential information. 
  3. Email Archiving. Many RIAs are already paying for third-party tools like Smarsh or Global Relay for email archiving, but Microsoft’s email archiving option can save money and provide a seamless solution that meets SEC compliance requirements. 
  4. Microsoft Teams Archiving. RIAs using Microsoft Teams for communication can efficiently archive their Teams chats and conversations without the need for third-party tools. 
  5. File Archiving. For RIAs using OneDrive or SharePoint, Microsoft offers file archiving options that meet SEC compliance requirements. This feature allows you to keep records of previous document versions. 
  6. Data Loss Prevention (DLP). DLP helps prevent accidental data leaks by automatically detecting and protecting sensitive data, such as social security numbers or client information in emails. 
  7. Secure Single Sign-On for web-based applications. This feature enhances productivity and security by allowing employees to access various web applications with a single sign-on tied to their Microsoft Active Directory account. 

These Microsoft features are fundamental to improving security and compliance, particularly in the context of remote work. They are user-friendly and accessible, making it easy for RIAs to safeguard their sensitive data and ensure the security of their operations. RIAs are encouraged to take action, whether by configuring these features themselves, reaching out to their technology provider, or contacting RIA WorkSpace for assistance.

Don’t be a sitting duck; take action to protect your business and client information. 

Read The Transcript:

Todd Darroca (00:00):

Hello and welcome to the RIA Tech Talk podcast, brought to you by RIA Workspace. I’m Todd Darroca, and alongside me is David Kakish. Together we’re on a mission to simplify the complex world of technology for RIAs just like yours. Now in this podcast, we’ll be your tech guides breaking down those often confusing tech topics into plain and practical terms. So we hope you join us for each episode as we dive into the latest tech trends, we’ll share expert insights and help you navigate the ever-changing world of RIA technology. So let’s get started. David, what are we talking about today?

David Kakish (00:36):

Sure. Well listen, thanks Todd. I want to welcome you and I want to welcome the listener. The title of the session that we’re talking about today is Seven Microsoft Gems, and that’s empowering your RIA for security and compliance. And actually the subtitle that I like to use is these are seven security and IT compliance features that are probably part of your Microsoft subscription that your RIA just doesn’t know about that. And here’s why this is important for the RIA that’s listening to us. Number one is a lot of RIAs are paying for third party tools that they’re already part of their subscription. It’s kind of like throwing money out of the window. So why pay for something that I’m already paying for? And then the other thing is every RIA we work with or we talk to, we want to make sure that you’re able to maximize your cybersecurity and your IT compliance.

(01:28):

And so from my perspective, the really big problem that I see is a lot of RIAs don’t know that this is part of their subscription. And the worst part is a lot of, and you and I talked briefly about this before the session, a lot of IT providers don’t know that it’s part of their Microsoft subscription either. And there’s so much that you can do. And the analogy that I keep coming back to is that people have this airplane, these RIAs have this airplane, and they don’t need a new airplane, they just need a better pilot, somebody that can sit in the cockpit and know what to do. So we’re going to talk about seven things that are part of your Microsoft subscription that you’re probably not using. And I can assure you, even if you think you’re using everything, there’s probably two or three that you’re not using. And from our experience, once we start talking with RIAs, most of them, they’re only using 20% of their Microsoft subscription.

Todd Darroca (02:19):

And I guess it’s not abnormal, not using everything in your subscription for any product. And when I think about the IT pros out there and anybody else, sometimes there’s so much that they have to do every single day and hundreds of tickets coming through, different equipment problems, software and infrastructure, all that stuff. So you can’t blame ’em for just kind of missing out on this. So this is great that hopefully when you talk about these seven things will be some cool tidbits in there for them. Yeah,

David Kakish (02:46):

And what I’ll do is to be clear, we really target when we’re working with RIAs, we’re working with the managing partner or the chief compliance officer or the chief operating officer. Most RIAs don’t have an in-house IT person. So that’s another really big challenge. So our messaging, we’re not really, as much as I’d like to geek out and get into the details of the technology, I’ll keep it really high level so that we don’t lose the chief compliance officer or the managing partner. And so we’re going to share these seven things with you, and by the end of the session, you’re really going to, I think most RIAs, if they’re, I mean, I can assure you they’re probably not using five of these seven things that I’m talking about. Maybe they’re using one or two. But by the end of the session, as a CCO, as a managing partner, you can walk away with this and either do it yourself. That is an option. You can contact your IT provider and say, Hey, I was listening to David and Todd and these are three, four things that we want to have in place that we’re not. Or you can contact us, we’d love to help you. But I think my goal is I don’t want you to be listening to this and then walk away and not do anything. Because again, we want to help you increase your cybersecurity posture and help you increase your IT compliance.

Todd Darroca (04:03):

Yeah, absolutely. Alright, so I think what I want to hear from you more David, is the costs that people may be throwing out the window when they’re using this subscription, but not really knowing what it’s supposed to be used for. Can you kind of dive into that just a bit to tell some real world stories or what you’ve seen so far in the world right now?

David Kakish (04:26):

Yeah, yeah. So I first heard this story by Dan Kennedy who’s like the godfather of direct response marketing. I’m sure you’re probably familiar with them, but I can’t remember if he said, take $20 and throw it out the window or take $20 and flush it down the toilet. And he goes, do that and then do it every day and then do it every day. And how does that make you feel, right? And you’re like, well, I feel stupid. I feel like an idiot. And he goes, and so I’m taking that same analogy and I’m challenging that RIA, that person that’s listening to us today, I’m challenging you and telling you every single day in your business you’re taking a lot more than $20 and you’re flushing it down the toilet and you’re doing it every single day, every single week, every single month. And so personally I feel, I don’t know, I feel stupid when I do that. I’m like, oh my goodness, I didn’t know that that’s an option. So I guess Todd and maybe the listener, some people might feel angry, they might feel, I don’t know what the feeling is, but I’m

Todd Darroca (05:22):

Here to

David Kakish (05:24):

From, yeah,

Todd Darroca (05:24):

I don’t like throwing out 20 bucks a day. We’re on a budget over here. So yeah, anything to save me 20 bucks a day, times that with 365 days, I’ll take it. That’s

David Kakish (05:34):

Right. That’s a lot of happy meals. That’s how I measure things sometimes. All right, so again, so just a little bit of context. We don’t really work with very large financial institutions. Vast majority of RIAs we work with typically have, let’s just say between five and 25 employees. And we even have smaller ones and bigger ones and things like that. But I think what happens is because we work with these RIAs so much, we understand some of the unique challenges that they have. And the fundamental challenge that you as an RIA have that’s different than that business across the street is you’ve got millions of dollars in AUM. That business across the street does not. So your requirements for IT compliance for cybersecurity are exponentially higher than that business across the street. And again, it’s not that the current IT provider you work with doesn’t care about you, or they’re used to working with smaller clients. And so some of these enterprise, big business security, it’s really difficult for ’em to take it and apply it to an RIA with employees. And so we tend to see that quite a bit. So I just wanted to give some context for the story to why we see that. And then I’m just ready to go down the list one by one, let’s do it and then talk about that. Yeah. Okay.

Todd Darroca (06:55):

Cool. So we’ve got seven lists, or excuse me, seven tips to keep in mind. So David, start us out with number one. Sure.

David Kakish (07:02):

Well listen, everybody should be doing this if they’re not, get this done by the end of day tomorrow, right? Multifactor authentication for every single person on your team. So actually Todd, let me rewind a little bit. This would apply whether you’re using Google or Microsoft or Amazon or whatever, but I’m really going to focus in and talk about the people that are using the Microsoft subscription because Microsoft in this space, they’re kind of like they’re the 800 pound gorilla. That’s kind of like the de facto standard over 80 if not 90% of RIAs. That’s what they’re using. They’re using the Microsoft platform. So I’m going to really focus in on that. But again, it applies to other platforms. So number one, multi-factor authentication for every single person on your team. And ideally, I would encourage you to use the authenticator app, the authenticator application on your smartphone rather than getting the text messages.

Todd Darroca (07:58):

So I have three different types of authenticators. So is there any one that you recommend over the other, or is it just to have an MFA just so you can make sure that, again, you’re adding that extra layer of security?

David Kakish (08:14):

Yeah, it’s really having that MFA to have that extra layer of security. At the end of the day, it doesn’t really matter whether it’s Google or Microsoft or whatever, but that’s just a higher level of security rather than getting that over text messages. So if you don’t have, listen, if you don’t have multifactor authentication enabled for everybody, you definitely want to have that enabled for every single person on your team. And ideally you’re using the authenticator app, don’t care if it’s a Google, Microsoft or whatever. We like the Microsoft ecosystem, but you can really use anything. So this is the easy one. This is the easy one. A lot of people are doing it. We kind of put an easy one in the beginning. The second one, and I am amazed at how many RIAs are paying for a third party tool that’s clunky, that’s cumbersome, is email encryption.

(09:04):

And what I mean by that, when it comes to email encryption, and maybe I’ll just kind of open up my email for those of us that are watching the demo of this. So the really beautiful thing about the Microsoft email encryption is you can encrypt it on demand. There are people that are using a lot of third party tools where you have to type the word encrypt, where you have to put it in brackets, and if you don’t do it, it doesn’t encrypt it and so on. And so they’re paying for a third party tool that’s clunky. That’s a pain in the butt here. I’m going to open up.

Todd Darroca (09:38):

Yeah, I use Microsoft and I’ve never, that’s a new thing I’ve learned here is the encrypt part. I’ve never seen that the bracketing done. That’s really helpful. You’re going to walk us through. I’d love to see too, how do I even set that up? Is it easy? Is it difficult? You

David Kakish (09:55):

Know what? So let me share my screen here really quick and I’ll share that. I usually don’t do it on these things, but it’s so easy that I want to go ahead and I want to share that. So I’m going to go ahead and I’m going to share my screen,

Todd Darroca (10:11):

And for those of you listening, we’ll make sure to walk you through as close as we can. Thanks Todd. But yeah, we’re on video, so join us over here on YouTube and we’ll get to watch us there.

David Kakish (10:21):

Sounds good. Todd, you see my screen right now, right?

Todd Darroca (10:24):

Yeah. I see you got your email open, all that good stuff,

David Kakish (10:27):

All that I have to do, all that I have to do to send out an encrypted email is just click on this button right here, encrypt and it sends it out. That’s it. It’s that simple. I don’t have to type encrypt in brackets or anything like that. Yeah, exactly. That is really it. It’s that simple. And you can send it on demand, a lot of other solutions, third party solutions you have to type in, come in here and type in encrypt. And if you don’t put it in brackets or if you don’t type it or whatever, it doesn’t do that. And here it’s really nice, you can encrypt it on demand. Now the other really nice, well, so yes, so Todd, you want to explain to the person that’s listening to us?

Todd Darroca (11:03):

Yeah, and I’m like you ladies and gents listening in, I’m learning this stuff as I go in the encryption part. So what he actually did is he went inside of his email inbox and right above the email body copy, there is a button that says encrypt. And he simply just pressed that and it automatically does it. And you don’t have to do the other bracketing and all that stuff. Make your life harder. It just looks like you just press a button. So I’m definitely going to be using that in my own instance as well.

David Kakish (11:34):

Yeah, exactly. And this is part of the Microsoft 365, like the E3 subscription or the E5 subscription. And if you don’t have that, you need to upgrade that. And again, it’s a nominal cost for that, and I don’t want to get into pricing too much, but yes, you might have the package where you might need to upgrade a little bit, but you get so many more features that it’s just absolutely worth it. So again, it’s the Microsoft 365 subscription, either the E3 or the E5, not the Office 365 subscription.

Todd Darroca (12:08):

Got it. Okay. Yeah. Nice, nice. Cool. So what’s the third one here?

David Kakish (12:13):

Alright, so the third one, and this is a really big one, A lot of people do not know that this exists.

Todd Darroca (12:18):

Don’t, I’ve never

David Kakish (12:20):

Heard of it. Email archiving is the email archiving. And so in the financial advisory world, there’s two big players, the Pepsi and the Coke, it’s Smarsh and Global Relay. So if you’re archiving, 90% of you are using either Smarsh or Global Relay. Nothing wrong with that. Those are two really good platforms. But if you’re already paying Microsoft for the email archiving and you don’t know it, you might as well use that. And I would even go out and I would argue that it’s even a better solution than those third party tools because your email’s already sitting at Microsoft, and so it’s archiving your emails. You don’t have to pay for that third party tools, and it’s really phenomenal.

Todd Darroca (12:58):

What is it? So why is it beneficial?

David Kakish (13:03):

So a lot of RIAs, they’re required financial advisors, a lot of ’em are required to archive their emails in the future, if there’s an SEC audit or they get sued by a client or anything like that, they need to be able to produce that.

Todd Darroca (13:21):

Got it. Alright, cool.

David Kakish (13:22):

Yeah. And again, I know Todd, you don’t necessarily work in this space. I work a lot in this space. The Pepsi and the Coke, the two big players. What’s the economic term? Duopoly or

Todd Darroca (13:37):

Duopoly?

David Kakish (13:39):

It’s Smarsh and Global Relay. And historically that’s what it’s been. And Microsoft and Microsoft solution is actually a really, really, really good solution too. But anyways, I don’t want to get too much into weeds on that.

Todd Darroca (13:51):

Alright, what’s number four?

David Kakish (13:52):

All right. Number four is Microsoft Teams archiving. So you and I at the beginning were joking, I was having issues with Zoom because I’ve been using teams for so long and I’m recording on Zoom today for various reasons. But anyways, if you’re using Microsoft Teams, you can actually go ahead and you can archive that too. A lot of people are paying for a third party tool to do that. You do not need to pay for a third party tool to do that. We can set that up. And again, to be fair, I should say these are not things that are configured out of the box. You need to either go in and set that up or you need to work with your IT provider to set this up, or you can contact us and we’re happy to help you set that up.

Todd Darroca (14:32):

Got it. And so number five on the list here is file archiving. Lots of archiving going on. So let’s talk about file archiving.

David Kakish (14:40):

So a lot of clients are using OneDrive or SharePoint. And one of the things that we do by default during our clients when we onboard them, we do a seven year archive and then 500 revisions of a document. So you know how if you accidentally override a document, you can quickly go to a previous version of that document. So we do that by default. Very few clients know that you can actually do the archiving. Now people will talk about backup and disaster recovery and things like that. And yes, you want to do that, but this is actually file archiving that meets the SEC compliance requirements. It’s really fantastic. Very few people know that that’s even an option that you can actually do within the Microsoft ecosystem. Again, this is if you’re using SharePoint or OneDrive.

Todd Darroca (15:25):

Yeah. Okay. So let’s talk about number six on the list as data loss prevention.

David Kakish (15:32):

Yes, data loss prevention. I love talking about this or DLP because in my previous lifetime, and this was probably, well, I was going to say 10 years ago, but it’s a lot more than 10 years ago,

Todd Darroca (15:43):

It’s,

David Kakish (15:45):

It’s more like 20. So I used to work at a security specialist where we provided security for really Fortune 1000 type of companies and data loss prevention. I kid you had to buy all this gear from Cisco and then just the initial setup, the configure, it was like the initial implementation was over a hundred thousand dollars.

Todd Darroca (16:06):

I was going to say that’s pricey. That’s a pricey infrastructure build.

David Kakish (16:09):

And today, if you’re an RIA with 10 employees, you have access to that same technology. We can provide that. And it’s even better than what it was 20 years ago where these big enterprises were paying all this money. So all that, that means data loss prevention is if I work for your RIA and I send out an email with a social security number or an account number or a passport number for that matter, whatever, it can automatically detect that, encrypt it, and send it out. Wow. It can also notify your chief compliance officer, Hey, you know what, David just sent out an email with this. The other nice thing about data loss prevention is you can actually put in specific keywords. We have clients, for example, that’ll go in and say, Hey, look, every time the word illegal or guaranteed returns sent out from one of our financial advisors, I just want to get notified.

(17:03):

Let that email go. That’s okay, but I just want to get notified so I can just go ahead and take a look at that. So if I were to break out data loss prevention, there’s two levels. There’s stuff that, oh my goodness, this. And usually it’s not intentional. It’s a mistake. Somebody will send out a p d that has a social security number or account number, so it’ll automatically detect it, encrypt it, and send it out. And then there’s another category. The second category is where your CCO, from a compliance perspective, chief compliance officer wants to know that, hey, the reps that are sending out things like, Hey, you know what? Invest in this. You’re going to get guaranteed returns. That’s not compliant. And so they need to have the ability to do it. And this is actually this tool that we set up for our clients, phenomenal, very sophisticated. And we set up our clients with a baseline, but then they can really tweak it and they can go deep into it. Again, very, very, very few RIAs and financial advisors know that this is something that they can go ahead and they can set up.

Todd Darroca (18:11):

So on data loss prevention, I know, and I have taken so many courses working for companies that bring me through a data loss prevention training exercise, how much of the DLP is even before things are placed in your infrastructure or in your email outlook, all that stuff. So how much training should somebody dedicate to this in person with the team members? Or is it simply just how often do we need to train people, I guess is my question. I remember taking it every quarter.

David Kakish (18:45):

So you’re touching on a couple of things. I think your question to me is like, Hey, how often do we train our financial advisors or employees? That’s what you’re asking me. Yeah. So that’s part of, I would say a broader, we have something, and again, we provide that for our clients. A lot of RIAs have something in place is security awareness training, right? So if we do security awareness training and simulated phishing campaigns for our clients, but DLP is sort of part of that. And then every RIA to meet the SEC compliance requirements needs to make sure that they have security awareness training. We’ve actually done it for our clients where we use a third party tool. And it’s really fantastic, just very short three to five minute videos where, hey, how to better secure yourself when you’re traveling, how to better secure the elderly. And it’s a training, and we’ve gamified it in the sense of all your employees get a score, and then you don’t want to be the team member with the lowest score.

Todd Darroca (19:44):

A little bit of shaming there, huh?

David Kakish (19:47):

It works.

Todd Darroca (19:48):

Yeah, it does. Sure it does. Brene Brown would probably be like, no, we don’t need to shame people. That’s right.

David Kakish (19:54):

Well, there’s two categories of people, people that want to be at the top and then people that just like, I don’t want to be the last one. I could be second to last, but I don’t want to be last.

Todd Darroca (20:03):

That’s right.

David Kakish (20:05):

Yeah. So each RIA is a little bit different in terms of how often they have that, but we have a really nice security awareness training, and that’s really part of that.

Todd Darroca (20:15):

And so now we’re going to move on to the last part of the list. Number seven, it is the always helpful SSO or secure single sign on. And so I know I have done this quite a bit lately where either I sign in through a program like Okta or I sign in. I think even Google now has single sign on in many cases. So tell us about this and why has it taken off so strong more in recent time?

David Kakish (20:47):

So yeah, secure single sign-on for web-based applications. A lot of people might confuse that with a password manager, or I would even say a consumer grade version of secure single sign-on for your web-based applications. But if you don’t know what that is, let me just kind of maybe briefly talk to the listener. So imagine you come into a dashboard and then now you see in there, you see e-money, you see Orion, you see Redtail, you see Salesforce, you see QuickBooks online. Me as an employee, I can just click on Redtail or Orion and it automatically logs me in. So as an employee at that RIA, I am a lot more productive because I could just go ahead and do that. Now, on the backend, it’s a lot more secure because it’s tied into my Microsoft Active Directory account. So from a productivity perspective, we hire Mary.

(21:39):

Mary starts working at this RIA, she logs into her computer, she goes to that web dashboard. Now she has access to all these web-based applications. I don’t know, three years from now, Mary leaves, we disable her main account and she can’t access her computer, she can’t access the web-based application, she can’t access her email or anything like that. So again, much more productive and much more secure. A lot of people are familiar with the consumer grade that Chrome provides, right? And that’s okay, but this is more enterprise grade. This is kind of like the consumer versions on steroids where you can actually do a lot more with that. And so again, we do this during our onboarding process with our clients, but a lot of RIAs don’t know that you can actually do that. And it’s really a phenomenal productivity tool. I use it every single day, but it’s also, it really, really helps from better securing your web-based applications.

(22:41):

And so there’s a couple of ways to set this up. You can set it up for your employees so they don’t know what their credentials are, or you can allow employees to set that up. I guess I don’t want to get too much into the weeds. It’s easy for me to do it. But again, I want to keep in mind that as a listener listening to us, they’re not an IT person. They’re an executive that wants to know, Hey, how can I apply and use that technology? So I would say, Todd, out of the seven things that I mentioned, I kind of put the multifactor authentications like easy number one. I think a lot of people are doing that, but two through seven. So the six other things that I mentioned, the very few RIAs are using all that. If you are pat yourself on the back because you’re in the minority. If you’re not gold star, yeah, exactly. If not, these are things that you could really use in your practice.

Todd Darroca (23:33):

I guess too, just real quick to wrap that up, since a lot of it is now remote work too, and so these executives are dealing with employees who may not be in the building, so to speak. And so I would think all of these steps, probably they need to follow those now as a best practice. But now even more so because of the increased cyber attacks. I mean, you saw in Vegas those cyber attacks recently and even in other countries. So I’m assuming this is all pretty best practice stuff that we should start doing now, and if you’re not, get on it quickly.

David Kakish (24:07):

Yeah, absolutely. And I’ve mentioned seven. I mean, there’s a lot more that we do for our clients. People have a computer, they’re working in the office, they’re working at home, they’re working from a hotel room when they’re traveling. So how do you sort of secure that endpoint? And again, we can have separate sessions, we can talk, there’s a lot of other things that we can do, but these are like seven. I don’t want to say that they’re easy. I mean, these are seven quick things. I’m like, look, every RIA can and should take advantage of these things. That’s kind of how I’m thinking about that. There are other things that kind of gets a little bit more complicated in the weeds, but these are things that I just wanted to mention. So multi-factor authentication, email encryption, email archiving, teams archiving, file archiving, data loss prevention, and secure single sign-on for web-based applications. Those are the seven. As a recap, if you’re doing all seven, congratulations. If not, go for it.

Todd Darroca (25:03):

So all this information, how do we enable or activate these RIAs to do? What are the next steps that they can take when they leave the podcast? Yeah,

David Kakish (25:15):

So there’s three things you can do, right? Number one is you can do it yourself, right? If you are tech savvy and you want to go in, absolutely go do it yourself. If not, reach out to your IT provider and say, Hey, David and Todd, we’re talking about these things. We’d like to get these things set up in place. And so that’s the second option. The third option is contact us. We’re happy to help. Just go to www.riaworkspace.com and contact us, and we’re happy to help. I guess what I don’t want you to do is I don’t want you to be complacent, because again, you don’t want to be a sitting duck. You’ve got millions of dollars in AUM, you want to go ahead and you want to protect that. So that’s probably the call to action, the CTA that we like to, it’s like look, either do it yourself, contact your IT provider so they can help you with this or contact us. We’re happy to help.

Todd Darroca (26:06):

Big takeaway, don’t be a sitting duck, folks. Just take one of those steps, really easy steps. Well, hey, we want to thank you for listening to the RIA Tech podcast, brought to you by RIA Workspace. And so for more resources and even more podcasts as we make these, go to riaworkspace.com and check out the learning center. Now, we always want you to be a part of this conversation, and so as we’re building new stories and new shows for the podcast, we’d love to hear from you. What do you want us to talk about? What questions do you have that you’d like to be answered? Or maybe myths that you want demystified? So feel free to reach out to us with any questions. You can either fill it in the YouTube comments or just simply email us and stay tuned for more of our RIA Tech Insights on our next episode. So I’m Todd Darroca for David Kakish. Thanks so much for listening and we’ll see you next time. Thank you.
