9 cyber security best practices every RIA firm should have in place
Cybercrime is at an all-time high, and hackers are setting their sights on small and midsized RIA firms that they consider “low-hanging fruit.”
Don’t be a sitting duck.
Don’t think you’re in danger because you’re not a big target like a J.P. Morgan or Home Depot? Think again. 82,000 NEW malware threats are released every day, and half of the cyber-attacks occurring are aimed at small businesses. Small and midsized RIAs are perfect targets for cybercriminals because you hold a wealth of information on your clients and their finances. In fact, the SEC reported that 74% of advisors experienced some sort of cyber threat. It wasn’t so long ago that the SEC announced a fine for a St. Louis-based RIA because it didn’t properly protect its customer information.
The number of SMBs being targeted is growing rapidly as more businesses use cloud computing and mobile devices and store more information online. Because of all of this, it’s critical that you consider the following best practices for your RIA firm to keep your data and systems protected.
1. Train employees on security best practices.
The #1 vulnerability in business networks is the employees using them. It’s not uncommon for an employee to infect an entire network by opening a phishing e-mail and clicking its link or attachment. If employees don’t know how to spot malicious e-mails or online scams, they can compromise your entire network.
Want some tips and resources for employee security training? Check out our blog post Can Employee Training Help Prevent Security Nightmares?
2. Create an Acceptable Use Policy (AUP) – and enforce it.
An AUP outlines how employees are permitted to use company-owned PCs, devices, software, Internet access and e-mail. We strongly recommend putting a policy in place that limits the web sites employees can access with work devices and Internet connectivity.
You have to enforce your policy with content-filtering software and firewalls. Your IT department can easily set up permissions and rules that will regulate what web sites your employees access and what they do online during company hours and with company-owned devices, giving certain users more “freedom” than others.
Having this type of policy is particularly important if your employees use their own personal devices to access company e-mail and data. If an employee checks unregulated personal e-mail on their own laptop and that laptop becomes infected, it can be a gateway for a hacker to enter your network. If that employee leaves, are you allowed to erase company data from their phone? If their phone is lost or stolen, are you permitted to remotely wipe the device – which would delete all of that employee’s photos, videos, texts, etc. – to ensure your clients’ information isn’t compromised?
The data an RIA firm collects is highly sensitive, and you shouldn’t allow employees to access it on devices that are not secured; but that doesn’t mean an employee won’t innocently “take work home.” If it’s a company-owned device, you need to detail what an employee can and cannot do with that device, including “rooting” or “jailbreaking” it to circumvent the security mechanisms you put in place.
3. Require strong passwords and passcodes to lock mobile devices.
Passwords should be at least 8 characters and contain lowercase and uppercase letters, symbols and at least one number. On a cell phone, requiring a passcode to unlock the device will go a long way toward preventing a stolen device from being compromised. Again, this can be enforced by your network administrator so employees don’t get lazy and choose easy-to-guess passwords, putting your organization at risk.
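Here is what the password rule above looks like when an administrator enforces it in code. This is an added example written for this post, not part of any product; the length, character-class and symbol checks are exactly the rule stated above, while the small common-password list and the passcode checks (minimum digits, repeated digits, sequential digits) are my own assumptions, added because a password that ticks every box can still be trivial to guess.

```python
import string

# Rule from the post: at least 8 characters, lowercase, uppercase,
# at least one number and at least one symbol.
MIN_LENGTH = 8

# Constructed sample of passwords that satisfy the character rules but are
# still easy to guess. A real deployment would check a breached-password list.
COMMON_PASSWORDS = {"Password1!", "Welcome1!", "Summer2024!", "Qwerty123!"}


def policy_failures(password: str) -> list[str]:
    """Return every rule the password breaks; an empty list means it complies."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    if password in COMMON_PASSWORDS:
        failures.append("appears on the common-password list")
    return failures


def meets_policy(password: str) -> bool:
    return not policy_failures(password)


def passcode_weaknesses(passcode: str, min_digits: int = 6) -> list[str]:
    """Assumed device-passcode rule (not stated in the post): numeric, at least
    min_digits long, not all the same digit, not a straight run like 123456."""
    problems = []
    if not passcode.isdigit():
        return ["not numeric"]
    if len(passcode) < min_digits:
        problems.append(f"shorter than {min_digits} digits")
    if len(set(passcode)) == 1:
        problems.append("all digits identical")
    digits = [int(c) for c in passcode]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        problems.append("sequential digits")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Password1!", "abcdefgh"):
        print(candidate, "->", policy_failures(candidate) or "OK")
    for code in ("123456", "111111", "493027"):
        print(code, "->", passcode_weaknesses(code) or "OK")
```

The point of the common-password check is that complexity rules alone measure shape, not guessability; “Password1!” passes every character test and is still one of the first strings an attacker’s tooling will try.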
4. Keep your network up to date.
New vulnerabilities are frequently found in common software programs you use, such as Microsoft Office; therefore it’s critical that you patch and update your systems frequently. If you’re under a managed IT plan, this can all be automated for you so you don’t have to worry about missing an important update.
Check out our blog post “Install Now” or “Remind Me Later”: The Importance of Software Updates.
5. Have an excellent backup and disaster recovery plan.
This can foil the most aggressive (and newest) ransomware attacks, where a hacker locks up your files and holds them for ransom until you pay a fee. If your files are backed up, you don’t have to pay a crook to get them back. A good backup will also protect you against an employee accidentally (or intentionally!) deleting or overwriting files, natural disasters, fire, water damage, hardware failures and a host of other data-erasing disasters. Again, your backups should be automated and monitored, because the worst time to test your backup is when you desperately need it to work!
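“Monitored” in practice means checking, on a schedule, that the backup copy still matches what was backed up. The script below is an added example written for this post (not a vendor’s tool): it records a SHA-256 manifest of the source files at backup time and later verifies the backup copy against it, reporting files that are missing, altered or unexpected. The client folder, file names and contents are constructed sample data, and the “damage” step stands in for a ransomware overwrite and a lost file.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): sha256_of(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare the backup copy against the manifest taken at backup time."""
    found = build_manifest(backup_root)
    return {
        "missing": sorted(f for f in manifest if f not in found),
        "altered": sorted(f for f in manifest if f in found and found[f] != manifest[f]),
        "unexpected": sorted(f for f in found if f not in manifest),
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: back up a small client folder, verify it,
    then damage the backup the way ransomware or a disk fault would."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "clients"
        (source / "2024").mkdir(parents=True)
        (source / "2024" / "smith_plan.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (source / "accounts.csv").write_text("client,account\nSmith,1234\n")

        manifest = build_manifest(source)            # taken at backup time
        backup = Path(tmp) / "backup"
        shutil.copytree(source, backup)              # the backup job itself
        healthy = verify_backup(manifest, backup)    # routine monitoring check

        # Simulate an encrypted file and a lost file in the backup set.
        (backup / "accounts.csv").write_bytes(b"ENCRYPTED")
        (backup / "2024" / "smith_plan.pdf").unlink()
        damaged = verify_backup(manifest, backup)
    return healthy, damaged


if __name__ == "__main__":
    before, after = demo()
    print("healthy backup:", before)
    print("damaged backup:", after)
```

In a real deployment the manifest is stored separately from the backup (a backup that ships its own checksums can be altered together with them), and a non-empty “missing” or “altered” list raises an alert rather than silently waiting for the day you need a restore.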
6. Don’t allow employees to download unauthorized software or files.
One of the fastest ways cybercriminals access networks is by duping unsuspecting users into willingly downloading malicious software embedded within downloadable files, games or other “innocent”-looking apps. This can largely be prevented with a good firewall, employee training and monitoring.
7. Don’t scrimp on a good firewall.
A firewall acts as the frontline defense against hackers, blocking everything you haven’t specifically allowed to enter (or leave) your computer network. But all firewalls need monitoring and maintenance, just like every other device on your network. This too should be done by your IT person or company as part of their regular, routine maintenance.
8. Remote access.
In this day and age, the convenience of anytime, anywhere access to data poses new security threats that firms need to consider and address. Keeping your data secure now extends far beyond the walls of the office: it includes staff in the field, employees’ homes and their cell phones as well. It’s a good idea to develop a written policy for remote access and invest in technologies that provide remote wipe, mobile phone lock and password complexity enforcement. A great way to avoid data loss on remote devices is to use remote access technologies such as Citrix and Terminal Services. In these remote computing environments, data is not stored on the device; it stays on the server, where it can be controlled and is far less likely to be left on the train or stolen from your back seat.
9. Don’t publish your email addresses on your website.
Another thing to consider is what information you post on your website. RIA firms love to publish their team members’ names, phone numbers and email addresses. This is helpful for the general public, but it makes it one step easier for someone to get into your network. Consider including a contact number and a generic email address for each department, or a contact form, rather than advertising each team member’s email address. This will add one more layer of protection for your firm.