Data breaches are on the rise, especially in the financial services industry. From large organizations like BlackRock to smaller state-registered advisors, everyone is vulnerable.
All RIAs need to establish and follow cybersecurity policies, but as a small business you likely don’t have a dedicated IT manager who can constantly monitor threats.
If you want to limit your exposure and be reasonably certain that you’re doing what is necessary to keep client data safe, follow these four cybersecurity best practices.
1. Manage Your Passwords
Many data hacks occur because of the use of repeat passwords. The best practice is to switch up your passwords. This will help ensure that if one password is compromised, that breach can be isolated. It’s a good idea to remind your clients about password best practices whenever you give them a new login, like to your client portal.
Of course, many RIAs have a plethora of technology that they use internally as well, so remembering all of those different passwords can seem daunting.
Using another piece of technology called a password manager will help you remember them all without burdening your memory.
Password managers securely store usernames and passwords, as well as URL links, to help you stay organized. They also will generate strong passwords for you. No more “password123” or “ihatepasswords”.
Some of the most popular and highly rated password managers according to PCWorld and G2Crowd are:
- 1Password
- Keeper Password Manager
- LastPass
- RoboForm
- Zoho Vault
2. Know Your Vendors
Your technology stack is in place to help you work more efficiently. But without the right security in place, your tech vendors can be a huge security risk for you.
As part of the due diligence process, contact your vendor(s) to obtain information on their security practices. Information security policy, business continuity plan, cyber-security insurance are the most important items to consider.
Security certifications provide additional confidence. Your fintech partners should be SSAE16 certified and PCI-DSS compliant just like Kwanti. These are essential security designations every fintech company should have.
SSAE16 is short for Statement on Standards for Attestation Engagements No. 16, which was created by the Auditing Standards Board of the American Institute of Certified Public Accountants. It is a set of standards and guidelines to be used when auditing how service companies report on their compliance controls. To be SSAE16 certified, vendors have to have a program in place for making sure their security processes and procedures are working and sensitive information is being safeguarded.
Payment Card Industry Data Security Standard (PCI-DSS) is a set of standards and requirements for companies that store, process, or personal information. To be compliant, a vendor security environment is audited by a third-party company.
Check in with your current vendors to see what security measures they have in place, and be sure to include cybersecurity as a part of your vetting process going forward.
3. Set Up Two-Factor Authentication
Even with strong passwords saved securely in a password manager, it is best practice to also set up two-factor authentication. This additional layer of security is becoming increasingly widespread as we use our devices more and data breaches keep rising.
Most of us are familiar with two-factor authentication even if we don’t know the name for it. For example, you use a username and password to sign into your bank’s website. Before you can access your account, you have to enter a code that was sent to you via text message or answer a personal security question, such as the first name of your oldest niece or the street you lived on in third grade.
The first factor is your password; the second is the code or security answer. More advanced two-factor authentication can call for a fingerprint or a security badge with a chip to be inserted into a device that hooks up to your computer.
Conduct an audit of all of the systems you are signing into and turn on two-factor authentication where you can.
4. Train Your Staff
All of the other cybersecurity measures can be rendered useless if you don’t properly train your staff.
Here are a few best practices to follow:
- Annual training: At a minimum, you should hold annual training sessions to go through policies, procedures, and anything new. Be sure to take attendance to ensure everyone is trained. Challenge yourself to switch things up so that people don’t get bored, tune out, and miss important information.
- Post reminders: Posters outlining cybersecurity best practices—like these ones from the Department of Homeland Security—can serve as good reminders for your staff on a daily basis. They also can also be a good tool for demonstrating compliance efforts.
- Run some tests: IT professionals like Align or fintech companies like RIA in a Box offer training and services that can help you run a test to see if your employees are staying vigilant, especially for phishing. Phishing occurs when an email that looks like it is from a reputable source is sent to individuals or a whole group of people in your company to entice someone to share their personal information (such as passwords, credit card numbers, etc.) or to click on a link that allows someone else to gain access to your network. Tests can help you identify employees who need retraining.
Getting Started
Financial advisors are especially big targets for cybersecurity criminals because of the amount of financial and personal information you handle and store. Protect your business and your clients by establishing and maintaining cybersecurity best practices today.