Advisor Guide to Online Security

Hackers are regularly in the news these days for attacks on large business and government websites. However, it’s not just large organizations that are being targeted. Financial advisors – and their clients – are the targets of regular hacking attacks as well.

According to a 2014 cybersecurity examination program by the SEC in the US, 88 percent of broker-dealers (of a total of 57 firms examined) and 74 percent of advisors (of a total of 49 individuals examined) have been targets of online attacks. Most of the attacks took the form of fraudulent emails and 25% of the respondents reported losses of more than $5,000 with none exceeding $75,000.

Despite the relatively small losses that resulted, the dangers of these attacks cannot be ignored. Potential impacts include: loss of data, breaches of privacy, compliance infractions and potentially significant financial losses to you and your firm. Perhaps most concerning, these attacks could result in the loss of your clients’ trust.

While some advisors and organizations are technically sophisticated and implement appropriate security precautions, many of us feel that online security is complicated and we rely on others to take care of it for us. Worse still, many of us hope we don’t get targeted. Hope, however, is not a reliable security strategy.

If technology intimidates you, this guide is for you. We’ve compiled some security best practices in simple non-technical language to help you increase your security awareness and adopt practices that protect your security – and, just as importantly, the security of your clients.

This guide will cover four basic types of security:

  • Password security
  • Device security
  • Data security
  • Social engineering

For each of the above areas, we will explain why it’s important and offer some simple strategies and actions you can take to improve your security.

 

Securing Your Passwords

Passwords are the foundation of online security and the easiest way you can strengthen your security because of one simple fact: strong passwords provide considerably more security than weak ones.

One of the most common ways hacker get access to an account is to “guess” the password. However, hackers are not typically guessing passwords in the way you or I might. Instead, they are using software tools that can try out thousands of passwords per second until they find one that works. This approach is referred to as a brute force or dictionary attack.

You should never use passwords such as “123456” or “password” or even “letmein” because these are among the most common passwords

Strong passwords are better than weak ones

So, what makes a password strong? A combination of randomness and length makes passwords harder for hackers to crack with brute force attacks.

Many of us have been led to believe incorrectly that mixing case and substituting characters makes passwords stronger. This illustration explains why this is not always true:

 Credit: XKCD – https://xkcd.com/936/

Credit: XKCD – https://xkcd.com/936/

The example above captures the essence of a strong password: four common words randomly put together. No kids or pet names. No postal codes or phone numbers. Nothing that is easily guessable.

Managing many passwords

In this increasingly online world, we all have to access many online sites and services that require a password. Chances are, we have dozens if not hundreds of places where we need to enter a password.

That’s where password manager software such as LastPass, Dashlane and others can come in handy. These applications allow you to safely store and manage many passwords using one tool. You can even customize these password management tools to automatically log you into sites and help you choose strong passwords. And all you need to remember is one strong password to access your password manager and all your other passwords.

Advanced user authentication methods

A new generation of user authentication methods is starting to appear on web-based and mobile applications and devices. Multifactor authentication requires the user to enter a password as well as a code that is transmitted to your mobile device. Embedded biometric sensors, such as the fingerprint recognition capability that currently exists on some Apple mobile devices, bypasses the password altogether. Other advanced authentication methods, as well as uniform guidelines for digital IDs and authentication, are either in use or under development.

Password security tips

To summarize, here are a few tips to increase your password security:

  1. Always use a strong password. A random string of common words makes a very strong password that is easier to remember.
  2. Start using a password manager if you need to keep track of dozens of passwords.
  3. Don’t write passwords on paper or store them in unprotected files on your computer.
  4. Change your password(s) as regularly as possible.

 

Securing Your Devices

Mobile devices, like phones, tablets, and laptop computers, can pose significant security risks if they are lost or stolen. The very mobility of these devices makes them more vulnerable.

The first line of defence in securing your devices is to avoid storing any private client data on them. Of course, this is not that practical since the benefit of having a mobile phone is precisely having access to this contact information at our fingertips. So most of us will need to store names, phone numbers and basic contact information, but you should avoid storing any other electronic documents of a personal nature on your mobile devices.

The next line of defence is to secure the device itself with a strong password.  If you use an iPhone, you can change the simple 4-digit passcode to a strong passcode. Go to Settings > Touch ID & Passcode to change your phone’s settings.

 

There are also apps for locating and remotely wiping a lost or stolen device. For iPhones, you can use Find my iPhone. For Blackberry, use Blackberry Protect. And for Android phones, use the Android Device Manager. There are also some third-party apps out there for securing mobile devices.

If you’re thinking that this will make your digital life less convenient, you’re right. Unfortunately, that’s part of the security process. You don’t want to make it too easy to get access to your devices.

Tips for securing your device:

  1. Never store personal, confidential and/or private client data on your mobile devices or laptop computers.
  2. Secure all your mobile devices with strong passwords
  3. Use software to wipe your device if lost or stolen.

 

Securing Data Sharing

The most important thing to realize about sharing personal data is that email is not secure.

Email was not designed with any security in mind and it was never intended to be the centre of our digital lives. Email has many security vulnerabilities, including:

  • If your device is not secured and someone gets access to it, then your email is available to that person.
  • Emails you receive are stored on your email provider’s server in plain text. Same with the emails you send – they are stored on the server of the recipient’s email provider. This means that if someone hacks into the email provider’s server, your emails can be read.
  • Emails typically travel over the public internet, routed through various servers and network connections between you and the recipient. In most cases, there is no way to know if one of those servers has been compromised and someone is viewing your email in transit.

For these reasons, you should avoid sending any private information via email. No financial statements. No insurance applications. No government issued ID numbers (i.e., birth certificates, social insurance numbers, etc.). And certainly don’t send passwords. You can password-protect PDF files, and Word or Excel documents. So, if you absolutely must send a private document as an email attachment, make sure you use a strong password to protect it.

Secure file exchange services such as Sharefile and Box offer an increasingly popular alternative to email transfer for sensitive files and documents. These services store files in an encrypted format on their server and then protect sharing of files through secure socket layer (SSL) to and from the server. (You know a site is protected with SSL when the site URL starts with “https” not just “http”.) 

Secure portal sites, such as your online banking site or the Ticoon platform, also offer protected messaging and document transfer using similar encryption and SSL technologies.

Tips for sharing data securely:

  1. Avoid transmitting private information or files via email.
  2. Only use secure file exchange services or secure portals for transmitting personal or private data.

 

Securing Yourself

Perhaps the greatest security vulnerability you have to deal with is yourself. That’s right, despite all of the precautions you should take to use strong passwords and secure your devices and data, smart hackers are targeting YOU because they know that people can be the most vulnerable links in any security chain.

Hacking people is called social engineering and there are many techniques that you need to be aware of in order to protect yourself and your clients. Here are a few of the most common:

  • Phishing: Hackers carefully craft an email that appears to come from a trusted source, such as your bank or credit card company, but contains links to websites that capture your personal and confidential information. See: How to Spot a Phish.
  • Spoofing: Hackers impersonate a close friend, relative or client and attempt to get you to disclose personal information. Once someone hacks an email account, they can send messages from that account, so this can be a very difficult exploit to detect.
  • Curiosity: Attackers leave USB thumb drives with enticing labels in business parking lots or public areas hoping you will pick them up and plug them into your corporate computers. Once inserted into the USB drive, the hacker’s malware is installed inside the corporate firewall.
 Source: Inspired eLearning - http://www.inspiredelearning.com/phishing_training/phishing-infographic

Source: Inspired eLearning - http://www.inspiredelearning.com/phishing_training/phishing-infographic

These can be very difficult exploits to combat because they play on our trust. However, there are some important best practices you can and must follow to protect yourself from social engineering attacks:

  1. Be suspicious of unusual messages. For instance, if you get an email from someone to check out this cool website link, but that person doesn’t usually send those types of emails, don’t rush to click the link.
  2. Avoid acting urgently. Before clicking anything unusual, take your time to investigate. You can move your mouse over the link and see where it will go if you were to click it. If you are not familiar with the site, perhaps it’s better to not click and investigate further.
  3. Keep updated. Always update your software because new versions often fix older vulnerabilities. Update your own knowledge of hacker exploits so that you won’t be easily fooled.

Finally, you need to be developing best practices and procedures for preventing digital fraud in your business. For instance, if your client’s email account is hacked you could receive messages that appear to come from your client with instructions to take some actions. Do you have a process or procedure for verifying such instructions? Is your administrative staff aware of this procedure?

 

Conclusion

Security threats will only grow with the increased digitization of our business interactions. The best defense is to build your knowledge and awareness of the threats and put in place good policies and procedures for responding if and when an attack occurs.

 

Additional Resources