Security Tip: Advisors Keep Client Data On Their Computers And Need A Policy For Protecting Client Data From Malware

Tuesday, July 19, 2011 13:33

With social engineering scams becoming much more clever, it’s wise to avoid downloading software from just anywhere. You need a policy.
 
Even if you’re a sole proprietor, this goes for you.  But it goes double for you if you have staff.
 
I recently reported on a social engineering scam that tricks victims into downloading a fake antivirus program that is actually a Trojan and sends sensitive personal information to digital crooks. The crooks are getting craftier.
 
Financial advisors store valuable personal data about their clients on their computers. Social Security numbers might be there, for instance, and perhaps credit card numbers. You are obliged to protect client data, especially if you’re holding yourself out as a fiduciary.
 
Under the current inspection regime, RIAs are examined on average only once a decade, so there’s not much risk of being caught for being sloppy with security. My guess is that examiners do little to determine whether you are properly protecting client data from malware. It’s probably not even on a state or federal examiner’s checklist.
 
However, getting client data hacked nonetheless poses a serious risk to RIAs. If a hacker gets hold of client Social Security numbers, credit card numbers or other personally identifiable information, state and federal laws come into play with mandatory notification requirements. That could be costly and embarrassing.
 
Here are some ideas for limiting your risk.
 
Company Download Policy
 
Set a policy in your company on downloading software. Maybe owners are allowed to download programs but staff are not. Or maybe only your IT director can download programs.
 
If you’re an owner, the policy should at least put you on alert whenever you download anything. For staff who are computer novices, it must actually prevent them from downloading programs, and with them malware.
 
The policy does not mean that you can never download from Google, Microsoft, or your technology vendors. It has to be practical, while still making it much harder for phishing scams and other social engineering schemes to succeed.
 
Download.com
 
Most of the programs advisors download are brand-name products. Still, it is entirely possible for a website to make itself look like Google or Bank of America.
 
So when you do need a program, try www.download.com. I’ve been using this site for over a decade and trust it.
 
The site hosts downloads for thousands of apps. If you need a picture editor, a password management app, or a driver for your printer, this is a safe place to get it. CNET screens all downloads for common viruses and spyware and looks for other threats that might interfere with user security, privacy, and control. While nothing is guaranteed, it’s safer than hitting a random site on the Web and downloading a program from there.
 
Keep in mind that only the downloads hosted on download.com itself are screened for malware. Ads posted on download.com that take you to other sites to download programs could still be risky.
 
Comments (4)

timknotts
Thanks Andy. Very good advice. An easy policy to create, and educate staff on. I'm wondering how to test on an annual basis for compliance purposes...any ideas?
timknotts , July 19, 2011
Micah McCann
I second that. Great advice Andy! From my perspective, I don't think advisors are placing security high enough on the priority list. Creating a policy is a good start but making sure it is being followed and building awareness around security is just as important.

For those looking for more information, NIST has published a great document catered to small businesses that provides some security best practices: http://csrc.nist.gov/publicati...r-7621.pdf
Micah McCann , July 19, 2011
BrianEdelman
There is only one way to make sure your computers are not infected with viruses and/or malware and that is to have your system checking in. For larger firms that means a corporate version of antivirus/antispyware with a full-time IT professional watching over the server (which rarely happens), and for smaller firms using something like ProtectIT works best. http://www.financialcomputer.c...protect-it
BrianEdelman , July 23, 2011
BrianEdelman
We have seen a significant jump in viruses recently, one in particular called "antispyware 2012", which is nasty and very disruptive. Please make sure you are properly protected and have a good policy in place.
BrianEdelman , January 12, 2012
