Three Data Security Best Practices For Financial Advisors

Thursday, January 31, 2013 20:13

Tags: privacy; security

Here are three important data security tips for financial advisors. They could save your butt.



 

Security Policies. Advisors must have written security policies signed by employees annually. Policies will include the minimum password complexity that your firm will use, whether employees can log in to your network or web-based apps with their own devices, a prohibition on employees looking at porn and social media sites, which are often used to pass viruses, trojans, and other malware, and the procedures to be followed when employees are terminated. Brian Edelman, a blogger on A4A and owner of Financial Computer Services, provided a sample security policy document that advisors can use as a template. (It’s available to A4A members in the "Rewards" section of your profile if you have paid the $60 annual fee for full access to our content.)
 
Buy A Password Manager. Roboform, LastPass and 1Password are good choices of password managers. Password managers protect against key loggers, which are malware programs that track every keystroke you make. When you use a password manager, you’re not keying in your passwords or your user names. They’re filled in for you without keystrokes. And that’s only one thing these programs do.
 
I have accumulated about 200 passwords to different sites in Roboform over the last 14 years or so that I’ve used the program. How could I possibly remember all of them? Most people use one or two passwords for all their secure sites. That’s just not smart for a fiduciary who’s responsible for protecting client data.
 
When you use a password manager, it remembers not only all your passwords but also the URL of the site where each password must be entered. So you don’t have to key in the password. Just point and click to a password on a list in the password manager. Again, that defeats key loggers. In addition, all the passwords are encrypted on your computer and can be stored in the cloud by these password manager apps. That’s good because you can sync your passwords with your mobile devices easily.
 
To use any of your passwords, you must submit your “master” password. Roboform actually lets you use your fingerprint reader instead of inputting your master password. These apps also have virtual keyboards for inputting your master password, so you’re not inputting your master password using keystrokes that a key logger will pick up. These programs will also generate strong passwords for you.
 
WPA2 Encryption For Wireless Networks. If you’re not using any encryption security on your WiFi access point (or router), you’re just asking to be hacked.  Anyone can drive up to your office and join your network.  
 
All of your wireless access points should be secured, and if your devices support it, you should always use WPA2 encryption. WEP is an older technology and can be cracked in minutes. Although WEP is better than nothing, you should avoid using WEP. WPA is a much better option, but it was only created as an interim solution until the WPA2 standard was finalized.
 
Some older devices may only support WEP and WPA. In that case, see if you could update the devices or get rid of them. WPA2 is the best choice for wireless security as it includes the robust AES encryption algorithm. As always, a strong password is critical. A weak password can be cracked with software in as little as 1 minute no matter what wireless security you use.
 
These security tips were compiled by me with the help of security experts, Brian Edelman of Financial Computer Services and Jason Fogelson, IT Manager at Advisor Products. I am indebted to them and other security experts who provided me with best practices for advisor data security.
 
Brian Edelman and Andy Gluck will be hosting a webinar for A4A members Friday, Feb. 8 at 4 ET on Security Best Practices For Advisors.

 

Comments (6)

...
hilarymartincfp
My IT is a pro, and he is firmly against a Password manager. I know enough only to be dangerous, so I'm left curious about the discrepancy in "expert" recommendations. I'll look around on the site for the security policy. Any tips on where to find it?
hilarymartincfp , February 01, 2013
...
agluck
IT guys have been known to advise against using a password manager. Not all doctors think taking vitamins is good for you. A password manager is not a perfect solution. There is no perfect solution. But it is the best solution.

And if your IT "pro" is telling you not to use a password manager but not giving you an alternative, then that tells you something right there.

To access the security policies, you must be a paying member ($60 a year) of A4A. It can be downloaded from the Rewards tab of your profile.
agluck , February 01, 2013
...
BrianEdelman
I too would be interested in hearing why an IT professional would suggest using a password manager was not secure.

I would also contend that a password manager with multifactor authentication is by far the safest place to store passwords.

Alternatives we see, ranging from sticky notes, storing passwords in the browser, shared Excel files and Outlook, are considerably less secure than using a password manager.
Furthermore, typing in a website, username and password is susceptible to key loggers and is certainly the least secure and the easiest for hackers to gain access to your accounts.
BrianEdelman , February 01, 2013
...
justruck
I need to remember 2 logins/passwords.
One for my Master Password on Firefox. One for a password protected Word document where I keep all my other logins. Is that not safe?
justruck , February 04, 2013
...
agluck
It's easy to hack into password-protected Word, Excel and other documents. (See http://bit.ly/WUuUbG).
The new version of Office is supposed to be better and allow encryption.
agluck , February 04, 2013
...
justruck
Thanks!
justruck , February 04, 2013
