Advisors Putting Client Data At Risk

Monday, March 22, 2010 23:22

To save money, some advisors are putting client data in jeopardy, and the trade press isn’t helping matters.


I’m talking about two incidents in the past few weeks, one involving Google Docs and the other involving a CRM called Zoho.


I was hosting a webinar on February 12 about CRM systems for advisors when the Google Docs platform came up during the Q&A period, and I mentioned that Google Docs was not secure. An advisor chatted in to tell me it was indeed secure.

Without having verified it myself, I hesitated to tell attendees at the webinar that Google Docs was secure. But I felt obliged to report what he said. So I told attendees that an advisor had chatted in to say Google Docs was indeed secure.

After the webinar, I emailed the advisor and asked if he had any substantiation that Google Docs was secure, and I also did some research. Within minutes, I found a Google forum post that said documents in Google Docs could not be protected with their own password. I sent another email to the advisor with that link. He never responded.

To get the facts, I asked two seasoned engineers from Advisor Products to check into Google Apps’ security.

Google Apps offers a Standard and Premier Edition. Their findings, which pertain to the Premier Edition targeted to businesses, show that it would be reckless for an advisor to store client data on Google Docs.

It may be okay for an advisor to use Google’s calendar and other features. But if you want secure document storage and sharing, be aware of the following limitations: 

  • You can’t force users to create “strong passwords.” Google has a tool that rates the strength of a password when you create it. The tool’s requirements are not up to professional standards. A strong password requires using non-alphanumeric characters (e.g., !, @, #, $, etc.). It is also at least eight characters and preferably 12. By default, Google Docs requires only six-character passwords, and it allows you to create a password as short as four characters. As long as your password contains a combination of four letters and numbers, Google’s password-strength rating tool will tell you your password is “strong.”
  • Google does not automatically force expiration of passwords. Some broker/dealers now require that vendors automatically kill passwords after three months and require users to create new passwords.
  • The way Google Docs passes access to documents via email is inherently flawed. If you use Google Docs to share a document with a client or another professional, Google enables you to send the link by email. Email is not secure. Moreover, anyone who receives the email with the link can open the document—without a password.
  • Documents on Google’s servers are not stored encrypted. They’re encrypted in transit when you upload and download them, but they are not stored encrypted. This could be an issue if a Google server storing your document is breached.
  • Google Docs doesn’t accommodate the hierarchy of users with different permissions that advisors need. Document-sharing vendors in the financial services business enable different roles and rights for their staff, advisors, advisory firm staff, a B/D’s compliance department, outside professionals an advisor works with, and clients of advisors. Google Apps has just two levels of authorization.
  • Google Docs does not have bulk upload capabilities that would let you upload performance reports, financial plans, rebalancing reports, and other documents in batches.
  • Google Docs and Apps do not integrate with financial planning, portfolio management or other practice management apps used by advisors.
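An added example, not from the article or from Google, that enforces the password requirements listed above in Python: the eight-character minimum, the twelve-character preference, the non-alphanumeric requirement, and the forced expiration after three months from the second bullet. The 90-day figure and the sample passwords are assumptions.

```python
import string
from datetime import date, timedelta

# Thresholds from the limitations listed above: at least 8 characters
# (12 preferred) and at least one non-alphanumeric character. The
# rotation interval of "three months" is taken as 90 days (an assumption).
MIN_LENGTH = 8
PREFERRED_LENGTH = 12
MAX_PASSWORD_AGE = timedelta(days=90)
SPECIALS = set(string.punctuation)  # covers !, @, #, $ and the rest


def check_password(password: str) -> list:
    """Return the hard policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(ch in SPECIALS for ch in password):
        problems.append("no non-alphanumeric character (e.g. !, @, #, $)")
    return problems


def password_advice(password: str) -> list:
    """Soft advice that does not block the password (the preferred length)."""
    if MIN_LENGTH <= len(password) < PREFERRED_LENGTH:
        return ["consider %d or more characters" % PREFERRED_LENGTH]
    return []


def password_expired(last_changed: str, today: str) -> bool:
    """True once a password (dates given as YYYY-MM-DD) has reached the rotation age."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) >= MAX_PASSWORD_AGE


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials. "ab12" is the
    # four-letters-and-numbers case the article says Google rates as "strong".
    for pw in ["ab12", "abcd1234", "Client!2010", "Quarterly#Report!2010"]:
        verdict = check_password(pw) or ["accepted"]
        print("%-24r %s %s" % (pw, ", ".join(verdict), " ".join(password_advice(pw))))
    # Forced expiration: a password last changed on 1 January 2010 is still
    # valid on 22 March 2010 (80 days) but has expired on 1 April (90 days).
    print(password_expired("2010-01-01", "2010-03-22"))  # False
    print(password_expired("2010-01-01", "2010-04-01"))  # True
```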

Google is a remarkable company and it could address these issues. But with its vast audience and potential, it has priorities other than serving the tiny independent financial advisor market.

Google Apps Marketplace enables third-party vendors to leverage web interfaces. Third-party apps are likely to address some of the security issues posed by Google Apps and provide features and integration needed by advisors. But it will take months—probably years—for an advisor to pull together an integrated suite of professional apps that leverages Google Apps. It will require stitching together specialized components from different vendors in the App Store, which would complicate matters for advisors significantly. Anyone who tells you advisors can use Google Docs today is reckless.

Which brings me to Zoho CRM, the subject of a rave review in one of the trade magazines for independent advisors.

Zoho is a web-based CRM that is integrated with Outlook, Facebook, and several other popular consumer applications. In addition to CRM, Zoho also offers an extensive suite of web-based software for word processing, spreadsheets, invoicing, online meetings, calendaring, sharing documents, and more. 

“Combining Zoho CRM with Zoho email and Zoho Docs gives you robust CRM, integrated email that includes email storage, plus an integrated online entry-level document management solution at an unbeatable price,” the article says.  

“Perhaps the greatest differentiator for many potential purchasers is security,” says the article. “Overall, the security capabilities of the application are impressive.”

Zoho is indeed an impressive application, but documents are not stored in encrypted format. Zoho’s website says passwords are encrypted but says nothing about whether documents you save on its servers are stored encrypted.

Since the security information on Zoho’s site was vague, I called Zoho to ask about its encryption.

I could not understand everything the salesman said because of his thick Indian accent (despite the fact that I've grown pretty good at understanding Indian accents because my company outsources many development projects to India). Initially, the Zoho salesman told me all documents were indeed encrypted. But when I questioned him further, he suggested a security specialist call me back.

The security specialist called back the next day. While he was polite, I had difficulty understanding everything he, too, said because of his accent. He confirmed that documents stored on Zoho Docs are not encrypted.
 
An April 2007 post on a Zoho forum said the company “may consider encrypting the entire Zoho server.” Apparently, Zoho has not gotten to that yet.

Encrypting passwords is important but inadequate for most advisors who have taken the time to learn about security. Not encrypting the documents means a hacker who breaches Zoho’s servers would be unable to read the users’ passwords, but he could read the documents stored on its servers. It’s an obvious risk. In addition, some Zoho employees have access to the files stored on Zoho Docs and could read them. That would not meet the standards advisors should insist upon, standards that are now required in some states and that are likely to become federal law in the months ahead. Zoho Docs security may be fine for most businesses but not for financial advisors who are responsible for protecting client data.

Moreover, financial institutions are putting advisor vendors through security audits and requiring that they have documented security policies and procedures in place. One large B/D, for instance, requires documentation on 20 policies, and each policy is a multi-page document covering how a vendor handles passwords, back-ups, security incidents, and business continuity. Another requirement: All new hires at tech vendors must be given a criminal background check. Some B/Ds also now require vendor systems to detect and stop intrusions.

(Interestingly, RIAs shrewd enough to use the web-based apps approved by large BDs get all of these security benefits for free, while reps are paying for them.)

Like Google Apps, Zoho Docs doesn’t allow advisors the role-management and user hierarchy features that advisors need. Nor is it integrated with advisor systems. It would take months for Zoho to address these and other shortcomings, assuming Zoho wants to specialize in the independent advisor market.

To be sure, Zoho and Google Docs cost less than applications that are created for advisors. That’s because Google and Zoho are not specializing in advisors. If they did, you’d pay more for all the features. Advisors who move to these apps as they are constituted now are risking a lot more than they realize and are paying for it in the long run by not getting the right features to handle their needs.

In running a technology company that has served independent advisors since 1996 and that provides secure document sharing between advisors and their clients, I’ve been humbled in trying to meet the demands of the profession. (Writing about technology for advisors is easy; making technology for advisors is difficult.)

While you may want to believe that some inexpensive application is going to be a panacea, use your common sense.

Be as skeptical as you are when you read an article in a consumer personal finance magazine about an investment that promises returns of 10% annually through good and bad times.

If an app for advisors sounds too good to be true, it probably is.



Comments (3)

...
billwinterberg
Zoho Docs' FAQ addresses security of documents on this page:

http://www.zoho.com/online-doc...s-faq.html

While it says credentials (login & password) are encrypted, it says nothing about documents and their contents.

Compare this with Dropbox's security policy:

https://www.dropbox.com/help/27

It says "All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password."
billwinterberg, March 24, 2010
...
agluck
Doing security reviews is a serious responsibility.

More standards are needed to create transparency because so much is unknown.

Redundancy, intrusion detection, back up procedures, and other details are critical but undisclosed.

I'm working on a checklist of questions for advisors to ask vendors.

RIAs and IA reps are at a disadvantage versus registered reps because RRs have staff asking the right questions and setting standards.
agluck, March 24, 2010
...
bwarrene
Every shift in technology brings these discussions - as was the shift from the mainframe to data being stored on local workstations, when we began using VPNs and extranets, and now in the "cloud" - using services like Google, Zoho, Dropbox as well as the many vendors (including you, Andy) who cater specifically to financial services but are in the cloud at least in part.

One of the shifts in development has been to put prototype style apps out in beta for assessment, feature development and interaction with users. While this is positive - it also begets risks due to components being "not completely built out".

One of the great things about Advisors4Advisors is the ability to bring these discussions into the light and determine what is working and what is not - and to also get feedback from real world users.

The biggest challenge with security is often its implementation and not the measures themselves. I.e. you can lock down a system and make it unusable as well. Ideally - those vendors that survive will be those who have the broad coverage on redundancy, intrusion detection, backup and attention to server-based operating system patches that close vulnerabilities - and do it in a way that preserves a user friendly user interface and features.
bwarrene, March 24, 2010
