Smart mobile devices have revolutionized the wealth management business, transforming the way advisors connect with clients and manage day-to-day firm operations. Today it is more common than not for registered investment advisors (RIAs) to use their mobile phones, tablets and other devices the way they use computers. Without the right security in place, advisors who relish their "office anywhere" mobile environment may pay a hefty price for this convenience.

Advisors who would never think of using their CRM or other core business applications via an unprotected computer in the office balk when the talk turns to protecting mobile devices that access the same applications. The rationale for resistance tends to be that securing a mobile device will compromise the convenience of the device by slowing down access, which can be frustrating.

Web-based applications may help the business of wealth management be more efficient, but they are not secure. This means that the RIA is responsible for ensuring security on every device through which the application is accessed—desktop computers, laptops, smart phones, tablets, whatever. In the wrong hands, an unsecure tablet or smart phone has the potential to be the gateway into the financial lives of all the RIA's clients.

Though mobile device security is a must-have, advisors have a couple of options on how to go about protecting firm and client data.

Dumb-Down The Devices

Mobile phones in particular are easy to lose; consequently, they are most likely to get hacked. In fact, Consumer Reports found that 3.1 million people had smartphones stolen in 2013 and an additional 1.4 million phones were lost and never recovered. That is why simply having the mobile phone password protected is not enough. Loaded up with the firm's web-based applications, the lost device is a potential goldmine for cyberthieves.

It can be extremely difficult for the RIA to protect every mobile device used to access the firm's data. Consider the advisor who borrows their spouse's mobile phone just to check on a client account because their device is out of juice. And then there's the employee who is at home unexpectedly but is logging onto web-based applications from their personal laptop. In each of these instances, the user may be accessing firm data from an unprotected and unsecure device.

The RIA's best safeguard is to remove all the firm's web-based applications from all mobile devices. This means that the devices have only one application—the one that gets the user to the firm's protected smart platform. The mobile device user goes through a secure connection protected with multi-factor authentication to log into the RIA's secure platform. Once on the platform, they can get to any application they need through a centrally managed password vault and do not need to know the centralized credentials to do so.

By keeping their devices as dumb as possible, RIAs force staff to use the secured smart platform and protect themselves in the event devices are lost or stolen. Think of the difference between a remote control and a television set. The television set has the channels for the programs you want. The remote control allows you to operate the television set to get to those channels and programs, but you can't use the remote control without access to a signal from the television. In other words, dumbed-down mobile devices (the "remote controls") do not provide advisors and employees access to the needed applications ("channels and programs") unless they are logged into the firm's smart platform ("the television set").

Mobile Device Management

Advisors who are set on having their devices be as "smart" as possible may want to consider other options to protect them, including mobile device management (MDM). Generally speaking, MDM software offers data leakage protection similar to what might go on a personal computer in the office. 

Microsoft, Research in Motion (RIM) and Good Technology are three of the biggest MDM providers, but their products are all based on a similar concept: protect the device by creating an isolated computing environment, often referred to as a sandbox, for business applications, files and emails. The user is also able to go outside the sandbox to get to their personal web-based applications. In one regard, it is similar to the centralized platform access discussed above; however, MDM allows for web-based applications to be accessed directly from the device.

With MDM, mobile devices must be registered and encrypted before the RIA allows access to the applications. This prevents unregistered devices from being able to access applications. In the event the device is lost or stolen, the RIA can wipe the sandbox.

The difference between going the smart platform route versus using MDM lies in who manages the platform. With a smart platform, the advisory firm typically relies on its IT managed services provider. The RIA's in-house IT staff might be able to oversee its MDM; however, the firm should also consider whether an outside vendor can provide this oversight more cost effectively.

The Basics

Deciding upon the right mobile security solution can take time, but there are a few steps advisors can take now to lend some interim protection to the data and applications on their devices. Here are three best-practice suggestions to employ immediately, and a quick Google search on "self-protect mobile device" can yield others.

First, mobile devices should be set up to be erased through your provider. This way, in the event a tablet or smart phone is lost or stolen, the device can be wiped and reset immediately.

Second, all devices should be password protected and encrypted. Though the data is not necessarily protected if a hacker breaks through, the device will now have a minimum level of security in place to prevent this from happening.  

Finally, never save passwords or log-ins on mobile devices. In the event a smart phone is stolen and ultimately unlocked, passwords for web-based applications are the last line of defense. 

Protect The Data

When data and applications can be accessed anywhere, they are at risk of being tapped at any time. This is why RIAs should focus on protecting access to their applications and data, and worry less about protecting individual devices. A lost or stolen "dumbed down" phone or tablet can be replaced with minimal business disruption, but this cannot be said of clients whose data or assets can be accessed from any device at any time. RIAs should consider mobile device security as part of their firm risk management strategy, and put into place appropriate measures to sidestep the potential fallout from cybersecurity breaches.

Wes Stillman is CEO of RightSize Solutions, a provider of intelligent cloud technology and business management solutions for advisors.