Small RIAs are more susceptible to cyberattacks than their owners would like to believe. In fact, with smaller technology budgets and insufficient controls, small firms may be the perfect targets for hackers.

According to a recent report by Symantec on Internet security, personal financial information was the second most common form of data stolen in 2016, behind personally identifiable information. 

Implementing and enforcing cybersecurity measures properly should not break the bank. Even without deep pockets to invest in cybersecurity, RIAs should have policies and measures in place to prevent fraud. There are plenty of bells and whistles to choose from, which can make it hard for an advisor to discern what is really necessary. To help, here are six basic elements that should be the foundation for every small RIA's cybersecurity program.

Use Password Vaults

Passcards hold the authentication credentials to access specific applications and automatically log the user into their assigned applications. Password vaults are a secure solution for storing passcards for RIAs of any size. Typically, there is a master password that grants access to all of the passcards in the vault.

A word of caution: when firms allow employees to create their own passcards, the employees hold the credentials and can access the applications without using the vault. This means anyone with credentials can log into applications on unprotected or virus-infected devices, such as personal devices, increasing the risk of a breach. This is typically more problematic for smaller RIAs, which are more likely to lack a chief compliance officer and may neglect compliance.

Firm owners can enforce secure access by creating passcards for all employees for all business-based applications. This virtually eliminates the possibility that others have access to core business applications outside of the password vault and secure devices.

Adopt Two-Factor Authentication

Two-factor authentication is quickly becoming the standard for secure logins. Whereas the password is "the thing you know," the second factor is "the thing you have." This typically means receiving codes on an authorized device such as a mobile phone or responding to additional prompts to authenticate your login.

Advisors who utilize password vaults and two-factor authentication give their firms quite a bit of cybersecurity protection, even if they do nothing else to guard against potential fraud.  

Get More Than ‘Cloud Cover’

Though "the cloud" generally offers security for data and documents stored in it, the level and complexity of the security or encryption varies by vendor. Additionally, accessing or storing data outside the cloud can lead to breaches, particularly when using unsecured devices. There are also no guarantees on information used outside of the cloud. 

This means RIA owners should be concerned with how, when and where documents are accessed in addition to where they are stored. Though it is tempting to download information onto personal, unencrypted devices in the name of productivity, doing so can expose the firm to cybersecurity issues and data breaches.

Implement Oversight

Validation and oversight of cybersecurity policies are just as important as creating them. To minimize external threats, small RIAs need to utilize technology to enforce authentication. Firm owners need policies and procedures for monitoring usage of devices, the Internet, social media and email. 

Small RIAs permitting the use of personal devices for business should consider the increased cybersecurity risk that comes with doing so. At minimum, firms should implement policies to secure personal devices that access firm data, especially email.

Ultimately, it is the RIA owner's responsibility to ensure the security of the firm's data. System monitoring and policy enforcement through technology can add valuable safeguards and peace of mind. Delegation to a trusted staff member can be a viable option, but only if the owner keeps close oversight on the process and procedures.

Make Client Security A Part Of Client Service

Small RIAs may falsely believe that their deeper client relationships buy them a level of protection against thieves compared to larger firms with more clients. Familiarity can have its benefits, but it can also breed a false sense of security.

In fact, Symantec reports that 43 percent of all phishing attacks in 2015 were on small businesses.

It is natural to want to help clients who need an immediate response. But given the complexity of today's attacks, small firms need procedures for validating email and telephone requests for wire transfers, and for identifying and confirming clients. Scammers use publicly available information to build credible backstories and gain trust. What seemed like validation overkill 10 years ago is now mandatory as the amount of publicly available information on every one of us increases.

Invest Appropriately For Cybersecurity

Though many small RIAs fall short when budgeting for cybersecurity, others spend without really understanding what types of protection they are—and are not—buying.

Cybersecurity protection need not be prohibitively expensive. Owners of small RIAs should consider cybersecurity as a centralized framework for organizing the technology needed for daily business. This includes everything from email, file sharing and an Office suite to backups, archiving and security. A good rule of thumb for estimating the cost of a proper technology environment that includes cybersecurity is roughly $200-$350 per person per month, depending on various factors.

It is naive to think that cyberthieves will bypass small RIAs in favor of large firms with bigger payouts but tighter controls. In the majority of cases, the smaller firm delivers an easier potential payday. RIA owners who may have neglected their cyber protocols until this point should invest in moving forward with the basics not only for compliance's sake, but for the sake of their livelihoods.

Wes Stillman is CEO of RightSize Solutions, a provider of intelligent cloud technology and business management solutions for advisors.  He can be reached at [email protected].