3. Poor Password Protocol
Password vaults have emerged as a secure solution for RIAs managing multiple passwords from multiple people using multiple applications, but they are only as secure as the utilization policies implemented by the RIA.
Typically, a password vault uses a master password that allows access to all of the pass cards in the vault. Pass cards hold the authentication credentials to access specific applications, and automatically log the user into their assigned applications. If the users are allowed to create their own pass cards, they will also have the credentials to access the applications without the use of the vault, potentially on unprotected or virus-infected devices, increasing the risk of a breach.
It is more effective for the RIAs to have the security administrator or compliance officer create the pass cards for all employees for all business-based applications. This approach should eliminate the possibility that employees have access to core business applications outside of the password vault and secure devices.
2. Lax Enforcement Of Security Policies
Cybersecurity is as much about enforcement as it is about policy. Strong cybersecurity policies will generally address issues related to device usage, user authentication, the Internet, social media and email. Advisors need to reconsider policies that permit personal devices to be used for business purposes. RIA owners must recognize that when its data can be accessed using any unsecure, unprotected device or application, the firm is exposed to real cybersecurity issues.
For example, a RIA may have an encrypted, password protected email system. But once the firm email is synced to an unprotected device, the email become unsecure and the entire firm is now potentially exposed to malware and phishing viruses.
The issue is often not about storing data or email inside the firm. The increased cybersecurity risk can happen when the information leaves the safe environment and ends up on unprotected personal devices and laptops.