What cybersecurity risks are Financial Advisors most susceptible to? More importantly, what can your firm do to protect itself from those risks? Here are some practical fraud prevention tips and cybersecurity best practices you can implement at the office as well as in your personal life.
Regarding safeguarding approaches, “Education is the biggest thing you can do for yourself and your employees,” underscores Rob Hawke, Managing Director, Operations & Technology at Symmetry Partners. “We constantly test and train our employees to refine their knowledge and skills and help them understand potential threats,” he adds.
The key is reinforcing your human capital because people can be the weakest link. With a little awareness and training, you can equip people in your firm to be an effective human firewall.
Phishing is a cyber threat in which scammers use email or text messages to trick recipients into handing over personal details, credentials, or other information they can use for nefarious purposes. The email or text message usually contains a malicious link or attachment that prompts you to take action. When a user clicks the link or engages with the message, it can unleash malware or ransomware.
Many phishing attempts are disguised as Microsoft Help directing you to log into your email account. But it’s not really Microsoft asking you to log in—it’s fraudsters who can gain access to your email when you engage in their phishing attempt.
Once the fraudsters have access, they’ll quickly take over behind the scenes. For example, they may create a mailbox rule that forwards every incoming and outgoing email to an address they control. Then they’ll cover their tracks by setting up automatic rules that delete the forwarded copies.
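The takeover pattern above (forward everything to an outside address, then auto-delete the evidence) is something an administrator can hunt for in mailbox-rule audit events. The following is an added example, not code from the article or from Symmetry Partners; the record layout and the domain `examplefirm.test` are constructed simplifications, not any vendor’s real audit schema, so map your platform’s fields onto it.

```python
INTERNAL_DOMAINS = {"examplefirm.test"}  # constructed placeholder, not a real firm

# Constructed sample of inbox-rule audit events; the field names are a
# simplification of what mail platforms log, not any vendor's real schema.
SAMPLE_RULES = [
    {"user": "advisor@examplefirm.test", "rule": "Archive newsletters",
     "forward_to": [], "delete": False, "match": {"from": "news@vendor.test"}},
    {"user": "advisor@examplefirm.test", "rule": ".",
     "forward_to": ["backup.mail99@webmail.test"], "delete": False, "match": {}},
    {"user": "advisor@examplefirm.test", "rule": "cleanup",
     "forward_to": [], "delete": True, "match": {"subject": "FW:"}},
    {"user": "ops@examplefirm.test", "rule": "Team copy",
     "forward_to": ["shared@examplefirm.test"], "delete": False, "match": {}},
]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def suspicious_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (user, rule_name, reason) for rules matching the takeover pattern."""
    findings = []
    for r in rules:
        external = [a for a in r["forward_to"] if _domain(a) not in internal_domains]
        if external:
            # An empty match means the rule applies to every message, which is
            # the "every incoming email" case the article describes.
            scope = "every message" if not r["match"] else "matching messages"
            findings.append((r["user"], r["rule"],
                             f"forwards {scope} to external {', '.join(external)}"))
        if r["delete"]:
            # Auto-delete rules are how forwarded copies get hidden; review them all.
            findings.append((r["user"], r["rule"],
                             f"auto-deletes mail matching {r['match'] or 'anything'}"))
    return findings


def flagged_rule_names(rules, internal_domains=INTERNAL_DOMAINS):
    return sorted({name for _, name, _ in suspicious_rules(rules, internal_domains)})


if __name__ == "__main__":
    for user, name, reason in suspicious_rules(SAMPLE_RULES):
        print(f"{user}  rule={name!r}  {reason}")
```

Internal forwarding (the "Team copy" rule) is left alone so the check stays quiet on normal team workflows.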
Password protection should be top of mind, especially because most people have to keep track of many. Industry experts strongly recommend two things:
Purchasing an enterprise or business license—as opposed to using a free consumer-grade version—is beneficial. Why? Because if you’re using a free version and you lose the one passphrase that’s guarding your password manager, you’ll be in a quandary. The password manager company doesn’t know your passwords, so they can’t help you. However, with an enterprise license, your IT administrator may be able to access your passphrase.
In terms of security, Rob notes that Chrome and Edge password keepers aren’t entirely secure, which is why he recommends using a dedicated password vault solution, particularly for firms that share login credentials.
“Ideally, credential sharing shouldn’t happen, but if it does, it’s better to store everything in a password vault versus sharing an Excel file or giving just one person access to all the firm’s passwords. If that person leaves the firm, you can instantly remove their access through the password vault—you don’t have to worry about someone leaving and maintaining access to sensitive information,” explains Rob.
When it comes to creating good, strong, unique passwords, think long: in the range of 16 to 20 characters. If you’re using a password manager, you only need to remember one password—the one that protects the password manager itself. Here, a 40- to 50-character passphrase is recommended.
Stringing together eight random words can help you easily remember the password you created and make it more difficult to crack.
Also important: do not reuse passwords for any important accounts. And if you’re a solo practitioner or a hybrid worker, be sure to invest in a separate laptop for work. People in your home shouldn’t be using the same laptop you use for your business.
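To make the eight-random-words advice and the no-reuse rule concrete, here is an added example (not code from the article or from Symmetry Partners): it generates a word passphrase with a cryptographic random source, compares its strength with a 16-character random password, and finds accounts in a vault that share a password. The `WORDS` list is a constructed stand-in; a real list such as the EFF large Diceware list has 7776 words, which is what gives eight words their strength.

```python
import math
import secrets

# Constructed mini word list for illustration only; use a real 7776-word list.
WORDS = ["ledger", "harbor", "quartz", "meadow", "falcon", "copper", "violet",
         "summit", "anchor", "timber", "saddle", "cobalt", "orchid", "beacon",
         "marble", "willow"]


def passphrase(n_words=8, wordlist=WORDS, sep=" "):
    """Pick n_words uniformly with a CSPRNG (never random.choice for secrets)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(n_words, list_size):
    """Entropy in bits when each word is drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def random_string_bits(length, alphabet_size):
    """Entropy of a uniformly random string, e.g. 16 chars over [A-Za-z0-9]."""
    return length * math.log2(alphabet_size)


def reused_passwords(vault):
    """vault: {account: password}. Returns groups of accounts sharing a password."""
    by_secret = {}
    for account, secret in vault.items():
        by_secret.setdefault(secret, []).append(account)
    return [sorted(accts) for accts in by_secret.values() if len(accts) > 1]


if __name__ == "__main__":
    print("sample passphrase:", passphrase())
    print("8 words from 7776: %.1f bits" % passphrase_bits(8, 7776))
    print("16 random alphanumerics: %.1f bits" % random_string_bits(16, 62))
    # Constructed vault: two accounts wrongly share one password.
    print("reused:", reused_passwords({"email": "Winter24!", "bank": "Winter24!",
                                       "crm": "n7$Qw9...xL"}))
```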
Hackers use a variety of tactics—social engineering, brute force attacks, and exploiting weak passwords—to gain access to passwords. Their methods often exploit human or system vulnerabilities.
Hackers can also gain access to your passwords and sensitive information during a data breach. “If a vendor you’re using has a breach, you definitely want to reset your passwords,” advises Rob.
Whenever there’s a breach, that information will be put onto the dark web, the part of the internet that’s intentionally hidden and used by those who want to remain anonymous, including those conducting illegal activity. The dark web isn’t accessible through traditional search engines and browsers; it requires special software. Most password manager solutions also offer a dark web breach watch that helps identify exposed passwords.
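A breach watch has to check your passwords against leaked data without ever sending the passwords themselves. The added example below (not code from the article or from Symmetry Partners) shows the k-anonymity range lookup that Have I Been Pwned’s Pwned Passwords service uses: the client sends only the first five hex characters of the SHA-1 hash and compares the remaining 35 locally. The breach corpus here is constructed and kept in memory so the example runs offline; the counts are made up.

```python
import hashlib


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus standing in for the dark-web dumps a breach-watch
# service indexes: SHA-1 hash -> number of times seen in leaks (made-up values).
BREACH_CORPUS = {
    sha1_hex("Summer2023!"): 1523,
    sha1_hex("Welcome1"): 88740,
    sha1_hex("advisor123"): 310,
}


def range_lookup(prefix):
    """Server side: given the first 5 hex chars of a SHA-1, return every
    (suffix, count) in the corpus sharing that prefix. The server never
    learns the full hash, let alone the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return [(h[5:], n) for h, n in BREACH_CORPUS.items() if h.startswith(prefix)]


def breach_count(password, lookup=range_lookup):
    """Client side: hash locally, send only the prefix, match the suffix here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def exposed_accounts(vault, lookup=range_lookup):
    """Breach-watch pass over a vault {account: password}; returns
    {account: count} for every password present in the corpus."""
    exposed = {}
    for account, password in vault.items():
        count = breach_count(password, lookup)
        if count:
            exposed[account] = count
    return exposed


if __name__ == "__main__":
    # Constructed vault: one reused, breached password and one strong one.
    print(exposed_accounts({"email": "Welcome1", "portal": "vK9#mq2!Lr7$wZp4"}))
```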
Hackers can also use software and automation to run “credential replay attempts,” taking usernames and passwords that were compromised in a breach and sold on the dark web and trying them against other services to see whether they still grant access.
If you’re using poor credentials that are easy to guess or crack, or a password that’s eight characters or fewer, hackers can use free or low-cost applications to attempt to access your passwords. This is where using two-factor or multifactor authentication wherever it’s available is essential.
Other recommended security defenses include turning on firewalls and running antivirus and anti-malware.
Using a virtual private network (VPN) is essential because it:
“Your work office has a firewall, so you’re generally safe on that network. But if you’re spending time working remotely outside of the office, you definitely want to use a VPN, especially if information is going back to the office,” says Rob.
Encryption ensures that information is modified into an unreadable format that’s only accessible with the correct decryption key. Using encryption is integral when it comes to safeguarding sensitive data and defending against data breaches, cyberattacks, and privacy infringements.
The first step is making sure your encryption application is activated; it may not be on by default. If you’re on a Windows machine and you’re not using Microsoft Defender or a firewall, other internet security packages, such as Norton Symantec, include whole-disk encryption.
For Mac users, macOS has native FileVault disk encryption that can easily be enabled in Settings. Consult your IT department, which may already have it enabled and whose permission may be required to change that setting on your Mac.
Without encryption, you run the risk of someone removing your hard disk with a screwdriver, connecting it to their own computer, logging in there, and mounting your disk like a USB thumb drive. If your machine is encrypted, no one can read that hard disk without the key. And if it’s lost or stolen, it may be wiped, but the sensitive client information won’t be accessible.
“The way you exchange permission with your clients is critical,” cautions Rob. “Problems can occur if they’re sending email without any encryption. Now that email is sitting in your inbox. Whether your end client gets compromised, or you get compromised, that information can be found.”
Rob provides an example: “Knowing the policies, a hacker can repeatedly go through your account documents, find signatures, digitally lift them, and put them on third-party wire documents. That’s where a portal is critical—and having security parameters around that to help block that type of activity,” he explains.
As an Advisor, you must take a proactive approach to mitigate risks, protect against potential breaches, and safeguard client assets and sensitive information. Educating employees and fostering a culture of cybersecurity awareness among staff and clients are essential components of your cybersecurity and fraud prevention strategy.
Symmetry Partners, LLC, provides this communication on this site as a matter of general information. Information contained herein, including data or statistics quoted, is from sources believed to be reliable but cannot be guaranteed or warranted. Due to various factors, including changing market conditions and/or applicable laws, the content may not be reflective of current opinions or positions. All content on this site is for educational purposes and should not be considered investment advice, recommendation, or offer of any security for sale. Symmetry Partners does not provide tax or legal advice and nothing either stated or implied in this material should be inferred as providing such advice. Symmetry Partners does not approve or endorse any third-party communications on this site and will not be liable for any such posts.
Symmetry Partners, LLC is an investment advisory firm registered with the Securities and Exchange Commission (SEC). The firm only transacts business in states where it is properly registered or excluded or exempt from registration requirements. Registration of an investment adviser does not imply any specific level of skill or training and does not constitute an endorsement of the firm by the Commission.