How to Manage Your Company’s Security Policy
Posted by Wes Stillman on October 13, 2016
Editor’s Note: Today’s blog post is a guest post from Wes Stillman, who is CEO and founder of RightSize Solutions. Wes also recently guest presented a webinar titled Cybersecurity: What Advisors Need to Know about Protecting Data. A recording of the webinar can be accessed here.
The biggest stumbling block for registered investment advisors when it comes to guarding against cybersecurity breaches is not technology-based, it’s a people problem. The right technology is critical, but RIA leaders face a bigger challenge in fostering a cybersecurity-sensitive culture in a way that resonates throughout all levels of their firms and is much more than a simple policy handout.
How can your firm protect itself from the growing number of cyber threats? It starts with exercising some online common sense. Here a few consideration to evaluate within your company’s security practices and processes:
- Take an inventory of all existing policies, software and hardware your firm utilizes. Where are your weak points? An ever-increasing number of advisor solutions are cloud-based, which is great for accessibility, but think about who is accessing your client information, and where exactly that information resides. Consider the business partnerships and data exchanges your company executes on a daily basis. In today’s interconnected business environment, our data supply chains create many access points to your customers’ data. Make sure you are doing your part to protect these connections.
- Make sure your employees realize the critical role they play in making a meaningful impact to improving security, and that they are equally capable of causing huge issues. Firms should train associates to recognize red flags such as emails that ask for personal or credit card information, requests for immediate action regarding unfamiliar situations, or emails that include suspicious attachments. And by the way, managers are not exempt. Management typically has more responsibility for company information and administrative privileges, which makes them even more vulnerable.
- Institute the use of a centrally-managed password manager solution. Using strong and different passwords is crucial to preventing breaches, and limits damage in the event of one. Remember that human behavior is inevitable, and if you require complex and unique passwords, employees will write them down, or worse, use one password for everything. Instead, offer a password vault to encourage safe behavior. RoboForm has a free solution that will allow you to generate complex unique passwords for all your online activities. These days, passwords are quickly becoming just a part of confirming identity. Multifactor authentication goes beyond a simple password. It provides a double check to confirm identity. Having a combination of a password and a personal identifier (something you know, and something you have) is quickly becoming the norm.
- Establish and enforce a firm-wide Bring Your Own Device (BYOD) policy that clearly defines what is and is not acceptable usage. Mobile email is the most common process that employees want to access on their personal devices. Make sure there are specific rules that enumerate the policies that should be in place for receiving work emails on personal devices. These should also include policies for remote access that enforce utilization of VPNs to increase security. Further, consider a cloud based solution that will allow secure access from anywhere. Also, make sure company devices are encrypted and up to date with latest software.
- Make sure that you have the right contingency plans and backup procedures in place for when disasters do happen. The right technology is critical, but RIA leaders can face a bigger challenge in fostering a cybersecurity-sensitive culture in a way that resonates throughout all levels of their firms. Management needs to keep cybersecurity at the forefront by continually asking themselves, “Where’s the data?” Even if information is safe when stored, and safe in transmission, the firm may still be at risk if its data is being used on unprotected, unsecured devices. Also, think about all of the levels of security at your company. Clearly layout who has access to what and control administrative privileges accordingly (both with internal staff and outsourced vendors). For example, by limiting the ability to install drivers and execute applications can help control what gets onto your systems and prevent attacks like ransomware.
Ultimately, cybersecurity is a critical aspect of your firm’s success, business health, and keeping clients’ personal information safe. Firms that do not stay aware and are not proactive in this area run the risk of becoming the victim of a multitude of threats to their firm’s technology and data. For more insight, our recently published ‘Managing Your Company's Security Policy’ whitepaper offers 10 actionable tips that your firm can immediately put in place and benefit from. These tips range in terms of effort, cost, and function and are all accessible solutions that can provide the backbone of a secure organization.
Wes Stillman is CEO and founder of RightSize Solutions, providing IT Management Services for the wealth management community and very first provider of outsourced technology management and Cloud-based cybersecurity solutions to RIAs. Wes can be reached at wnstillman@rightsize-solutions.com