Financial services was hit with another hack. Capital One was the most recent “victim” (along with thousands of clients) of a security breach. Advisor cyber security, identity theft and consumer privacy awareness continues to develop, and it grows with each subsequent year. Banks, financial advisors and wealth managers recognize it is not a matter of if they will be hit, but when. Nation states and solo hackers attack large institutions on a daily basis with little success. However, they only need to get lucky one time to make their efforts worthwhile.
All hope is not lost. There are steps and resources advisors and their clients can implement to protect themselves and their assets. Yahoo! and Equifax did a horrible job of protecting the information, but Capital One responded quickly and swiftly. Here are the top seven tips for advisor cyber security for firms AND their clients.
- Have a Plan – This is the most important, and it is the most overlooked. Small to medium sized businesses think they will never get hit. Work with an IT security firm to design a prevention and response plan. Management should review and update the information annually for relevant changes and improvements.
- Training – All office staff should be trained on identifying phishing scams and protecting company and client assets. Customer-focused firms offer training programs to their clients and regularly help them with shred days and specialized events. Employees don’t need to be IT experts, but they do need to know which links are safe to click and which emails are safe to open. The employee is the weakest link in cyber security.
- Update Technology – Consumers and professionals alike frequently leave their mobile devices, laptops and desktops on older operating systems. Updates fix bugs, backdoors and security flaws discovered by developers and system operators. In 2014 Microsoft stopped supporting Windows XP. Apple regularly moves older products to its “vintage and obsolete” list. Ensure you are on the latest OS.
- Notify Authorities – If you detect a hack or break-in to your systems, notify the appropriate authorities. Contact the Office of the Inspector General, Social Security Administration and FBI Internet Crime Complaint Center. Phone numbers, emails and other contact information should be kept with the cyber security response plan.
- Notify Clients – A client of mine experienced a data breach, and they immediately sent notifications to all of their clients alerting them of the incident. They used a separate email server from the one that had been compromised. In their communication, they alerted everyone of their plans to address the situation and the path forward.
- Keep it up – Monitor the situation. Even after you have discovered a breach or attempted hack, other backdoors may have been installed. Look for other possible incursions and continue to track the attacks. Advisor cyber security is not a static initiative. Always keep efforts moving forward.
- Learning Points – No plan is perfect. Consult with industry experts to uncover other prevention measures to implement. Submit a report to management on what worked well, what failed and plans to prevent future hacks and phishing attempts. These should be added to the employee and client training program.
No plan is perfect. However, the worst plan is not having one at all. No company is so small that it is off the radar, and everyone is a possible victim. Capital One did a great job of displaying on their website what happened, an apology by the CEO and what they are doing to help clients (e.g. free credit monitoring).
If you’d like a consultation on your cyber security efforts, contact us for more information.