Back office IT security is an unsung modern-day hero. When things go right, it runs in the background, practically invisible. But, when something goes wrong, the failure could result in irreparable damage to the firm’s reputation, legal and enforcement costs and potential loss of clients.
Although data breaches at companies that are household names have been appearing on the news with surprising regularity, many firms still view IT security as a low-priority issue. In theory, everyone agrees that security is important. In practice, unless the server room is on fire, there is a dangerous lack of urgency to verify security preparations. Just like visiting the dentist or revising a will, we tend to believe there will be plenty of time to do it when we are less busy.
If you think that your firm is immune or simply not interesting or important enough to warrant a virtual break-in, think again. According to the 2016 PricewaterhouseCoopers Global Economic Crime Survey, cyber-crime is now ranked #2 among the most reported types of economic crimes (up from fourth last year).
Treating Password Policy As An Afterthought
The problem with passwords boils down to three key issues:
- Poor design rules
- Lack of password usage policies
- Weak encryption when stored
Ryan Kerry, CEO of Accusource, has seen an almost endless series of cybersecurity issues during his 20+ years in the industry. Customers depend on his firm for outsourced portfolio accounting solutions, and cybersecurity policies are a critical component of keeping client data safe.
Bad password habits are the most common cybersecurity issue found during audits, Ryan reported. They appear more frequently when firms work with alternative investments or obscure custodians, he noted. Fortunately, most password issues are easy to fix with a dash of education and consistent enforcement.
Design Better Passwords
Training users to avoid choosing easy-to-guess passwords will be your first line of defense. Any in-house Single Sign On (SSO) applications should run new user passwords through a strength meter before accepting them. Open source options are available that can be freely incorporated into your code base.
If you do not have access to the SSO code, an alternative idea is to have users check their potential passwords against some freely available online services:
All of these sites will evaluate a password’s strength and also check it against the 1,000 most commonly used passwords that have been gleaned from hacker data dumps. The sites will inform you if your password is on the list or is otherwise weak and should be avoided.
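As an added example (not code from the article or from Accusource), here is the kind of acceptance check an in-house SSO sign-up form could run on a proposed password: it rejects anything on a common-password list, including trivial variants such as appended digits or letter-for-symbol swaps, and enforces an assumed minimum length and a rough strength estimate. The blocklist and the thresholds are constructed for illustration; a real deployment would load the full common-password list from a file.

```python
import math
import re
from dataclasses import dataclass, field

# Constructed sample blocklist; a real SSO would load the full
# most-common-passwords list from a file instead of this handful.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome", "football",
    "iloveyou", "admin", "abc123", "monkey", "dragon", "passw0rd",
}
MIN_LENGTH = 12   # assumed policy values, not from the article
MIN_BITS = 60.0

_LEET = str.maketrans("@0$3", "aose")  # undo common letter-for-symbol swaps


@dataclass
class Verdict:
    accepted: bool
    bits: float
    reasons: list = field(default_factory=list)


def normalize(password: str) -> str:
    """Fold trivial variants ('Welcome2024!', 'P@ssw0rd') onto the base word."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())  # drop trailing digits/symbols
    return base.translate(_LEET)


def estimate_bits(password: str) -> float:
    """Rough strength: length * log2(size of the character pool actually used)."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> Verdict:
    """Return the verdict a sign-up form would show before accepting the password."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    bits = estimate_bits(password)
    if bits < MIN_BITS:
        reasons.append(f"estimated strength {bits:.0f} bits is below {MIN_BITS:.0f}")
    return Verdict(accepted=not reasons, bits=round(bits, 1), reasons=reasons)
```

Note that "Welcome2024!" passes the length and strength tests yet is still rejected, because the normalized base word is on the list.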
Establish a Password Usage Policy
Many companies do not have a well-enforced set of password guidelines. As a result, it is not unusual to see an advisor and his or her assistant use the same set of log-in credentials across multiple platforms for convenience. Unfortunately, those practices make it challenging to place accountability in the event that access is compromised. They also expose the firm to damage across platforms if access credentials are stolen. Every user should have a unique user name and password combination for each program or system they access. Kerry also recommends changing those passwords frequently (at least twice a year).
Use a Password Manager
Password storage systems deserve a separate mention. Kerry has seen a number of terrible password habits over the years. Some of the worst offenders used Excel spreadsheets, 3-ring binders or even Post-It notes stuck to monitors.
A more secure approach is to use a password manager app. Think of it as an encrypted vault that you always have available on your mobile devices and computers. There are many inexpensive and highly secure options that will synchronize your passwords across all of your devices.
Not Taking Advantage of Remote Access
Remote access is often viewed as too risky. As a result, many firms choose to simply deny it as an option. However, as Kerry points out, it is possible to build highly secure remote access protocols that give employees the benefit of accessing the data they need without exposing the firm to undue risk.
Highly secure remote access begins with defining effective procedures for allowing non-firm devices access to the firm’s network and data. Kerry recommends requiring VPN access (in other words, no free Starbucks wi-fi access allowed).
Use two-factor authentication to overlay the traditional user name and password combination with an additional piece of data known only to the authorized user. The second layer can be an electronic hardware token with a code that changes every 60 seconds, a phone app or an individually assigned PIN.
Automating certain controls over remote access can also be highly effective. Consider creating an automated virus scan of each local machine to detect vulnerabilities or abnormalities. An intrusion prevention and detection routine running in the background can be effective at identifying traffic or activity patterns that are risky.
Lastly, many security-conscious clients have strict bans on employees moving mission-critical data onto personal devices. While this may seem inconvenient, it is the best way to remove an entire category of security threats. The fewer you have to worry about, the better you will sleep at night.
Digital security is critical to your firm’s ability to serve clients and safeguard their data. As such, it should never be overshadowed by other priorities. The pace of technological change is accelerating, which means that hackers are developing ever more powerful tools to compromise your systems. Keep your security protocols up to date and invest in both digital security and staff training. Your clients deserve nothing less.