Cybercriminals are quite nimble in outsmarting protection measures. This makes it essential to be proactive and stay one step ahead of bad actors. The SEC Cybersecurity Guidance provides a lot of information about security and compliance. But it doesn’t specify what steps firms should take to teach their clients how to be safe online from cyber threats.
This is important to consider. We have come across cases where the registered investment advisor firm itself was safe, but the client’s email or computer wasn’t. These compromised accounts were then used to steal funds.
The cybersecurity risks and incidents we are dealing with today are immense. For example, a massive data breach containing a collection of 772,904,991 unique emails and 21,222,975 unique passwords was discovered this year. If you want to find out if your email address was one of them, you can check it out for yourself here.
The sheer number of compromised email addresses and passwords is staggering. Cybersecurity isn’t something only for senior management or the board of directors. Bad actors don’t discriminate, they target everyone. So even though the SEC Guidance doesn’t mention it, client cybersecurity is critical to your business. Banks are already addressing the problems and so should you!
So how do you help clients better protect themselves? An excellent place to start is by providing information about cybersecurity risks.
Here Are Some Safe Computing Tips to Share with Clients:
Two-Factor Authentication for All Important Online Accounts
Every online account you have is vulnerable to a data breach. For the time being, the best way to secure your accounts is with two-factor authentication (2FA).
What’s two-factor authentication?
You might have come across 2FA before. Apple, Facebook, Google and the like already have it as an option to better secure accounts. In fact, they encourage you to select this option.
2FA adds a second level of authentication to an account login. For example, when you enter only your username and one password, that’s single-factor authentication.
When it’s 2FA, it will need the user to have two or three types of credentials before they are allowed access to the account.
What are the three types of credentials?
- A personal identification number, a pattern, or password
- An ATM card, mobile phone, or a small security device with built-in authentication (known as a key fob)
- Biometric fingerprint, voice print, or FaceID
This is how it works. When you log into a service (like your email account), it will use your mobile phone or another authorized device or service to verify your identity. This usually takes the form of clicking on a text or an emailed link. You can also authenticate your login by typing in a number sent to an authenticator app.
The idea behind 2FA is nothing new. Credit card companies have been using it for years. Whenever you’re asked to enter your ZIP code to confirm a charge, that’s 2FA in action.
Here’s a terrific resource to share with your clients: https://twofactorauth.org/. This site lists the major sites and services that support 2FA.
Sign up for an Email Security Service.
Gmail and Outlook have some basic security features built into them. The paid versions of these platforms offer much more.
If you’re using a company email address, you’ll need to use an email security service. Email security services scan all emails before they come into your inbox, and do a better job than Gmail or Microsoft in catching bad emails.
Never Use Public Wifi
When you’re on the road and need to get some work done, it can be tempting to use free public Wifi. Most people use it at the airport, coffee shop, or hotel to save on data charges. But whether it’s from your smartphone or laptop, this is a bad idea.
You should never use a public WiFi network because they are (notoriously) insecure. Anyone connected to that same WiFi network could be watching everything you do.
Public WiFi networks are typically unencrypted. This means that someone with basic hacking skills can quickly access your information.
So next time you think about checking your financial statement on a public Wifi network, consider the following:
- Man-in-the-Middle Attack: This is a classic digital eavesdropping technique. In this scenario, a bad actor can sit in the middle and capture sensitive information passing from one point to another. You can also be misdirected to a rogue site or asked to download malware from a bogus link.
- Evil Twin: This is when the free public Wifi network’s name is modified a little to trick you into logging in. An “evil twin” network can look authentic. So even if you’re very careful, you can easily fall victim to this technique.
- Snooping and Sniffing: This technique uses specialized software and devices to track WiFi signals. You have to be careful because they can have full access to what you’re doing online.
So when the risks are this high, it’s much safer to use your mobile phone’s hotspot. The same is true even if you’re not accessing sensitive information.
If you can’t use your mobile phone’s hotspot, consider signing up for a VPN service. VPNs will encrypt your online traffic to keep it safe from spying eyes. One we like is Private Internet Access.
PRO TIP: This is also a good reminder for registered investment advisors. Regardless of the situation, never use public Wifi. It’s one important way to maintain compliance with the SEC Cybersecurity Guidance.
Always Use Long and Unique Passwords
Long and unique passwords are hard to remember (trust us, we know!). For example, using your child’s name or your birthdate as a password is much easier to recall.
But to protect your sensitive information, it’s vital to use long, unique passwords. Both financial sites and email accounts will need strong passwords.
So change your password if you have been using it for more than one account.
Use Two Good Antivirus Programs
Antivirus only catches less than half of the malware that causes breaches. To boost security, it’s good to have two programs to get a combined protection effect.
In the age of ransomware attacks, you can never be too careful. But practice caution and make sure that both programs don’t come into conflict with each other.
Contact us if you want to learn which ones we recommend. You need to be careful, and certain types of antivirus programs conflict with each other and cause problems.
Be Aware of Phone Calls
Online financial heists often start with someone calling you, pretending to be from a bank to gather information. So it’s essential to teach your clients to always be alert.
Consider educating your clients about their own cybersecurity management. Banks have gotten very good at this – they post “how to be secure” pages on their website, create videos, and will even have educational seminars.
The SEC Cybersecurity Guidance doesn’t mention anything about client cybersecurity, but you will have to take a proactive approach. While you won’t be expected to do it on the same scale as banks, it will help to spread the word about good cybersecurity.
If you need help with your client cybersecurity program or have questions about the SEC Cybersecurity Guidance, sign up for a free SEC Cybersecurity Strategy Session or give us a call at 888-646-1616.