Evasive Action for Cyber Attacks in the Cloud
Regulators are urging advisors to get proactive about managing cyber risk. Last week, the SEC came out with new guidelines aimed at coaxing firms to set strict digital-security policies now rather than responding to hacks after the fact.
The warnings don’t just apply to computers and mobile devices used in the office. Both the SEC and Finra are scrutinizing how FAs work remotely, according to Alan Moore, co-founder of XY Planning Network in Bozeman, Mont. Coming on the heels of exams and sweeps, the latest guidance calls for developing written security policies to cover all types of electronic communications, including those advisors send from home or on the road.
“Advisors need to realize that even the most secure Web-based software services aren’t totally foolproof,” Moore says. “You’ve got to make sure there aren’t any leaks on your end too.”
Cloud-based computing can offer freedom to work where and when you want. But experts warn that handling client data remotely can open a Pandora’s box of security issues, particularly in terms of protection against hackers. To really guard clients’ personal data when working in the cloud, tech gurus often suggest FAs take a three-pronged approach.
The popular document storing and creation tools from Dropbox, for example, are designed to work with all sorts of programs — from Word to Photoshop — on all types of mobile devices and operating systems. The suite, which can cost as little as $15 a month for five users, also boasts “strong encryption” and highly secure login features, according to the company website.
That’s all fine, says Neal Quon, a technology consultant based in Orange, Calif., who works with RIAs. But he recommends advisors use a program like PGP Drive Encryption from Symantec. The program encrypts data on the advisor’s own machine before it is sent to the cloud, so it stays encrypted both in transit and while it sits in the provider’s storage; the key never leaves the advisor’s control. It retails for $72.33 per user. “If for some reason there’s a data breach on the cloud provider’s end, the PGP software will prevent the hacker from actually being able to read anything,” says Quon.
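To show what “encrypted before it reaches the cloud” buys an advisor, here is an added example (not code from the article or from any product it names) in Go. It encrypts a record with AES-256-GCM under a key that exists only on the local machine, hands the sealed blob to a stand-in for the provider’s storage, and then checks what a breach of that storage would expose. The `cloudStore` map, the object names and the sample client record are constructed for the illustration; a real deployment would need a key-management story this snippet deliberately leaves out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// cloudStore stands in for the provider's storage. It only ever sees the
// bytes the client hands it; if the provider is breached, this map is what
// leaks. (Constructed for the example.)
type cloudStore map[string][]byte

// newKey makes a 256-bit key that lives only on the advisor's own machine.
func newKey() []byte {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	return key
}

// seal encrypts plaintext with AES-256-GCM before anything leaves the device.
// The object name is bound as associated data, so a blob the provider copies
// under another name will not decrypt. Output layout: nonce || ciphertext || tag.
func seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// unseal reverses seal; any change to the blob, the key or the name fails.
func unseal(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// upload encrypts locally and sends only the sealed blob to the store.
func upload(store cloudStore, key []byte, name string, plaintext []byte) error {
	blob, err := seal(key, name, plaintext)
	if err != nil {
		return err
	}
	store[name] = blob
	return nil
}

// download fetches the blob from the store and decrypts it locally.
func download(store cloudStore, key []byte, name string) ([]byte, error) {
	blob, ok := store[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	return unseal(key, name, blob)
}

// breachReveals models an attacker who has the provider's storage but not the
// key: it reports whether the stored bytes expose the given plaintext.
func breachReveals(store cloudStore, name string, plaintext []byte) bool {
	return bytes.Contains(store[name], plaintext)
}

func main() {
	key := newKey()
	store := cloudStore{}
	record := []byte("Client: J. Doe, SSN 123-45-6789") // constructed sample
	if err := upload(store, key, "doe.txt", record); err != nil {
		panic(err)
	}
	fmt.Println("provider can read the record:", breachReveals(store, "doe.txt", record))
	got, err := download(store, key, "doe.txt")
	fmt.Printf("advisor reads back: %q (err=%v)\n", got, err)
}
```

The point the test below exercises is the one Quon makes: with the key held locally, the provider's copy is opaque, a second key does not open it, and any tampering or renaming on the provider's side is detected rather than silently accepted.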
Even with the data itself encrypted, he says advisors should set up their own personal virtual private networks. These are especially important for FAs on the go who need to tap into public Wi-Fi networks: a VPN tunnels all of the laptop’s traffic to the VPN provider’s server, so others on the same coffee-shop network see only an encrypted stream rather than the individual connections and sites behind it (the trade-off is that the VPN provider can now see that traffic instead). “Installing your own VPN framework adds a second level of security that we think is vital to working in the cloud,” says Quon. One of his favorite apps is Hide My Ass, which costs around $79 a year.
As an extra safety measure, he suggests advisors create and store documents using software from storage developer Box or Microsoft’s SharePoint instead of Google Drive or Dropbox. The former programs offer greater flexibility to define rights and assign access privileges to multiple users, says Quon. Another advantage for advisors, he adds, is that they are designed to comply with Finra and SEC recommendations for digital security. While Box has a free version, full-fledged business packages start at $5 a month, similar to SharePoint’s entry-level pricing.
Besides securing data and documents, advisors need to protect e-mail transmissions while working remotely, says Sam Gough, an advisor at Ballentine Partners in Waltham, Mass., which manages $5.6 billion. Once identity thieves steal someone’s e-mail login and password, he says, they “essentially hold the keys to the kingdom.” Because cloud services send their password-reset links to the account’s e-mail address, control of the mailbox lets a thief reset the victim’s logins for those services too, even when their credentials are different from the e-mail account’s.
So Ballentine has built a proprietary security suite that includes a two-step authentication process. The system sends codes to users before they can access e-mails or documents. Gough says he spends considerable time explaining to new clients the need for these verification procedures in their personal accounts.
He adds that people often resist because they don’t want to be inundated with security alerts and reminders. In those cases, he helps them set up their messaging and document storage services so approvals are required only for unrecognized users or computers. “So not only do we build such security into our own system,” says Gough, “but we also make sure that a client’s own e-mail accounts are properly secure.”
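The compromise Gough describes, a second-step code that is demanded only from unrecognized devices, is a small piece of policy logic worth seeing in full. The following is an added example in Go, not Ballentine’s proprietary system or any vendor’s code: it issues a one-time code, verifies it as single-use, time-limited and compared in constant time, and then remembers the device so later logins from it skip the step until the trust period lapses. The in-memory maps, the code and trust lifetimes, and the user and device names are all constructed for the illustration; how the code is delivered (SMS, e-mail, authenticator app) is left to the caller.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pendingCode is a one-time code issued for a single login attempt.
type pendingCode struct {
	code    string
	expires time.Time
}

// secondFactor is an in-memory model of the two-step check. Both maps are
// constructed for the example; a real system would persist and scope them.
type secondFactor struct {
	codeTTL  time.Duration
	trustTTL time.Duration
	pending  map[string]pendingCode          // user -> code awaiting entry
	trusted  map[string]map[string]time.Time // user -> device token -> trust expiry
}

func newSecondFactor(codeTTL, trustTTL time.Duration) *secondFactor {
	return &secondFactor{
		codeTTL: codeTTL, trustTTL: trustTTL,
		pending: map[string]pendingCode{},
		trusted: map[string]map[string]time.Time{},
	}
}

// NeedsCode reports whether this login must be confirmed with a code.
// A device the user approved earlier is exempt until its trust expires.
func (s *secondFactor) NeedsCode(user, deviceToken string, now time.Time) bool {
	exp, ok := s.trusted[user][deviceToken]
	return !ok || !now.Before(exp)
}

// IssueCode generates a fresh 6-digit code from a CSPRNG. The caller delivers it.
func (s *secondFactor) IssueCode(user string, now time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.pending[user] = pendingCode{code: code, expires: now.Add(s.codeTTL)}
	return code, nil
}

// VerifyCode checks the submitted code and, on success, marks the device as
// trusted. The pending code is consumed on any attempt, right or wrong, so a
// guesser cannot keep trying the same code; they must trigger a new one.
func (s *secondFactor) VerifyCode(user, deviceToken, submitted string, now time.Time) error {
	p, ok := s.pending[user]
	if !ok {
		return errors.New("no code pending")
	}
	delete(s.pending, user)
	if now.After(p.expires) {
		return errors.New("code expired")
	}
	if subtle.ConstantTimeCompare([]byte(p.code), []byte(submitted)) != 1 {
		return errors.New("wrong code")
	}
	if s.trusted[user] == nil {
		s.trusted[user] = map[string]time.Time{}
	}
	s.trusted[user][deviceToken] = now.Add(s.trustTTL)
	return nil
}

func main() {
	s := newSecondFactor(5*time.Minute, 30*24*time.Hour)
	now := time.Now()
	fmt.Println("new laptop needs code:", s.NeedsCode("alice", "laptop-1", now))
	code, _ := s.IssueCode("alice", now)
	fmt.Println("verify:", s.VerifyCode("alice", "laptop-1", code, now.Add(time.Minute)))
	fmt.Println("same laptop tomorrow needs code:", s.NeedsCode("alice", "laptop-1", now.Add(24*time.Hour)))
	fmt.Println("unknown phone needs code:", s.NeedsCode("alice", "phone-1", now.Add(24*time.Hour)))
}
```

The device token would in practice be a random value set in a long-lived cookie or stored on the device after the first successful check, not anything an attacker can guess from the victim's e-mail; a trust lifetime keeps a stolen token from working forever.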