How exposed is your firm? I spoke recently with the manager of a large financial company about working together. "Let me run this by our at-risk team to see if this project is doable," the manager said. She explained that every new project that involves their security environment is analyzed to determine where their vulnerabilities might be. This is particularly important with projects involving software and Internet security. "Truthfully," she added, "there really isn't much of anything we do that does not involve our security environment."
This is the world of vulnerability management, which even has a Wikipedia entry: "The cyclical practice of identifying, classifying, remediating and mitigating vulnerabilities." It generally refers to software vulnerabilities in computing systems, but it can also include organizational behavior and strategic decision-making processes.
I began to think about this in terms of our financial advisory practices. We have plenty of exposure. We probably aren't aware of all of our vulnerabilities and most of us don't have a formal process to handle them even if we knew what they were.
The most obvious exposure revolves around the software we use, the handling of sensitive data and our continual connection to the Internet. Our managing partner Matt McGrath sent out a notice this summer stating that we should no longer send reviews or account applications to clients as password-protected PDF files. McGrath says that the firm uses a four-character passcode, often the last four digits of the client's Social Security number, to password-protect sensitive documents delivered through email.
He's learned that four characters is not long enough to protect against hacking: a four-digit code has only 10,000 possible values, and anyone who gets hold of the attachment can simply try every one of them. We had four separate incidents in which a client's email account was hacked and bogus instructions were sent to our office to wire money. Fortunately, our firm always contacts the client to confirm wire instructions before acting on them. We now use a McAfee email encryption program: the client retrieves the document from a secure cloud location, so it is not floating around the Internet protected only by a basic, easily guessed password.
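To put a number on how little a four-digit passcode protects, here is an added example written for this page; it is not the firm's process, not McAfee's software and not a real PDF reader. It stands in for a document's password check with a SHA-256 comparison (an assumption: a real reader's check differs in detail, but like this one it only answers "right" or "wrong" per guess), enumerates every four-digit code against a constructed target of 4821 (not a real client's digits), and then compares the size of that keyspace with a few alternative passcode policies.

```python
"""Added example: exhausting a four-digit passcode's keyspace.

Illustrative code for this page only. The password check below is a stand-in
(assumption: a SHA-256 comparison plays the role of opening the file), and
the target code 4821 is constructed, not taken from the article.
"""
import hashlib
import itertools
import string
import time

DIGITS = string.digits                                   # 10 symbols
MIXED = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def make_checker(secret: str):
    """Return a yes/no oracle for guesses, like trying to open a protected file."""
    target = hashlib.sha256(secret.encode()).digest()

    def check(guess: str) -> bool:
        return hashlib.sha256(guess.encode()).digest() == target

    return check


def brute_force(check, alphabet: str, length: int):
    """Try every string of `length` symbols from `alphabet`, in order.

    Returns (recovered_passcode_or_None, number_of_guesses_made).
    """
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        attempts += 1
        guess = "".join(combo)
        if check(guess):
            return guess, attempts
    return None, attempts


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes a policy allows."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passcode at a given offline guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    check = make_checker("4821")          # constructed target, last-four-of-SSN style
    start = time.perf_counter()
    found, attempts = brute_force(check, DIGITS, 4)
    elapsed = time.perf_counter() - start
    print(f"recovered {found} after {attempts} guesses in {elapsed:.3f}s")

    # Assumed attacker speed: one million guesses per second against an
    # offline copy of the file (a modest figure chosen for illustration).
    rate = 1e6
    for label, alphabet, length in [("4 digits", DIGITS, 4),
                                    ("8 digits", DIGITS, 8),
                                    ("12 mixed characters", MIXED, 12)]:
        size = keyspace(len(alphabet), length)
        days = seconds_to_exhaust(len(alphabet), length, rate) / 86400
        print(f"{label:20s} {size:.3e} candidates, {days:.3g} days to exhaust")
```

The four-digit space falls in a fraction of a second even in plain Python, and a guessed code is only part of the problem: the last four digits of a Social Security number also appear on other paperwork, so an attacker who has already read a client's mailbox may not need to guess at all. Moving the document behind an authenticated download link, as the firm did, removes the passcode as the only barrier.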
In our firm's early days, we believed we needed internal control over our back office. Someone handling activities in-house felt more secure. Let's face it, if big firms like Bank of America have trouble protecting their data, why would a small firm like ours have a better chance? Our overconfidence could have cost us a lot of time and money over the years. We now outsource when we can and hire specialists to protect us from our known exposures.
While security and data protection are of great concern, there are other, less obvious vulnerabilities to consider, such as human resources and compliance. Consider the human aspect. How do you hire and integrate new employees? Do your new hires sign a confidentiality agreement? One of the best ways to protect your data is to obligate your staff to protect it to the best of their abilities.
Do you have an operating policy so that your new hire knows his obligations and responsibilities to the firm? Do you mentor your staff so that they understand your philosophy and values? A value disconnect can create chaos and conflict within your firm and affect your relationship with your clients. My uncle told me that in college he learned there are business values and personal values. "Don't you believe it," he counseled. "Your values should never be compromised for a business position. Always be authentic. Your clients and your staff will trust you absolutely."
If you have a small firm with limited staff you are at risk when employees are out of the office because of vacation or illness. Cross-training your staff helps limit this exposure. Your support to your client should be seamless, regardless of who is executing it. Additionally, I've always advocated a checks-and-balances policy so that multiple eyes review the work product and participate in the process as it moves along.
GO WITH THE FLOW
Similarly, reviewing your processes doesn't just help you spot your vulnerabilities, it can also help your work product become more efficient. I always suggest employees plot their processes using a simple flow chart so that they can see how work is accomplished and where it flows from one staff member to another. Once they know how the flow goes, you can talk with staff to see how these workflow processes can become better and reduce your at-risk exposures.
What measures do you take to keep staff from accessing inappropriate Internet sites? Have you advised staff that business emails should be professional and kept separate from personal ones? Some photographs and questionable jokes do not belong in the workplace. They can create another risk to your firm.
Brian Hamburger of compliance consulting firm MarketCounsel says, "Advisors tend to look at compliance as a thing to be accomplished. It's generally pushed off to the side and looked at separate and apart from the rest of your practice issues. Regulatory compliance should be the quality of service you provide, woven into every aspect of your practice. Your firm should foster a culture of compliance where everything you do is integrated and coordinated within your processes. It's all about accountability to your clients, your staff, the regulatory environment and to your profession."
Hamburger suggests having a business consultant take a comprehensive look at your firm and practices to ensure that you have met all your obligations and sewn up your risk issues in all areas of your practice, not just in compliance.
I recommend five steps that can help manage your vulnerabilities:
1) Define your policy. Determine what security environment you want and what you need for your practice. Look at your firm holistically, including staffing, operations, data safety, compliance, organizational behavior and strategic planning. Your policy should include what standards you will use to compare and measure your progress, in addition to the frequency you will conduct your reviews.
2) Conduct a baseline assessment. Determine what areas are at risk. Consider simple items such as frequency of password changes or security access levels.
3) Prioritize your vulnerabilities. Decide which exposures need the most attention. Which issues create bigger risks and can cause more damage if you postpone your scrutiny? Which issues need attention but create a smaller risk if handled later? Some risks may be remedied immediately, such as putting video cameras in your office or buying data breach insurance to cover loss or theft of sensitive information. To rank the rest, you might use classifications such as urgent, critical, serious, medium and minimal.
4) Mitigate vulnerabilities. Determine what solutions are required to reach your aspirational goals. This may include adding software, staff, procedures or processes. Indicate a time frame to finish these remedies. Your time frame might be dictated by the classification you have assigned to your risk. For example, a critical issue might be assigned a 30-day period for a remedy, while a minimal exposure might be assigned 90 days.
5) Maintain and monitor. Business environments are dynamic and require constant supervision and modification to meet current needs and situations. Make vulnerability management a priority at your firm. Be diligent and consistent.
In this environment of rampant computer viruses, hacking, identity theft and too much frivolous litigation, you cannot afford to take your business vulnerabilities lightly. Set aside time to review your current risks, and get professional help to address them. It's time well spent.
Deena Katz, CFP, is a Financial Planning columnist and an associate professor of personal financial planning at Texas Tech University. She is also chairwoman of Evensky & Katz, an advisory firm in Coral Gables, Fla.