Encryption: What advisors need to know
Encrypt sensitive information, planners are routinely warned by security experts. Many states even require it. But there’s also confusion out there among advisors about the nuts and bolts of encryption.
“Planners would love to get specific guidance,” says advisor and technology consultant Bill Winterberg, but he suspects that many are frustrated. As a result, he says, “I would boldly guess that the majority of advisors are not using encryption properly.”
Encryption basically means taking easily readable information and securing it by making it unreadable. It is a technically complex process involving complicated algorithms, but the everyday use of encryption online is generally pretty simple once you understand the options.
Winterberg points out that many computers, especially Apple's, come equipped with encryption systems, and he says simple off-the-shelf encryption software should be adequate for most planners. When people use passwords to log on to a computer, access files or send emails, they’re generally already using encryption, though it can be difficult to know what information is encrypted and how. One way to know that information is being sent in encrypted form is an “s” added to the familiar “http” in a web address, so that it reads “https.”
LEVELS OF ENCRYPTION
There are different types and levels of encryption. Encryption can be applied to an entire hard drive, and it can also be applied to specific files, providing multiple layers of defense. If a computer is lost or stolen, those additional layers can be helpful in protecting data.
Advisors should encrypt all backup files, regardless of the form they are in, says technology and compliance consultant E.J. Yerzak, who conducts security risk assessments for advisors and broker-dealers. Email can be encrypted manually or automatically – many email programs have encryption options built in, and advisors can get plug-ins, but those options have to be enabled by both parties using the program to be secure, says Yerzak.
While advisors should encrypt their email, he says, “email is still a notoriously insecure means of communication.” For planners concerned about protecting information, encrypted portal websites for clients are an increasingly popular choice – and Yerzak and Winterberg both approve of the trend.
Automatic encryption and other options are becoming more prevalent in mobile devices, but handhelds still seem to present the weakest link in the security chain, says Yerzak. Advisors are often told to avoid using public wireless networks, like hotspots in coffee shops, but planners can add a layer of protection by using a virtual private network (VPN), which is essentially a secure, encrypted “tunnel” over a public network. It offers more defenses, but, Yerzak points out, “there’s never 100 percent security.”
Encryption is a necessary tool for planners, but, Yerzak warns, “it’s not a silver bullet.” For example, if the encryption key is accessible to people who shouldn’t have it, he says, it’s just as if the information had never been encrypted to begin with.
Encryption can also add another level of complexity to communication, which is a potential problem for interaction with clients. Yerzak says that he occasionally sees “pushback” from clients who express annoyance at security precautions and sometimes sees advisory staff who send information insecurely to accommodate customer impatience.
“The best way to address that is to be clear and communicate with clients that it’s in their best interest that you’re making them jump through all these hoops,” says Yerzak. “In my experience, firms that have done a good job of communicating the underlying reasons are in a better position to make that jump towards using encryption.”
Paul Hechinger is a New York-based freelance writer.