How to Keep Client Data Safe From Online Attackers
LAS VEGAS -- Just hours before he was going to give a presentation on online security for advisors, Bill Winterberg lost his phone at the AICPA Personal Financial Planning Conference. Luckily, thanks to a plan he has for just such an occasion, he found it.
Winterberg activated the "Find my iPhone" function on his phone. By activating a sound signal, he was able to locate it within 3 minutes in the event's designated lost and found section. A good Samaritan had found it and turned it in. It offered a teachable moment for him.
"Make sure you have good security habits. Protect desktops and mobile devices and make sure you know how to locate [them]," Winterberg, an Atlanta, Ga.-based CFP and founder of FPPad, told the audience at the presentation. "If you cannot recover those because not all people are kind, know how to remotely wipe and erase the contents of the device that cannot be recovered."
The incident highlights a timely lesson for advisors, who are prime potential victims for attackers seeking client information. "[Financial planners] are an ideal target for attackers. If they are able to penetrate your defenses, who knows what they can get away with," he said. "Not all targets are Target Stores and J.P. Morgan ... your business is a target because of all the information it contains."
Just weeks after a massive data breach was reported at J.P. Morgan, Winterberg walked the audience through several ways to keep their information safe from online predators.
FINDING PASSWORD 'ENTROPY'
Picking a password that's both difficult to guess and easy for you to remember is not easy. And while you may be aware that 'password123' is probably not the best choice, you may be surprised by the types of passwords sophisticated attackers can break.
Even if you take an obscure word like 'troubadour' and swap in look-alike characters to get 'tr0ub4ad0Ur,' for example, attackers can find ways to work around it, because password-cracking tools routinely try those same substitutions against a dictionary of words. The key, Winterberg said, "is all about... the uncertainty in a random variable."
Winterberg suggests picking four random common words and stringing them together into a passphrase, using a mnemonic so that you can easily remember it. "Adding one bit of entropy to a password, or every character you add to your password makes it more difficult to break it," he said.
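The entropy argument above can be made concrete by counting the possibilities an attacker must search. The script below is an added example, not material from the presentation or from FPPad: it compares the "obscure word with substitutions" approach against a passphrase of random words, and shows why a cracker modelling the first as dictionary word times mangling rule (not as an arbitrary 11-character string) faces a far smaller search space. The dictionary size, the number of mangling rules, the guess rates and the demo word list are all assumptions chosen for illustration.

```python
"""Added example (not from the presentation): estimating password entropy.

Entropy here is log2(number of equally likely possibilities), the model the
talk refers to. Dictionary size, mangling-rule count, guess rates and the demo
word list below are assumptions for illustration only.
"""
import math
import secrets


def char_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet.

    This is the optimistic figure people assume for 'tr0ub4ad0Ur'; it only
    holds if every character really is chosen at random.
    """
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("length must be positive and the alphabet needs >= 2 symbols")
    return length * math.log2(alphabet_size)


def mangled_word_entropy_bits(dictionary_size: int, rule_count: int) -> float:
    """Entropy of a dictionary word with a predictable substitution pattern.

    A cracker does not enumerate every 11-character string; it takes a word
    list and applies a fixed set of mangling rules (o->0, a->4, capitalise,
    append a digit, ...). The space is roughly dictionary_size * rule_count.
    """
    return math.log2(dictionary_size * rule_count)


def word_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words chosen uniformly and independently from a list."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(wordlist, word_count: int = 4, sep: str = " ") -> str:
    """Pick words with the `secrets` module (a CSPRNG), not `random`, so the
    uniform-choice assumption behind word_entropy_bits actually holds."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


SECONDS_PER_YEAR = 365 * 24 * 3600


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


# Constructed word list for the demo; a real Diceware-style list has thousands of entries.
DEMO_WORDLIST = ["correct", "horse", "battery", "staple",
                 "troubadour", "ledger", "harbor", "velvet"]

if __name__ == "__main__":
    OFFLINE_RATE = 1e10  # assumed guesses/s for an attacker holding a stolen hash database
    ONLINE_RATE = 100    # assumed guesses/s against a rate-limited login page
    schemes = {
        "11 chars, if truly random over 95 printable ASCII": char_entropy_bits(11, 95),
        "'tr0ub4ad0Ur': 50k-word dictionary x 1k mangling rules": mangled_word_entropy_bits(50_000, 1_000),
        "4 random words from a 7,776-word list": word_entropy_bits(4, 7776),
        "6 random words from a 7,776-word list": word_entropy_bits(6, 7776),
    }
    for name, bits in schemes.items():
        print(f"{name}: {bits:5.1f} bits, "
              f"~{expected_crack_years(bits, OFFLINE_RATE):.2g} yr offline, "
              f"~{expected_crack_years(bits, ONLINE_RATE):.2g} yr online")
    print("sample passphrase:", generate_passphrase(DEMO_WORDLIST))
```

Two things the numbers make visible that the talk only states: the substituted word is worth roughly 25 bits once the attacker's rule set is accounted for, well below the 70-plus bits its length suggests, while four random words from a 7,776-word list come to about 52 bits and each extra word adds another 12.9. The crack-time estimate depends entirely on the assumed guess rate, which is why the same passphrase can be adequate against a throttled login page and marginal against an offline attack on a stolen hash database.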
Also, to keep your information secure, practice good "password hygiene," he says. "Password hygiene is like a pair of boxer shorts," Winterberg joked. "You need to be changing them often, you need to not share them -- which means sharing them with other people or [using them] on multiple websites." And don't leave them lying around (written down under your keyboard or on your desk). Keep your passwords a mystery.
WOULD YOU MAIL THIS INFORMATION?
Email is many advisors' -- and clients' -- preferred method of communication. But there is some information that simply should not be sent over email. Winterberg suggests that before emailing a document, advisors ask themselves whether they would send the same information through the U.S. postal system.
"If you wouldn't mail it, why would you email it?" Winterberg said. "Once that file leaves your environment, you can't control where it's going to end up ... Let's be honest, you're not helping everybody in the world protect their email accounts. You don't know if [your clients are] using passwords on their phones."
Winterberg suggests setting up an online document vault as an alternative. These document-sharing systems provide a secured area for files, accessed through a website or a third-party service, so the documents themselves never travel as email attachments.
"It is your due diligence to find the services that work well for your organization -- but do not present too many hurdles for your clients," he added. "You want it to be easy to access but not so easy that you're vulnerable to attack."
DON'T FALL FOR SOCIAL ENGINEERING
It's easy to feel safe after employing the techniques above, but sometimes hackers take advantage of one unavoidable loophole: "You are a human being and you employ human beings in your organization," said Winterberg.
Hackers can use that to their benefit through social engineering, which he defines as "the art of manipulating people to divulge confidential information." In these situations, attackers attempt to extract information by 'phishing,' sometimes posing as one of your clients or as your technology vendor in order to trick you into leaking valuable information.
But how can you tell if you're being fooled, and how can you prevent it? Educate yourself and your employees. Keep all your systems up to date and resist 'right now' pressures. If someone claiming to be your client is asking you to do something rapidly -- such as wire money immediately -- think twice and verify the request through a channel you already trust.
"Attackers want you to do something now," Winterberg said. "They want you to do it before you think about it. If you think about it, you'll connect the dots and realize you're being attacked."
He said that clients generally understand when advisors take pause before doing things quickly. Most clients "appreciate a little inconvenience to know you're looking out for [their] interests," he said.
Overall, set up your defensive strategy. Know a little suspicion can go a long way. "Have some healthy suspicion. Not all stories you receive are truthful," said Winterberg. "You are a honey pot of sensitive information -- and attackers know that."