Wealth Think

Cybersecurity mistakes your firm is still making

p1a4dgvv3o1i4shms1kdo1hnr18fpe.jpg

As recent breaches and related major SEC-imposed fines have made clear, cybersecurity is not something that financial advisors and accountants can afford to address once in a policy handout, never to revisit.

Indeed, breaches keep occurring and mistakes keep happening because of non-adherence to firms’ cybersecurity policies and because of a lack of oversight and enforcement of those policies. This has become more true over the past year or so as firms have shifted operations and applications to cloud-based environments. The financial services industry is a long way from being cybersecure.

Wes Stillman

Forewarned is forearmed. Here are the most common cybersecurity mistakes that advisors and accountants are still making.

Misunderstanding the cloud 
Overestimating the protection offered by the cloud and software as a service (SaaS) applications is still a key mistake. The cloud generally offers security for data and documents stored within it, but it is not a cybersecurity solution.

When information is used outside of the cloud, there are no guarantees. Owners of RIAs and accounting firms should be concerned with how, when and where documents and applications are accessed — regardless of where they are stored. Information that is accessed, downloaded and used on unsecure, unencrypted devices can potentially expose the firm to cybersecurity issues.

Low cybersecurity awareness
Another major blunder firms make is assuming that employees are equally up-to-date on what the cyberthreats are and how to protect the firm from them. Unless firms work actively to create a culture of cybersecurity awareness, this is never the case. Security threats are constantly evolving as the sophistication of the bad actors increases.

A firm owner can elevate the level of cybersecurity awareness in their existing culture by leading through example with ongoing verbal, written and electronic reminders. Budget time in team meetings to address these issues and consider bringing in outside consultants from groups like Infosec or KnowBe4 for occasional briefings, training or updates.

Lax enforcement of security policies 
As the SEC showed with its sanctions and collective $750,000 in fines against Cetera, Cambridge and KMS Financial Services, cybersecurity is not just about instituting comprehensive policy, but about meticulously enforcing it. When a firm allows data to be accessed using any unsecure, unprotected device or application, it is exposing itself to real cybersecurity issues.

For example, an RIA may have an encrypted, password-protected email system. But once the firm email is synced to an unprotected device, the email becomes unsecure and the entire firm is potentially exposed to malware and phishing viruses.

Today’s firms should consider secure identity management platforms that minimize the need for passwords by using single sign-on with adaptive multifactor authentication (MFA). In fact, MFA and end-device protection should be non-negotiable, particularly in remote work environments where users can access firm and client data through personal devices.

Firm owners need to keep cybersecurity management at the forefront by continually asking themselves, "Where's the data?" Remember, the issue is often not about storing data or email inside the firm. The increased risk can happen when information leaves the safe environment and ends up on unprotected personal devices, such as laptops, tablets and mobile phones — all of which are vulnerable to data breaches and cybersecurity attacks.

Client service overriding client security
It is natural to want to help clients with requests that seem to merit an immediate response. But excellent client service also includes policies that validate these requests to ensure they are legitimate.

Advisors must have procedures for validating email and telephone requests for wire transfers and for identifying and confirming clients. For example, a client who has forgotten their account login can be directed to re-register themselves and answer their own security questions rather than being given a password prompt or other personal information over the telephone.

Delegating cybersecurity/IT oversight to employees
There is too much at stake to continue delegating cybersecurity and IT oversight entirely to the staff member who is the firm's default technology expert. Cybersecurity threats are increasingly sophisticated, and the regulatory environment is evolving, too. Ultimately, it is the business owner's responsibility when something goes wrong.

Putting checks and balances in place serves to protect the firm owner, as well as to monitor how IT policies and procedures are executed. Owners of RIAs and accounting firms also need to know and document who is logging in to what, when and where in the event of a cybersecurity breach.

Skimping on the cybersecurity budget
Cybersecurity management requires commitment of time and resources. Unfortunately, many advisors and accountants fall short when budgeting for this, which increases their firm's exposure to a potential breach. Firm owners need to consider cybersecurity as part of their firm's larger risk management budget and as an investment in brand protection and cost avoidance. For those with some security measures already in place, a good rule of thumb is to consider their annual IT budget and add on an additional 25% for cybersecurity protection, in addition to ongoing training and policy management.

For reprint and licensing requests for this article, click here.
Technology Practice and client management
MORE FROM ACCOUNTING TODAY