Whether your registered investment adviser (RIA) firm is a small to mid-size business or an enterprise, you must strategize how best to protect your firm’s devices from cyber threats. The number of sophisticated attacks, such as phishing, has undoubtedly increased for the wealth management industry. In this blog post, we discuss the tools firms deploy for a successful cybersecurity strategy as it relates to their employees’ devices.
Most RIA firms, small or large, have by now seen the benefits of hiring IT firms or Managed Service Providers (MSPs) to create and administer corporate-level enterprise networks for the RIA firm. These enterprise-grade networks connect all users to the local area network and control their access to it, as well as to any resources in data centers or cloud environments. All firms with remote workers will have the enterprise network set up to support employees working from personal or business devices. It’s increasingly common to see remote employees working from their own personal computers (called BYOD, or bring your own device), as firms can avoid the cost of purchasing new computers and the employees are already familiar with their own device.
A firm’s IT provider or managed services provider (MSP) will have antivirus programs installed on company assets and will be responsible for applying all the latest updates as appropriate.
The IT or MSP provider should be providing regular reports to the RIA firm detailing the status of the equipment, including whether the pattern files are current, how the equipment is protected, and when the antivirus scans are both scheduled and completed. It’s vital for the reports to show which computers, if any, have not completed the required scans, so those devices are flagged to be updated.
For firms that take this task on internally (without an IT or MSP provider), you should have a reliable antivirus on all your employees’ devices. It’s also vital to be diligent about updating the software pattern file. The pattern file is a repository the manufacturer puts together to recognize new threats. For example, when a bad actor writes a new virus (a common occurrence currently), an antivirus provider, such as Webroot, works to recognize the virus and create a pattern to push into its virus scanner. Therefore, you need to make sure your virus scanner is updating frequently and can recognize each new virus as it’s identified. These heuristics are updated regularly. As a compliance and cybersecurity provider for RIAs, this is one of the main areas of weakness we see within firms, because people typically shut their computers down at the end of the day and the scans don’t run.
For remote workers, ensure a virus scan is performed regularly — we recommend once a week. If you’re in charge of your computer, you must ensure these scans are completed. Instead of shutting down, lock your computer overnight when you know the scans are scheduled to run, so they can be completed.
Multifactor authentication (MFA)
MFA is deployed by the MSP or IT provider, or firms can take this task on in-house. There are three main reasons to implement MFA within your RIA firm.
1) If an employee forgets their password, they can recover the password or create a new one using their second device and without having to engage IT. We often see that involving IT for password recovery can create unnecessary delay.
2) The second factor, the mobile device or dongle used to verify the user’s identity, will not be available to another party (a hacker) to use to log in.
3) The MFA program tracks where each user has logged in. This is beneficial from a management and supervisory perspective because you can detect if someone is logging in from different locations, which is particularly important if they’re not where they are supposed to be. Besides geographical location, MFA will show the time and date employees log in, which is often used to demonstrate that remote work is efficient. It’s difficult to track this data through VPN logs.
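As an added example (not code from the original post or from any MFA vendor), a supervisory review of MFA login records: it flags a user whose successive successful logins come from different countries within a short window, the "logging in from different locations" case described in point 3. The log format, field names and the two-hour window are assumptions; the records are constructed sample data.

```python
"""
Added example, not from the original post: review constructed MFA login
records and flag users whose consecutive successful logins come from
different countries within a short window. Format and window are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample MFA export; field names are assumed, not a vendor format.
SAMPLE_MFA_LOG = """timestamp,user,country,result
2024-05-07T08:02:00,alice,US,success
2024-05-07T09:15:00,alice,US,success
2024-05-07T09:40:00,alice,RO,success
2024-05-07T08:30:00,bob,US,success
2024-05-08T10:00:00,bob,GB,success
2024-05-07T11:00:00,carol,US,denied
"""

WINDOW = timedelta(hours=2)  # assumption: two countries within 2 hours warrants a supervisory look


def find_location_anomalies(log_text, window=WINDOW):
    """Return (user, earlier_country, later_country, later_timestamp) tuples.

    Only successful logins count; a denied attempt never establishes a location.
    """
    rows = [r for r in csv.DictReader(io.StringIO(log_text)) if r["result"] == "success"]
    rows.sort(key=lambda r: (r["user"], r["timestamp"]))  # ISO-8601 strings sort chronologically
    alerts = []
    previous = {}  # user -> that user's most recent successful login row
    for row in rows:
        last = previous.get(row["user"])
        if last is not None and last["country"] != row["country"]:
            gap = datetime.fromisoformat(row["timestamp"]) - datetime.fromisoformat(last["timestamp"])
            if gap <= window:
                alerts.append((row["user"], last["country"], row["country"], row["timestamp"]))
        previous[row["user"]] = row
    return alerts


if __name__ == "__main__":
    for user, before, after, when in find_location_anomalies(SAMPLE_MFA_LOG):
        print(f"{user}: {before} -> {after} at {when}")
```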
Another aspect of a strong cybersecurity program is good data hygiene. We do not recommend having your employees store files on the computer’s hard drive, particularly if the computer is not set up with encryption. As an alternative, we suggest remote workers rely on the remote desktop instead of pulling files onto their computers. This is typically an operational requirement written into the firm’s policies and procedures, because it’s very difficult to monitor employees’ file storage habits daily and prevent local storage.
If an employee’s hard drive is stolen, the files and private data can be accessed by the person who takes the device. RIAs would risk having their clients’ private financial data stolen if employees stored information on their devices, unless it’s encrypted and locked. RIAs should frequently discuss this area of risk with their employees, so everyone understands the consequences of not storing their files properly.
We recommend RIAs deploy encryption tools, such as BitLocker, for all their local devices. Set up the device to ensure all files are encrypted as they are created or transferred. If the hard drive is stolen, the bad actor would not be able to access the files without the encryption key. Tip: ensure the IT provider has a copy of the encryption (recovery) key, so you can access the files again.