As more registered investment adviser (RIA) firms shift to utilizing cloud-based technology systems, such firms may want to explore utilizing a password manager tool as part of the firm's information security plan. Cloud-based solutions require staff members to manage a growing number of system login credentials. Password manager tools help protect against risky password management practices and reduce the overall burden in managing a multitude of login credentials across the firm's customer relationship management (CRM), portfolio management and reporting (PMR), financial planning, email, cloud storage, and other relevant systems. However, just implementing a password manager tool is far from a full cybersecurity solution in itself. Rather, it is just one tool among many others that investment advisory firms should look to deploy.
Common Password Mistakes
Staff members reusing the same password across multiple software systems is a major cybersecurity risk for RIA firms. If the common password was compromised, a hacker could have instant access to multiple services, greatly increasing the impact of a security breach. The risk of a password being compromised exponentially increases each time it is reused, as hackers can acquire the password from additional sources. The password's security is, by extension, only as good as the weakest security protocols implemented by the services it is used to access. One common password exploitation scenario is when a staff member's recycled password to his or her personal email account is compromised, that same compromised password can then be utilized to access sensitive RIA firm systems if additional information security tools, such as two factor authentication, are not properly implemented.
Another common mistake is using different, but weak passwords because they are easy to remember. As we discussed in our earlier post titled "The Greatest RIA Cybersecurity Threat is Your Firm's Staff: What To Do," there are a few guidelines that an RIA firm can follow to help create stronger passwords. The list of recommendations below helps protect a password from brute force password cracking tools:
Create a strong password by:
- Containing both upper and lower case letters
- Containing at least one number
- Containing at least one special character
- Using at least 10 characters
- Avoiding any words found in a dictionary
- Avoiding any personal information such as pet names or birth dates
- Avoiding consecutive or repeated characters (e.g. 123456, qwerty, abc123, etc.)
For all of the reasons listed above, remembering appropriately strong passwords for two or more online services quickly becomes a difficult task. Because most advisors try not to spend an hour a day memorizing several 16 digit randomized sequences, a few dangerous "office remedies" have emerged. Many advisors choose to create a list of current passwords in Microsoft Word or Excel. Another approach is to utilize their web browser's included password saving tool. With both of these solutions, an unencrypted list of passwords and usernames is often saved to a computer's hard drive. Thus, if the computer is stolen, lost, accessed remotely via a hacker, or inappropriate accessed by the office cleaning staff, a bad actor now has access to the full list of system login credentials. On the other hand, some advisors or staff members instead write down passwords on a note pad or sticky note. Again, this poses a significant information security risk because it is quite easy for a bad actor to gain access to the physical password list.
How does a Password Manager Tool Help RIA Firms Manage User Login Security Risks?
Many RIA firms are beginning to establish cybersecurity policies and procedures which require advisors and staff members to use unique, complex passwords for each system. However, simply implementing such a policy is generally not enough, instead an investment advisory firm needs to have the ability to audit, test, and ensure that employees are actually following password policies. If left unchecked, most employees will default to bad password practices given the inherent inconveniences in utilizing unique, strong passwords.
A password manager tool facilitates the use of strong passwords and can provide audit and tracking capabilities to ensure that each staff member is following the firm's user login credential information security policies. For example, password manager tools often provide the capabilities to each individual user:
- Automatically generate unique, random passwords for the user for each software system
- No longer require the user to remember or insecurely save multiple login credentials
- Allow the user to access secure passwords online, offline, and across multiple devices
- Identify weak current passwords that may not be strong enough or used for multiple systems
- Automatically update passwords on a regular basis
For an administrator or RIA firm principal tasked with managing the firm's information security procedures, password manager tools also often provide these additional features:
- Implement and require 2 factor authentication at the firm level rather than separately for each software system
- See a full audit trail of all firm software systems accessed by each individual user
- Ensure that each individual user is using strong, unique passwords with the ability to set and enforce custom password policies (length, strength, etc.)
- Grant or remove user access to all firm software systems in a single interface
- Receive alerts if a user's login credentials are believed to be compromised online
When logging into a service, a password manager tool functions very similarly to an internet browser's standard password archiving tool. When the advisor or staff member accesses a web or cloud-based system that includes a login page, a password manager tool recognizes the current web page and will provide the previously saved password. The password manager tool will next automatically generate a lengthy, unique password. The encrypted password is then saved to the user's account and can be accessed and viewed through the password manager software.
RIA Cybersecurity Risk Cannot Be Mitigated Solely with Technology
However, it's important to note that password manager tools are not an information security solution for RIA firms by themselves and are not fool proof. A password manager tool still requires each individual user to create a strong, unique master password which the user must remember. If the user's master password is compromised and other security layers such as 2 factor authentication are not properly implemented or enforced, the user's account can become exposed. In addition, the security strength of the password manager tool which is being utilized also becomes paramount. Proper due diligence is essential.
As such, there is no perfect solution when establishing password management policies. Even with the proper technology and security tools in place, staff members need to be constantly trained and reminded about ever-looming cybersecurity risks.
Be sure to check back soon as we outline some of the most common password manager tools being utilized by RIA firms.