Maintaining cyber security is largely a matter of identifying risks and protecting and educating your end users, information technology consultant Steven Ryder told a group of financial planners Saturday. Ryder, president of True North Networks in Hartford, Ct., spoke at the Financial Planning Association’s annual conference in Seattle.
“Cyber security is not convenient,” Ryder said. “It is time-consuming and frustrating.”
Cyber security is not something you can achieve through a one-time audit, he said; you must revisit and monitor your level of security on a regular basis. He added that human error plays a major role in most violations of cyber security. Quoting Albert Einstein, Ryder said: “Only two things are infinite: the universe, and human stupidity, and I’m not certain about the former.”
Ryder cited a number of incidents of hacking, such as the well-known thefts of massive amounts of credit-card data from retail giants Home Depot and Target, as well as cases in which small-business owners had fallen victim to phishing scams. He told of a business-owner client of his who had been duped into providing her email password to someone posing as one of her business contacts. Immediately after providing the information, she realized her error and called Ryder, who was able to change the client’s password before any damage was done.
Ryder himself once received an email from a friend who he knew was, at the time, hiking through the Himalayas. The email urged him to open an attached document. Ryder admits he was almost fooled until he emailed the friend to verify the message and immediately got a response that again urged him to open the attachment. His friend’s email had been hacked.
(One way to spot a phishing email, Ryder said, is to mouse over the return address in the email. In many cases, the actual email address will appear.)
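The check Ryder describes, looking past the display name at the address actually behind it, can be automated over raw message headers. The following is an added example written for this page, not something Ryder or True North Networks presented; the two messages and the address book are constructed, and every name, address and domain in them is made up.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages (not taken from the article). The first mimics the
# pattern described above: a familiar display name in front of an unfamiliar
# address, with replies routed to yet another domain.
SUSPICIOUS_MESSAGE = """\
From: "Steven Ryder" <s.ryder@mail-relay-example.net>
Reply-To: account-verify@webmail-example.biz
To: planner@example.com
Subject: Please review the attached document

Hi, can you open the attached document and confirm your login details?
"""

LEGITIMATE_MESSAGE = """\
From: "Steven Ryder" <sryder@truenorth.example>
To: planner@example.com
Subject: Meeting notes

Attached are the notes from Saturday.
"""

# Hypothetical address book: display name -> the address you have on file.
KNOWN_CONTACTS = {"Steven Ryder": "sryder@truenorth.example"}


def sender_fields(raw_message):
    """Return (display_name, from_address, reply_to_address); addresses lower-cased."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    return name, from_addr.lower(), reply_to.lower()


def domain_of(address):
    """The part after the last '@', or '' if the string is not an address."""
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def phishing_indicators(raw_message, known_contacts):
    """Return a list of human-readable red flags; an empty list means none were found.

    Two checks: the address behind a known display name differs from the one on
    file, and a Reply-To header that would send the answer to a different domain.
    """
    name, from_addr, reply_to = sender_fields(raw_message)
    flags = []
    expected = known_contacts.get(name)
    if expected and expected.lower() != from_addr:
        flags.append(f"display name '{name}' but address is {from_addr}, expected {expected}")
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        flags.append(f"replies go to {domain_of(reply_to)}, not {domain_of(from_addr)}")
    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, phishing_indicators(raw, KNOWN_CONTACTS) or ["no indicators"])
```

Note the limit of this check: it catches a spoofed display name, but in the Himalayas case above the message came from the friend's real, compromised account, so the address matched and the in-band "verification" reply was answered by the attacker. Confirming by a separate channel, such as a phone call, is what catches that case.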
Acknowledging that there is no magic bullet for online safety, Ryder recommended a series of steps for maintaining a level of digital security. Those steps include:
> Identifying risks
Your risks include both your online vulnerability and your “physical” vulnerability. In other words, ask yourself if your devices can be accessed or stolen by the wrong people. Are any of your devices infected in such a way that they can damage your data? Identifying risks also involves taking inventory of software and devices, and assessing connection points to your client data.
> Developing a cyber security policy
Ryder recommends creating a written policy that includes such components as a business continuity plan and a cyber-security training program for your staff.
He recommends you consider purchasing cyber security insurance, a relatively new — and reasonably priced — product that can help advisors recoup losses suffered as a result of a cyber attack.
> Assess your network and information protection
Restrict access to your networks to only those who must have access.
Have a written policy for data destruction and hardware destruction to ensure they are disposed of securely.
And review the way your firm handles removable media, such as flash drives, which can place sensitive data at risk.
> Back up your data
Make sure you have a policy for backing up your data. If you use a cloud service, make sure that service enables you to back up your own data periodically.
> Use complex passwords
Make sure all passwords are at least eight characters long and use upper- and lower-case letters as well as numbers and special characters. Where possible, use pass phrases, such as “TheSe@hawk$W0nTheSuperBowlin2014” to make them long, but easy to remember.
Password services such as LastPass can be helpful, Ryder said, but you must have a “really complex” password for this type of program, which would contain all of your passwords.
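The policy stated above (at least eight characters, all four character classes) and the reason the passphrase beats a short complex password can both be shown in code. This is an added example for this page, not a tool Ryder presented; the eight-character comparison password "Tr0ub4d!" is made up, and the strength figure is a rough brute-force search-space estimate that assumes random characters.

```python
import math
import string

MIN_LENGTH = 8  # the minimum length given in the talk


def missing_requirements(password):
    """Return the list of stated rules the password fails; [] means it meets the policy."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def search_space_bits(password):
    """Rough brute-force estimate: log2(alphabet_size ** length).

    The alphabet is the sum of the character classes actually present
    (26 + 26 + 10 + 32 = 94 when all four are used). This assumes each character
    is chosen at random; a passphrase built from dictionary words and a year, like
    the one quoted in the article, is easier to guess than this number suggests,
    though its length still puts it far ahead of an eight-character password.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # The passphrase from the talk versus a constructed eight-character password.
    for candidate in ("TheSe@hawk$W0nTheSuperBowlin2014", "Tr0ub4d!", "password"):
        print(candidate, missing_requirements(candidate) or "meets policy",
              f"{search_space_bits(candidate):.0f} bits")
```

Both candidates that pass the policy use the same 94-symbol alphabet, so the only difference in the estimate is length: 8 characters give about 52 bits, 32 characters give about 210. That is the case for passphrases in one line, and also the reason the master password protecting a password manager should be long rather than merely complex.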
You can never be 100% safe, but you can reduce the risk of attack. “The best you can do,” Ryder said, “is protect and educate your end users and be smart about what you click on.”