5 Top Cyber Security Tips for RIA Owners

Cybersecurity or Information Security—“infosec” for the “buzzier” crowd—has made the news in many areas over the last decade. Some large, highly targeted organizations with sophisticated security teams have fallen victim to a breach. Embarrassingly enough, in most cases, the initial breach was something basic, such as entering credentials into a phishing website or not having Multi-Factor Authentication (MFA) enabled on accounts.

Many RIA owners have likely asked themselves, “How do I prepare information security-wise so this doesn’t happen to me?”  This world can be very technical and overwhelming for most. Let’s break down some basic items that can be implemented at low cost/effort to improve your firm's security posture significantly.

Access Controls

Some of us may have seen the cartoon of security folks sitting around a boardroom table proposing the next big thing to help secure their organization.  Many are throwing out lavish expensive propositions, but one person in the corner rolls their eyes and says basic access controls.  This person is 100% correct!  Most of the best security software in the world is either significantly hampered or completely useless if specific access controls are not in place.  In general, there are a few major things to look for here.

MFA

Multi-factor authentication, or MFA/2FA, is one of the puzzle's most important pieces (and sometimes free).  This has become more of a need than a want in the cloud software and services age.  Years ago, we could use a single username/password somewhat securely since the system was likely contained inside a private network and behind a firewall.  Today with cloud services being available worldwide, this is very dangerous.  A known username and even guessing a password successfully could result in a breach.  Generally, the easiest and cheapest way to stop this is MFA.

There are many different kinds of MFA, such as email, text, and time-based authenticators such as Google authenticator or biometric, etc. While some arguments can be made about which factor is better and which vendor supports which, the driving factor is to turn it on and use it. A less secure factor is better than none at all if that’s all the vendor supports. Most vendors directly support MFA in their apps, especially the popular ones like Google Workspace or Microsoft 365.

Generic Accounts

Shared generic accounts such as accounting@domainname.com have been in place at organizations worldwide since the dawn of login accounts. These have made collaborating easier and decreased costs due to fewer licensing implications. However, in today's age, these should be discontinued for several reasons.

1. Many individuals likely have access to this one account.  If someone leaves or is terminated, that individual may retain access somehow.  Even if the password is changed, they may know how or have access to reset it.
   
   
2. MFA is much more difficult to implement and share with shared generic accounts.  This is especially true for text message second factors.
   
   
3. Last but not least, and not really security-related, these are almost always illegal and break the licensing agreement. Companies have been finding technical ways to block them and not allow them in recent years (think Netflix as an example).

Access where access is needed, but no more.

This is fairly straightforward, but many breaches were caused by over-allocating access to employees or third parties.  Here are a few good questions to think about.

1. Does my auditor need admin access to my accounting software, or can I down the permissions to read-only?
   
   
2. Does the HVAC company need access to my entire network or can it be isolated to the HVAC system only?
   
   
3. I hired a new person to help with specific tasks. The person who previously did them has been assigned other duties. Have I removed access from the previous systems?
   
   
4. Who has access to my WiFi password?  Do I have a WiFi password?

The highlight of all this is only to give access where needed and remove it if no longer needed. The impact would be limited if any of these accounts were ever compromised. The principles listed above can also be applied to files or general data.

Technical Computer Controls

This world is huge in terms of what can be obtained and what can be done. Therefore, we will concentrate on the basics.

Encryption on devices

Ensure the drive is encrypted on any mobile device, such as a laptop. If the laptop is ever lost or stolen, data can be easily pulled from it without encryption. Most operating systems have built-in encryption technology, such as FileVault or Bitlocker. Encryption could be the difference between a data loss situation or not.

Endpoint Detection and Response(EDR)

EDR is basically a fancy new name for Anti-Virus software. It is software that monitors and responds accordingly if a potentially malicious file or program is introduced to the system. Many vendors, such as Crowdstrike, can provide this functionality. Even if only a few computers are in use, this may be worth it as it provides centralized control and reporting for all devices.

Mobile Device Management (MDM)

MDM is basically the new age of computer management.  This software usually allows for updates or enforces specific operating system parameters.  While this can be specifically advantageous to firms with maybe 5 or more computers for automation, many things an MDM can do can also be accomplished manually.  For example, if an operating system update comes out, can I do this manually easily, or do I need a way to automate and enforce this?

Sensitive Data

At times, obtaining a client's social security number or other sensitive personal information may become necessary.  Since this is someone else's private data, it is best to handle it carefully to avoid compromise.  A few tips are:

1. Avoid writing this data down on any type of physical media.  If needed, ensure it is entered and shredded almost immediately after use.
   
   
2. Do not store it digitally in a local document or text file on a computer. Even if the computer's drive is encrypted, there is still a risk if the computer is ever lost or stolen. It is possible that this data could be accessed if the correct password is entered.
   
   
3. Enter the data directly into the system that requires it. Cloud-based systems that might require this data generally have safeguards in place.

Phishing Awareness

Nothing is worse than falling for a phishing scheme and giving away important information or credentials.  In fact, phishing is one of the most successful techniques attackers use to gain access to important information.  This is why it is critical that staff members be up to date and trained on how to spot a phishing attempt to stop the problem before it begins.  Many types of phishing awareness training are inexpensive or free blogs to read up on, such as this one issued by the CISA.  While it might seem trivial to some, it could be the difference between having a data breach or not.

What’s next?

While there is no magic approach to cyber security, considering the above items will likely significantly improve your firm's security posture. Cybersecurity can be vast and overwhelming, and it can be overwhelming to consider what to do next (I could likely write an entire blog on email security by itself), but these, I believe, will be the biggest bang and easiest to implement.