Category: Security


At a time when security threats are constantly evolving and your business is responsible for keeping confidential information secure, your clients’ computer systems may seem an unlikely place to poke your nose, but unfortunately, an increasing number of security threats are originating from the clients of investment advisors.

One recurring example that we have witnessed over the past year is the hacking of email accounts. In this scenario, your client’s email account with Google gets hacked because their password is “patriots1” or perhaps their PC has been infected with a keylogger virus. In any event, a hacker somehow discovers your client’s password and now has access to their historic email records.

In the past, hackers might have been satisfied to use that account to spam everyone on earth, but today’s hackers are more sophisticated. Apparently, they’ll actually take the time to read through your client’s emails in search of financially sensitive information. Based on the content of previous communications with your firm, they can compose an email that looks similar to one the client might have sent in the past, asking your staff about total holdings or even requesting a check.

Here are some tips your clients should follow to keep their email and other accounts secure:

  1. Don’t enter your passwords in kiosks and other systems available to the public.
  2. When you get the option to store the password for various accounts and websites on your PC, don’t do it.
  3. Never send your passwords in an email.
  4. Use encrypted email connections.
  5. Institute complex passwords.  I know it’s a pain, but so is having your identity stolen.
  6. Don’t use the same passwords for multiple accounts.  Yes, this is a pain too, but there are some programs like eWallet that can help.
  7. Run up-to-date versions of security software that include protection for spyware, malware and viruses.  Don’t ignore messages from your Antivirus program.
  8. Stay up-to-date on operating system and application security patches.
  9. Be cautious of which sites you browse. A program like OpenDNS can help you keep your computers clean by limiting access to potentially harmful websites. The home version of OpenDNS is free. You can find it at www.opendns.org. Antivirus programs like AVG and Symantec can filter websites too, but do it with less specific controls.

Here is what your clients should do if they do get hacked:

  1. Contact a computer professional or the email provider to help determine how you got hacked.
  2. Alert your investment advisor and other vendor relationships that hackers could try to take advantage of.
  3. Resolve any issues that may have led to the hack, such as: simple passwords, malware, spyware, and viruses.
  4. Once the threats have been removed, change your passwords and any password hints, from a computer system, smart phone or the original system, on the following: the hacked site, any other sites where you used the same username and password, and any sites whose information you stored in the hacked account.
  5. If you determine that you have been a victim of spyware or malware, you will need to change all your passwords for your online accounts and follow the procedures for recovering from identity theft.
  6. If you cannot follow any of these steps because your account credentials have been changed, you will need to contact the company providing that account in order to regain control of your account.
  7. Implement better security provisions going forward.

There is only so much you can do to protect your clients.  Ensuring that email communications are secure should be at the top of the list. Your firm can implement a product like Zixmail to encrypt selected emails, but at the point where your client’s computer system has been compromised, this may only provide an additional deterrent, and should not be seen as the solution to the problem.

The best course of action is a combination of staying vigilant, educating your clients, implementing best-practice email security, and instituting additional internal controls aimed at how your firm handles client communications, such as balance and check requests.

About the Author: Kevin Shea is President of InfoSystems Integrated, Inc. (ISI); ISI provides a wide variety of outsourced IT solutions to investment advisors nationwide.

For details, please visit isitc.com, contact Kevin Shea via phone at 617-720-3400 x202 or e-mail at kshea@isitc.com.

Unless you live in a cave, you have probably heard reporters’ lead-ins to the story: “Enjoy the Internet while you have it.” These reports refer to Monday, July 9th, 2012 as Internet Doomsday.

Here is what you should know about the threat:

  1. It isn’t new.  This malware has been around for a while.
  2. If your PC is serviced regularly, and your antivirus program is active, it is unlikely to be a problem.
  3. There is no impending attack.  Potential outages will actually be caused by the FBI taking temporary DNS servers offline.  If your PC is infected with this malware, then you will lose Internet access until the malware is removed and the proper DNS settings are restored.
  4. According to current reports, 360,000 PCs worldwide and 64,000 PCs in the United States (US) are still infected.  Per census data (July 2011) there are over 311 million people living in the US.  So there are a relatively small number of infected PCs here.

Nonetheless, you can go ahead and check whether your system has been compromised using the following link: http://www.dns-ok.us/

Since servers in the corporate environment typically provide DNS information to the connected workstations in an office, your office DNS servers should also be checked. For more details on this issue, refer to the FBI article.
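One way to check the DNS settings of a workstation or an office DNS server offline, as an added example that is not part of the original post: it extracts the configured resolvers from `ipconfig /all` or `resolv.conf` text and flags any that fall inside a list of rogue ranges. The ranges below are placeholders (documentation address blocks) to be replaced with the ranges published in the FBI article, the sample inputs are constructed, and only IPv4 resolvers are handled.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation blocks), NOT the real rogue
# DNS ranges: substitute the ranges published in the FBI article.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/24")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample inputs, for illustration only.
SAMPLE_RESOLV = "# constructed sample\nnameserver 10.0.0.2\nnameserver 203.0.113.9\n"
SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def resolvers_from_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text."""
    fields = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [f[1] for f in fields if len(f) >= 2 and f[0] == "nameserver"]

def resolvers_from_ipconfig(text):
    """Return IPv4 DNS servers from `ipconfig /all`-style text.
    Unlabelled continuation lines list additional servers."""
    out, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
            out += IPV4.findall(line)
        elif in_dns and line.strip() and ":" not in line:
            out += IPV4.findall(line)
        else:
            in_dns = False  # a new labelled field or blank line ends the list
    return out

def audit(resolvers):
    """Map each resolver to 'rogue', 'ok' or 'invalid'."""
    report = {}
    for r in resolvers:
        try:
            ip = ipaddress.ip_address(r)
            report[r] = "rogue" if any(ip in n for n in ROGUE_RANGES) else "ok"
        except ValueError:
            report[r] = "invalid"
    return report

if __name__ == "__main__":
    print(audit(resolvers_from_resolv_conf(SAMPLE_RESOLV)))
    print(audit(resolvers_from_ipconfig(SAMPLE_IPCONFIG)))
```

A resolver reported as `rogue` means the DNS settings have been altered and need to be restored after the malware is removed; the DHCP server address in the sample is deliberately not treated as a resolver.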
