By Ash Bhatnagar, CFP®
Data security is little understood by most, yet SEC Regulation S-P and now other regulations require that advisers have complete control over their security. Just recently I saw on the news there are gangs of super genius hackers in Russia and China constantly looking to steal and sell information. So is it hopeless, or are there things an adviser and a firm can do to improve internal security? There are many simple steps advisers can take to secure data without becoming overwhelmed.
To battle security issues, think of security from a process perspective and not a hacking perspective. The goal of the correct policies and procedures is to make the hacker's life more difficult. Consider these examples from earlier this year:
- Internal Revenue Service: The U.S Treasury Inspector General for Tax Administration found, in a fiscal year 2008 audit, that in more than a dozen IRS document disposal facilities old taxpayer documents were being tossed out in regular waste containers and dumpsters. The investigation also found that IRS officials failed to consistently verify whether contract employees who have access to taxpayer documents had passed background checks.
- Texas Lottery Commission: A former Texas lottery worker was arrested while training for a new job and charged with illegally possessing personal information on 140 lottery winners and employees, including names and Social Security numbers.
- You can find more sobering stories at www.privacyrights.org.
Your personal computer is the first place of infiltration. Your PC should have some form of password login process. An alternative to a password is a fingerprint reader. They are fairly inexpensive, and you do not have to worry about people sharing passwords. Once logged in, you should have a screen saver time-out password. I often find people walk away from their desks without any security.
Every PC should also have antivirus software with an automated update. I would even suggest you get two different antivirus software products. They are fairly inexpensive and having two will not hurt. Most people use Microsoft Explorer for a Web browser, but look at freeware such as Firefox. You can also download utilities from www.mozilla.org, where there are many free security software options that work with Firefox. These utilities may also work with Explorer:
- A hacker could copy your keystrokes as you are typing to determine your ID and password via software they downloaded into your PC. KeyScambler will scramble the key strokes making it virtually impossible for hackers to read the information. Some sites may not like this product, so you may need to disable it temporarily.
- BetterPrivacy protects against Flash-based cookies.
- Adblock Plus stops most Internet ads.
- Redirect Remover removes redirects.
- Web of Trust (WOT) warns you about Web sites that try to deliver malware or spam.
In all, there are more than 460 security downloads through www.mozilla.org. You can also go to www.download.com to find software.
Data encryption is something that is often asked about. I think data encryption is necessary, but I suggest you do not encrypt the whole drive. I have had situations where the encryption software crashed and it was a bear to recover the whole drive, so try separating data from your software.
For example, Microsoft Word does not need to be encrypted, but a note you typed should be. Talk to your tech personnel to accomplish this. For data encryption, TrueCrypt is very popular and free. There is also Folder Lock that you can try for free. For more options, once again try www.download.com.
When you are backing up your data, make sure it is encrypted. Many advisers use third-party backup providers, but what happens when the data gets there? Do your vendor's employees have access to the data, and what are the vendor's security procedures? Remember, most data is compromised due to process issues, not actual hackers.
The next level of security is the network. Exposing your system to the outside world is the most dangerous thing you can do, but you cannot function without it. Almost everything is performed via the Internet today. But first, think about if you need a server at all. For instance, we are working on a product that encompasses e-mail, office applications and encryption integrated with disaster recovery and Regulation S-P all via the Internet. If you would like to be in the beta, send me an e-mail.
If you have a server, leave the technical management of servers to the experts. However, there are some things about your server you should know:
1. Don't run unnecessary servers. If you don't need the FTP (File Transfer Protocol) server that's bundled with your Web server, don't give hackers another target. Disable it, or don't install it at all.
2. Subscribe to your server vendor's security alert list.
3. Practice good password habits. Avoid simple, easy-to-guess passwords, particularly for privileged administrator accounts. Key employees should have administrator access and should know the administrator password.
5. Use permission mechanisms to limit access to the Internet, downloads, etc.
6. Monitor your logs. Your Web server keeps track of every request; review your logs regularly for signs of out-of-the-ordinary behavior.
7. Segregate public and private data. Don't store sensitive data on the same machines as the public server if you don't have to. Instead, consider two different data hubs, one for the Internet and one for internal data.
Here are some resources that can help you build a security program and keep you alerted about threats:
- National Vulnerability Database hosted by the National Institute of Standards and Technology (NIST); http://nvd.nist.gov
- SANS Institute top 20 vulnerabilities; www.sans.org/top20
- Best practices guide for setting up a Windows server from the National Security Agency (NSA); www.nsa.gov
- Access additional resources at www.staysafeonline.org, www.us-cert.gov and www.cert.org
The Massachusetts Rule
Massachusetts recently implemented a rule related to security and identity theft. The regulation applies to all persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. (If you don't conduct business in Massachusetts, keep reading. Other states are considering similar regulations.) This regulation establishes minimum standards for safeguarding information in paper and electronic format. The effective date for compliance with the Massachusetts rule is on or before Jan. 1, 2010.
Persons is defined as any natural person, corporation, association or other legal entity, etc., and its employees and/or associates. Personal information is defined as first and/or last name in combination with any of the following information: Social Security number; driver's license number or any state-issued identification; and financial account number or credit/debit card numbers.
The Massachusetts rule also includes standards for the protection of information. Some of the highlights include:
- Persons shall develop, implement, maintain and monitor a comprehensive security program.
- The need for a security program is dependent of multiple factors.
- Every program must include: One or more persons to maintain the program; a method to identify and assess risks; security polices for employees; and reasonable steps to verify that third-party service providers with access to information have the capacity to protect personal information.
There are also specific security rules for computer systems, including secure user authentication protocols and encryption of all transmitted records and files as well as information stored on laptops or portable devices.
Some think that because the regulation includes all companies, they are not responsible for the due diligence of vendors. According to Regulation S-P, financial firms are responsible for maintaining a due diligence process on the companies and vendors they use. The Massachusetts rule makes this a little easier.
FTC's Red Flags Rule
The Federal Trade Commission's Red Flags Rule also applies to advisers and financial firms. It is more detailed than the Massachusetts rule, but is essentially the same principle. It requires companies to implement a written identity theft prevention program, and in its simplest form, it has four elements. A company must have reasonable policies and procedures to:
- Identify relevant red flags for covered accounts and incorporate those red flags into the identity theft prevention program.
- Detect red flags that have been incorporated into the program.
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft.
- Ensure the program is updated periodically to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.
The effective date for this rule was Aug. 1, 2009. The details are far too long for this article, but for more information go to www.ftc.gov/redflagsrule.
PDAs, like BlackBerries, are another tech item commonly used by advisers. Although they make life easier, they are easily lost, so place a password on your PDA as soon as you finish reading this. Some PDAs offer a service where the PDA can be erased remotely. This option is well worth the cost.
Security is an area that is firm dependent and can be managed with reasonable controls. Controls are necessary not only due to regulations, but also because the worst conversation you can have with a client is informing him or her that their private data may have been compromised.
In my opinion, these regulations are not overburdening, but it can seem overwhelming. Trying to be compliant today will alleviate many headaches tomorrow.
Ash Bhatnagar, CFP®, is president of RIA Independence Company (RIAICO), which specializes in providing integrated solutions, processes and controls for compliance, security, technology, operations and marketing. Contact him at firstname.lastname@example.org.