Table stakes security

Hackers have become more sophisticated and more effective, as evidenced by last year's hacking of several U.S. government agencies. Unfortunately, financial advisory firms are a prime target because they hold exactly the sort of personal and financial information that cybercriminals want. Complicating an already tricky situation, advisors and clients working remotely since the pandemic are now sharing more sensitive information across home networks and devices. And that creates more potential vulnerabilities.

Staying ahead of threats means staying vigilant, which is why Schwab invited cybersecurity expert John Sileo to IMPACT 2020 to offer advice for protecting your firm and clients from cyberattacks. Here are some of his essential tips.

Secure data wherever it is and wherever it goes

Remote working makes it especially important to keep tight control over sensitive data. Using a virtual private network, or VPN, to pass any information between your home and office systems keeps that data encrypted the entire time. It's also important to keep data protected even when it's not moving. To do that, it's a good idea to use a dedicated device or at least a separate account for all work-related activity, so you can keep that information isolated from personal devices or accounts.

Your home network can also have security weaknesses. Make sure every device connected to your network is up to date with the latest security patches. Using Wi-Fi encryption (such as WPA2 or the latest upgrade, WPA3, for devices that support it) and properly configured firewalls are also important elements of home network security.

Don't let convenience become a security risk

Securing your accounts with unique, strong passwords may require a bit more organization on your part. But it prevents criminals from gaining the keys to multiple systems if they happen to crack one password that you use for multiple accounts. Likewise, turning on multifactor authentication for all your log-ins provides a layer of protection that's well worth the added step. Also be sure to turn on account alerts that warn you about unusual activity or potentially fake log-ins.

Build and reinforce your human firewall

Making coworkers and clients aware of common cybercrime techniques could be the best preventive measure in your arsenal. The most effective—and dangerous—hacks often involve someone inside a firm unwittingly letting a criminal into the system to gather the information they need. Generally, one realistic-looking email is all it takes. 

Thwarting those attempts can be as simple as cultivating a culture of security among employees and clients. Emphasize the importance of thinking at least twice or confirming requests before sharing sensitive information or clicking on email attachments or links. You can also offer cybersecurity training and run random tests to keep your employees on their toes. Most people think they can spot a phishing attempt a mile away but may be surprised to find out how easily they can be fooled. And it's better to fool them in a test than to have them fall for a real fraudulent request. 

Don't assume third-party vendors are secure

When it comes to technology vendors, it's critical to verify before you trust. For any third-party software or services, make sure you understand the security protocols they use to protect data on your systems, on their systems, and in transit between the two. Your contracts should also spell out their obligations in the event of a cyberattack. So if a data breach does occur, both parties understand their responsibilities and next steps. 

Maintain a strong, safe backup system

In a worst-case scenario, having a safe second copy of your critical data can be a lifesaver. For example, if you become a victim of ransomware—when hackers block access to your data until you pay them—the ability to rebuild your systems from a secure backup can save a lot of time, inconvenience, and money. 

The best backup systems take regular "snapshots" of your information and then store them somewhere offline and off-site. It's also critical to test your backup recovery system regularly. It's better to discover and fix potential issues with restoring data before they become critical for business continuity.

Promote constant vigilance

Everything you do to keep your systems secure can have long-term benefits beyond protecting your firm and your clients from a data breach. Sharing cybersecurity best practices with your clients and keeping them notified about new scams demonstrates that you're serious about protecting their sensitive information, which can help strengthen relationships. 

What's more, encouraging clients to use strong passwords, multifactor authentication, and other safety measures can improve their own cybersecurity habits at home and wherever they do business online. And this helps build up our collective defenses against an increasingly sophisticated group of hackers. 

What you can do next

• Enroll in our Virtual Practice Management Strengthen Your Cybersecurity Program to uncover potential gaps and develop a detailed action plan to strengthen and maintain your firm's cybersecurity program.
• Visit our Cybersecurity Resource Center where you can browse our library of action-oriented resources.
• Consider a custodian that invests in your success. If you're thinking about becoming an independent advisor, contact us to learn more about the benefits of a Schwab custodial relationship.