Advisers are overlooking potentially huge holes in their data security.
From having unsecured servers to using weak passwords, advisers could be putting clients at risk, according to several security experts speaking Wednesday at TD Ameritrade Holding Corp.'s annual conference in San Diego.
“Have you locked down your server?” asked Andrew Gluck, president of Advisors4Advisors Inc., a service provider for registered investment advisers. “It should be in a server room behind lock and key. Employees should not be able to get into the server room.”
“If I can get [physical] access to your server, I can get into it in the time it takes to boot up,” said Brian Edelman, chief executive of Financial Computer Services Inc.
Advisers also should have a written data security policy and get employees to sign it, Mr. Gluck said. Remote access to client data by employees through their own laptops or tablets can be a problem when they leave, he added.
“Buy them their phones so it's a company phone,” he added. “When they terminate employment, you can take it and do what you want with it.”
Advisers should be sure that their phones have applications that will remotely wipe the devices clean if they are ever lost or stolen, Mr. Gluck and Mr. Edelman said.
They also reminded advisers not to send sensitive client information via e-mail and to beef up the strength of passwords. They recommended password managers from LastPass or RoboForm that produce and remember hard-to-crack passwords.
Strong passwords don't do any good if computers are infested with malware that tracks keystrokes, Mr. Edelman added, so advisers and their employees should avoid accessing or downloading suspect sites and software.
“Hackers really do look for the easiest targets,” Mr. Edelman said.