Making your systems more hacker-resistant

APR 25, 2010
The SEC's Regulation S-P puts many advisers in a bind. On one hand, the rule gives advisers a threefold responsibility: insuring the security and confidentiality of customer records, protecting against any anticipated threats or hazards to that information, and preventing, if at all possible, unauthorized access to and use of those records. At the same time, the Securities and Exchange Commission provides little or no practical direction as to how advisers should carry out their responsibilities. So what are average advisers supposed to do to protect their firms, themselves and their client data? Here are some practical tips.

As simple and rudimentary as it might seem, the humble password is a good and often overlooked place to start. Avoid using passwords that are easy to figure out. Believe it or not, among the most common passwords, as noted by several security experts and security websites, are “password,” “123456,” “abc123” or simply a person's name.

The strongest passwords are typically considered to be at least eight characters long, have a mix of upper- and lowercase letters, numbers and even punctuation marks just to add to the complexity. Many people have a tendency to choose passwords that are short, say, seven characters or fewer. They use single words found in dictionaries or simple, easily predicted variations on words. Advisers should avoid such passwords because hackers will use what is known as a “dictionary attack,” a fairly common approach employing computer programs that simply cycle through lists of such words to find a password.

A good security route to use is a “passphrase” instead of a single word. “Passphrases are also easy to remember,” said Peter Herzog, senior software and systems specialist with the financial services technology consulting firm ActiFi Inc. Mr. Herzog cited as examples of strong passphrases “Let'sHireAct1F1” or “ExceedExpectati0ns.”

For advisers who find this all a bit too confusing, especially when it comes to remembering multiple passwords or phrases, there are password management programs that automatically generate passwords. Using such software means you have to remember only a single master password. Two well-regarded auto-password programs are Roboform, a commercial product, and Password Safe, which is open-source (free).
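The password criteria above can be checked mechanically. The following Python audit is an added example, not part of the original article; it flags the short, common, name-based and word-based passwords that a dictionary attack is built to find. The word lists, the owner name and the reading of “a mix” as upper case, lower case and numbers are assumptions made for illustration.

```python
import string

# Constructed sample lists (assumptions); a real audit would load a large
# breached-password list and a full dictionary file.
COMMON = {"password", "123456", "abc123"}          # the article's examples
DICTIONARY = {"summer", "welcome", "dragon", "client", "advisor"}

# Reverse the character swaps that word-list attack tools try routinely.
SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

def base_word(password):
    """Reduce a password to the word it was built from: lowercase it, drop
    leading/trailing digits and punctuation, then reverse common swaps."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(SWAPS)

def audit_password(password, owner_name=""):
    """Return the reasons a password is weak; an empty list means none found."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    has_mix = (any(c.islower() for c in password)
               and any(c.isupper() for c in password)
               and any(c.isdigit() for c in password))
    if not has_mix:
        problems.append("lacks a mix of upper case, lower case and numbers")
    base = base_word(password)
    if password.lower() in COMMON or base in COMMON:
        problems.append("common password or a simple variation of one")
    elif base in DICTIONARY:
        problems.append("dictionary word or a simple variation of one")
    elif owner_name and base == owner_name.lower():
        problems.append("built from the owner's name")
    return problems

if __name__ == "__main__":
    for candidate in ("abc123", "Passw0rd1", "Summer2010", "ExceedExpectati0ns"):
        print(candidate, "->", audit_password(candidate) or "no findings")
```

“Passw0rd1” and “Summer2010” meet the length and character-mix rules yet are still flagged, because removing the appended digits and reversing the swaps leaves a word that is already on an attacker's list.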

KEEP SECURITY UPDATED

Some security suites, including Norton Internet Security 2010, build in auto-passwords. Independent advisers running their own shops should settle for nothing less than a top-of-the-line security suite. And the key is to keep it updated. Advisers should select a top suite over individual security products because a suite's anti-virus features are designed to work seamlessly with its other core components, such as its firewall.

Neil Rubenking, PC Magazine's lead analyst for operating systems and security, constantly tests these products. He recently selected the Norton Internet Security 2010 as the best suite on the market, representing a good balance for users. In his tests, the suite caught plenty of malicious content, viruses, spyware and spam, yet affected computer performance only slightly. “That's because it does its work when your computer is idle,” not while you are processing a lot of client data, he explained.

Charles Meyer, proprietor of Meyer Advisory Services, who takes the security of client data quite seriously, has two personal computers in his office to store client data and keeps both isolated from the Internet. “Rootkits and keyloggers [among other threats] are good reasons not to keep client information on a computer connected to the Internet,” Mr. Meyer wrote in an e-mail, referring to two common ways hackers breach a computer.

A rootkit consists of spyware and other programs that a hacker uses to monitor a person's online use and keystrokes. It creates a “backdoor” into the system and allows the attacker to mask the intrusion and gain root or privileged access to the computer. Keylogging programs gain unauthorized entry to your computer, enabling hackers to record all your keystrokes, including passwords — all while you are unaware that your actions are being monitored.

While unplugging from the Internet works for Mr. Meyer, this may not be the most practical way for advisers to lock down their systems. For that, security software solutions may be a better bet.

E-mail Davis D. Janowski at [email protected].
