Overlooking security holes puts clients at risk

Financial advisers are overlooking potentially huge holes in their data security. From having unsecured servers to using weak passwords, advisers could be putting clients at risk, according to several security experts who spoke last Wednesday at TD Ameritrade Holding Corp.'s annual conference in San Diego. “Have you locked down your server?” asked Andrew Gluck, president of Advisors4Advisors Inc., a service provider for registered investment advisers. “It should be in a server room behind lock and key. Employees should not be able to get into the server room,” Mr. Gluck said. “If I can get [physical] access to your server, I can get into it in the time it takes to boot up,” said Brian Edelman, chief executive of Financial Computer Services Inc.

WRITTEN POLICY

Advisers also should have a written data security policy and get employees to sign it, Mr. Gluck said. Remote access to client data by employees through their own laptops or tablets can be a problem when they leave, he said. “Buy them their phones so it's a company phone,” Mr. Gluck said. “When they terminate employment, you can take it and do what you want with it.” Advisers should be sure their phones have applications that will remotely wipe the devices clean if they are ever lost or stolen, Mr. Edelman and Mr. Gluck said. They also reminded advisers not to send sensitive client information via e-mail and to beef up the strength of passwords. They recommended password managers from LastPass or RoboForm that produce and remember hard-to-crack passwords.

SUSPECT SITES

Strong passwords don't do any good if computers are infested with malware that tracks keystrokes, so advisers and their employees should avoid accessing or downloading suspect sites and software, Mr. Edelman said. “Hackers really do look for the easiest targets,” he said. [email protected] Twitter: @dvjamieson