By Mark Rylance, CFP®, CFT™
In our last newsletter, Patrick Stark wrote about the importance of protecting your credit. But an even bigger risk could be your vulnerability to online fraud and hacking. Stories about hacking and fraud are all around us. If it has not happened to you, chances are it has happened to someone you know. The scary part is that, going forward, attacks will likely accelerate and become much more difficult to defend against.
More and more clients are asking us what they can do to protect themselves and their data. Although we are not experts in the field of cyber-security, we do have some experience as a result of the proactive steps we have taken over the last few years to secure our data and our clients’ data. We have learned that you cannot be perfect in your defense, but with some diligence, you can remove the low-hanging fruit, which will hopefully lead the ‘bad guys’ to look elsewhere for an easier target.
The first step we took as a firm was to have an outside agency perform a full security audit of our safeguarding practices and systems. We found the audits so valuable that we have chosen to continue them on a quarterly basis at RS Crum. Here are some of the top security items discussed at our quarterly security review meetings:
Phishing Scams – Far and away the biggest threat to a small business is clicking on an unsolicited email and unlocking invisible malware that can go undetected for months, if not years. The scam can create untold damage to your computer and data. A rule of thumb is to avoid clicking on anything that seems out of the ordinary. If there is a file extension that seems odd (e.g. .EXE, .BAT, .SCR, .PIF, etc.), even if it is from someone you know, don’t click on it. Rather, if you receive one of these extensions by email, call or text the sender to see if it is OK to open. I have called my bank several times to confirm an email, only to learn that it was not sent from them. Banks and other financial institutions have told me that they will never send an email without some identifying information (account number, name, etc.).
Public Wi-Fi – Have you ever used Wi-Fi at a hotel or coffee shop, the one that says “Guest Wi-Fi”? Never trust public Wi-Fi (especially if there is no password required) because these can be created by anyone. With very little technology knowledge, I could go on my phone, create my own Wi-Fi, and call it “Marriott Lobby Guest Wi-Fi.” As soon as someone logs on, I can view all of their web traffic… pretty scary. Instead, use your mobile phone’s personal Hot-Spot and create a strong password. If you don’t know how to set this up, go to your local mobile store. They would be glad to help you.
Email Intrusion – One of the more common and dangerous intrusions happens when someone gets into your email and pretends to be you. If someone is in your email account, they can find patterns in how you communicate, see who you communicate with, and wreak havoc before anyone knows it is not you. This is a huge issue with financial institutions because ‘bad guys’ can use your email to reach out to advisors requesting outgoing wires. This is one of the reasons we verbally verify every wire that goes through our office. This is also one of the biggest risks if you lose your mobile phone because email is so easy to access.
Mobile Wipe – Last summer I lost my phone while at Magic Mountain with my kids (or it was stolen out of my pocket). As soon as I realized it was gone, I was on my daughter’s phone changing my passwords. Then, with the push of a button, I was able to wipe all of the content off of my phone. Of course, you need to make sure that all of your phone’s data and pictures are being regularly backed up, or you could have a mini-catastrophe from lost data.
Password Rotation – Changing your passwords is like flossing your teeth: everyone knows they should do it, but the vast majority don’t because it can be a hassle. Not only should you have a password on all your electronic devices, but you should also consistently rotate your passwords so that you can stay one step ahead of hackers. At RS Crum, our computers are set up in a way that requires us to change our passwords on a regular basis. Once I change my computer password, it also prompts me to change my online passwords as well. However, some experts say that if you have a really strong password, you don’t need to change it as frequently.
Two-Factor Authentication – This is equivalent to wearing a belt and suspenders when it comes to security. An example of how two-factor authentication works: if you request a change of password or other personal information, companies will send you a text message with an additional number that you must enter along with your user ID and password. By taking this extra step, hackers must have your mobile phone, as well as your login and password information. You can set up two-factor authentication with your accounts at Google, Apple, Microsoft, etc.
Encryption – You may not need to go to this effort for all your devices, but at RS Crum we have taken the precaution of encrypting all of our hard drives. If anyone steals our computers, they will need to enter a long and complicated password to unlock the computer, followed by another password to enter the system. This can inhibit even the most sophisticated hackers from accessing the information on our computers.
These are just a few of the prevention steps you can take. If you are interested in learning more about our protocols, feel free to call our office and we would be happy to share more information.
Consumer Reports has also written a great article with more detail: