How secure is your remote work environment? This question has always been important, but since the COVID-19 pandemic, constructing a proper home office with up-to-date security standards is more critical than ever. Even when shelter-in-place restrictions are lifted, many of us will err on the side of caution and continue to work remotely.
During these times—and whenever you’re working remotely—it’s critical to be aware of cybersecurity risks for advisors. Below, I discuss some best practices for implementing a security checkup for your home work environment, particularly for those who work solo or as part of small firms. Working remotely heightens the risks of network vulnerabilities or attacks simply because the vast majority of home networks are less robust than business networks. Specifically, you may be using weaker hardware and passwords at home than you do in the office.
What Makes Up Your Home Network?
First things first: Let’s take a look at your home hardware. If you’re like most users, your home either has a separate modem and router or a modem/router combined into a single device. Whether you have one device or two, the default passwords are usually standard and may be known to thieves and hackers. That’s an advantage they love. You should change these default passwords immediately. You can usually find the default password printed on your device or in the device manual.
What constitutes a robust password protocol? We recommend that your password should:
Be at least eight characters long
Include an uppercase letter, a lowercase letter, and at least one number and one special character
Be changed every 90 days
To streamline this process, try basing your password on a phrase that’s easy to remember. For example, “Hey, that is a cute dog!” could translate to “H,ti@CUTEd0g!” As another option, we recommend considering a password manager; good choices include LastPass or Dashlane.
As for your router’s wireless network security, you should be using either a WPA2 or WPA3 security protocol. Some newer devices support WPA3 security, which is superior to WPA2, but WPA2 is still safe to use.
Finally, any modem or router in your home should have a built-in administrator account that allows you to implement the latest updates from the manufacturer. These include critical security patches and fixes for bugs. These updates aren’t pushed out often, but you definitely want to have them when they are available. Check the device manufacturer’s website for specific instructions on getting the latest updates.
Securing Your Virtual Private Network (VPN)
Proper cybersecurity for advisors working from home starts with your VPN. If you need to access your firm’s in-office resources remotely, a VPN allows you to do so by creating a private tunnel from your device to the network located at your office. VPNs can be accessed through a web application or a desktop application and require a specific web address to work. Typically, advisory practices rely on IT staff to set up and support a VPN.
To connect to a VPN, using multifactor authentication is strongly recommended. Multifactor authentication, also known as two-factor authentication (2FA), adds an additional layer of security to your login process. Typically, a 2FA system sends the user a one-time code via text message or email, but automated calls may be used as well. To access the VPN, you must input this code in addition to your login password. This step helps prevent a security breach if your account password is stolen. To ensure compatibility, the 2FA system should be implemented by the same IT staff that set up your VPN.
Instead of a VPN, some advisors may share files through a third-party service, such as Box or Microsoft Office OneDrive (or many other similar services). In those instances, accessing a VPN is not necessary because the files don’t live on your office server.
Updating Your Operating System
As with your network router, checking for new updates and patches to your operating system is part of a thorough security checkup for your home work environment. If you don’t have the latest antivirus and antimalware updates installed, install them promptly. The links below will guide you through instructions for making system updates:
For Windows users, click here.
For Mac users, click here.
For Android users, click here.
For iOS users, click here.
If you keep any business files on a personal device, check your firm’s policy about file storage and backups. As you know, it’s every advisor’s responsibility to protect information that identifies customers. If you’re sharing your home workspace with family or friends, be sure to lock your screen when you’re away from your computer.
Strengthening Mobile Security
Despite their convenience, mobile devices pose unique security risks. As with your other systems, update your firmware and applications regularly. Although it’s tempting to postpone an update for just one day, it’s crucial not to delay this process. When prompted to install an update, do so immediately. Your lock-screen password for your mobile device is also critical. Follow these best practices to keep your device secure:
Don’t pick consecutive numbers (e.g., 123456) or repeating numbers (e.g., 111222).
Opt for a longer passcode, preferably at least six numbers.
Pick a short auto-lock time.
Set a maximum number of failed attempts before your device locks or wipes its information.
Running Regular Backups
If your desktop computer or laptop is hacked, compromised, stolen, or physically destroyed, you want to be able to restore your data. It’s critical that you back up important business files. To do so effectively, use a two-tiered solution that encompasses both on-site and off-site backup. An on-site backup simply means storing your data in more than one location at your home. If you have a secondary computer with enough storage space, consider transferring a copy of your files to it. Another great option is using an encrypted external drive (such as a Buffalo pre-encrypted drive) to store a copy of your files. For off-site backup services, you might explore a third-party service such as CrashPlan or Carbonite. Other options include the third-party file-sharing services mentioned above (such as Box or Microsoft Office OneDrive). Whatever service you choose, what matters the most is keeping your data in more than one location.
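A second copy only helps if it can actually be restored. The following Python script is an added example, not part of the original article or any product named in it: it compares a source folder with its on-site copy by SHA-256 and reports files that are missing or differ. The folder names, file names and sample contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(source, backup):
    """Compare a backup copy against the source folder, file by file."""
    src, dst = snapshot(source), snapshot(backup)
    return {
        "missing": sorted(src.keys() - dst.keys()),
        "mismatched": sorted(n for n in src.keys() & dst.keys() if src[n] != dst[n]),
        "extra": sorted(dst.keys() - src.keys()),
    }


def backup_is_complete(report):
    """True when every source file exists in the backup with identical content."""
    return not report["missing"] and not report["mismatched"]


if __name__ == "__main__":
    # Constructed sample data: a source folder and a deliberately damaged copy.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "business_files"), Path(tmp, "external_drive")
        src.mkdir(); dst.mkdir()
        (src / "clients.csv").write_text("id,name\n1,Sample Client\n")
        (src / "notes.txt").write_text("quarterly review notes\n")
        (dst / "clients.csv").write_text("id,name\n1,Sample Cli")  # truncated copy
        report = verify_backup(src, dst)
        print(report, "complete:", backup_is_complete(report))
```

A "mismatched" entry means the two copies differ; that can be a damaged backup or simply a file edited since the last backup ran, so check the date before overwriting either copy.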
Planning to Handle a Security Breach
Do you have an incident response plan for your firm? At a minimum, your plan should specify whom to contact in the event of a cybersecurity incident, such as a data breach, successful email attack, ransomware, or a lost or stolen mobile device. Beyond physical theft, keep in mind that many fraudsters will target remote workers through social engineering scams, such as making bogus calls to reset passwords or falsely reporting lost phones or equipment. For many people, working remotely is uncharted territory. Expect fraudsters and thieves to understand this fact and abuse it. In times like these, the difference between a firm that survives and one that falters is having a decisive plan of action ready to roll, should an unfortunate security incident ever occur at your practice.
Want More Information?
For more information on cybersecurity for advisors, FINRA’s website provides up-to-date guidance. You’ll find additional wisdom on this blog, too. In a previous post, we discuss best practices for taking a risk-based approach to information security. And, tomorrow, we’ll look closely at how to protect yourself and your firm from common phishing and other social engineering scams. Education is paramount to staying safe!
This material is for educational purposes only and is not intended to provide specific advice.