As part of an effective cybersecurity policy, advisers need to pay more attention to password authentication, fingerprint scanners and other technologies to protect their data.
The Securities and Exchange Commission is looking under the hoods of advisers and broker-dealers' cybersecurity protocols. Specifically, the regulator wants to ensure that firms are properly implementing cybersecurity policies, monitoring data and training employees to keep client data safe.
Access to data, which includes remote access, customer logins and passwords,
is also a focus of SEC scrutiny.
Yet, passwords still remain an issue among users across the Internet, as evidenced by a 2015 study of passwords by SplashData. The study found login credentials like "123456" and "password" remained first and second on the list of the worst passwords, a spot that they have held since 2011.
"The challenge has been the idea of complex passwords," said Brian Edelman, chief executive of Financial Computer Services Inc., a cybersecurity consulting firm. "But that doesn't solve the problem. It actually creates a new one."
If advisers really want to have a secure cyber practice, they will need to implement multiple methods, he said. It can be
convenient, as well as efficient, he added.
Mr. Edelman tells his clients to have multi-factor authentication on top of their
password managers, which store log in credentials. Multi-factor authentication methods include receiving a passcode texted or called in to the users, who then enters it into their systems.
Worst password of 2015
RANK |
2015 |
2014 |
CHANGE FROM 2014 |
1 |
123456 |
123456 |
unchanged |
2 |
password |
password |
unchanged |
3 |
12345678 |
12345 |
1 ↗ |
4 |
qwerty |
12345678 |
1 ↗ |
5 |
12345 |
qwerty |
2 ↘ |
6 |
123456789 |
123456789 |
unchanged |
7 |
football |
1234 |
3 ↗ |
8 |
1234 |
baseball |
1 ↘ |
9 |
1234567 |
dragon |
2 ↗ |
10 |
baseball |
football |
2 ↘ |
11 |
welcome |
1234567 |
new |
12 |
1234567890 |
monkey |
new |
13 |
abc123 |
letmein |
1 ↗ |
14 |
111111 |
abc123 |
1 ↗ |
15 |
1qaz2wsx |
111111 |
new |
16 |
dragon |
mustang |
7 ↘ |
17 |
master |
access |
2 ↗ |
18 |
monkey |
shadow |
6 ↘ |
19 |
letmein |
master |
6 ↘ |
20 |
login |
michael |
new |
21 |
princess |
superman |
new |
22 |
qwertyuiop |
696969 |
new |
23 |
solo |
123123 |
new |
24 |
passw0rd |
batman |
new |
25 |
starwars |
trustno1 |
new |
Source: SplashData
Sid Yenamandra, the co-founder and chief executive of Entreda, a financial services cybersecurity consulting firm, said single sign-on software that logs into linked apps with a master identity is another option. Such software can also help advisers change hoards of passwords in one swoop, as opposed to having to log into each platform and change the password individually.
"It is very clear that in order for cybersecurity to be successful, it needs to be convenient," Mr. Edelman said.
Neil Waxman, managing director and a financial adviser at Capital Advisors, Ltd. in Shaker Heights, Ohio, ensures his firm is secure with fingerprint scanning for its laptops and quick desktop and smartphone log-out times, on top of a password policy with numerous requirements. The firm came up with its cybersecurity protocol after having an audit and going through training years ago.
"This requires users to re-enter their passwords often, which is annoying but a small price to pay to protect our client's confidentiality," Mr. Waxman said.
A fingerprint scanner allows employees to log back into their systems more quickly, he said. It is also more secure than just a password, which can be hacked. Biometric measures are specific to the individual.
Mr. Yenamandra said biometrics is a viable option for advisers, so long as they consider it is another piece of hardware that needs upkeep and maintenance.
"It is always a great idea to have because it provides an added layer to ensure trust," Mr. Yenamandra said. He added that it is technology that is not widespread yet, but available on certain smartphone and laptop devices. It can also be bought externally.
The three main cybersecurity focal points, Mr. Yenamandra said, are "authentication, authorization and control."
The SEC is also serious about those focal points, and has already started cracking down on firms and their cybersecurity measures. Financial firms are still
coming up short in their cybersecurity efforts, made evident when the SEC charged
R.T. Jones Capital Equities Management in St. Louis for failure to have a policy in place.
"Cybersecurity is not a technical thing, it is a common sense thing," Mr. Edelman said. "[The SEC is] fining firms, so this is not a warning anymore."