While experts believe a holistic approach to cyber security is far more effective than a random series of checklists, there are some points reps can use to at least ensure they've strengthened a network to their best advantage.
- DTCC's Mark Clancy suggests reps who work in small independent offices create two accounts on their PCs: one that controls administrative privileges and to which they log in only when updating software, and one where all real work is done. He notes that at large firms, most employees don't have admin rights, so if their computers are compromised, hackers can't take over the desktop and potentially the network. For independents, a malware infection on a computer where admin rights are up and running means the machine, and all its data, is then vulnerable. “You can't take control of a machine if it's current and not the administrator,” he says.
- Don't neglect third-party software. While staying up to date with patches on operating systems is critical, so, too, is ensuring that other programs, from client relationship management software to Adobe Reader, are secure as well.
- iSEC Partners' Dan Guido says Windows users have an extra layer of protection most don't use. Called Data Execution Prevention (DEP), it is an option that can be found under advanced system settings (http://windows.microsoft.com/en-US/windows-vista/Change-Data-Execution-Prevention-settings) and blocks 14 of 19 known exploits, he says. While not a cure-all, it's an extra roadblock that requires hackers to spend more time and take more steps trying to get in, which makes the attack potentially less desirable. “When attacks take more time, it also increases an attacker's costs which means they get less out of it, and it's less profitable,” he says.
- While mobile devices aren't targets yet, encrypting all data stored on these handhelds is a wise move. Passwords employed to protect iPhones, Androids and iPads should also be changed as frequently as those on desktops, which ideally should be reconfigured every 90 days, with codes that use at least one letter, one number and, if possible, a symbol.
- Jennifer Bayuk notes that security should be the responsibility of all employees — not just the chief technology officer or the principal of an advisory firm. Making every member accountable for ensuring access to data is safe is the best defense. “The key is to have this part of everyone's job,” she says. “Don't just manage assets; make sure they're secure as well.”
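
For reps who want to check the first and fourth points on their own PC, the following read-only PowerShell audit is an added example, not something supplied by the article or the experts quoted in it. It assumes Windows with PowerShell 3.0 or later, and the variable names are illustrative.

```powershell
# Added example (not from the article): read-only audit of two Windows settings.
# Run it from the everyday account in a normal, non-elevated PowerShell window.

# Well-known SID of the built-in local Administrators group.
$adminSid = 'S-1-5-32-544'

# whoami lists every group in the logon token, including an Administrators
# membership that UAC keeps as "deny only" until the user elevates.
$inAdminGroup = [bool]((whoami /groups) -match "$adminSid\b")

# True only when this session currently holds full administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# DEP state as reported by the operating system (WMI class Win32_OperatingSystem).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$depPolicies = @{
    0 = 'AlwaysOff (DEP disabled for everything)'
    1 = 'AlwaysOn (DEP for all programs, no exceptions)'
    2 = 'OptIn (DEP for essential Windows programs and services only)'
    3 = 'OptOut (DEP for all programs except those you exclude)'
}
$depCode = [int]$os.DataExecutionPrevention_SupportPolicy

# One summary object so the result can be read on screen or saved to a file.
[pscustomobject]@{
    Account               = $identity.Name
    InAdministratorsGroup = $inAdminGroup
    SessionElevated       = $elevated
    DepAvailable          = $os.DataExecutionPrevention_Available
    DepPolicy             = $depPolicies[$depCode]
}

if ($inAdminGroup) {
    Write-Warning 'This account has admin rights. Use a standard account for daily work.'
}
if (-not $os.DataExecutionPrevention_Available -or $depCode -eq 0) {
    Write-Warning 'DEP is off or unavailable. Review the DEP settings dialog.'
}
elseif ($depCode -eq 2) {
    Write-Warning 'DEP covers Windows components only. Third-party programs are not protected.'
}
```

An everyday account set up as the first point describes should report `InAdministratorsGroup` as `False`; a DEP policy of `OptOut` or `AlwaysOn` extends the protection to third-party programs as well.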