It will probably be several months—or perhaps the year 2021—before we have firm data on just how many in the American workforce actually worked from home during part, or all, of the COVID-19 pandemic. It will likely take longer to study, collect, collate, analyze and accurately report on how and when peak internet usage occurred in different parts of the country, and among major enterprises and companies.
What is clear, even without deep analysis, is that this is the first period in U.S. history when so much of the population has been required to work from home.
In 2012, 39% of employees worked at least some of the time remotely, or in a location different from that of their co-workers, according to Gallup. By 2016, that number grew to 43%.
It’s undoubtably higher today, and not just for a few days of the week. While advisors are quick to point to their use of home office networks and consider the security box checked, that won’t be the end of the story. With the massive plunge into remote work, the unintended and unprecedented consequences for financial advisors and wealth management firms around data security, client privacy and cybercrimes are numerous and frightening.
“What you have when you go to this remote workforce is suddenly a much broader surface area that you need to be protecting, and you are going into home environments, often, which can be very diffuse, different,” said Brian Hengesbaugh, a partner at Baker & McKenzie in its global data privacy and security practice, during a webinar with clients.
“You can have family members working off the same WiFi network as your workforce members, and all kinds of issues in terms of how the security is actually configured in the home environment,” he said.
Then he pointed out other aspects that financial services IT executives and chief security officers must be wrestling with.
“How good is the equipment people are using; is it personally owned or company-owned? When you are looking at the privacy and cybersecurity rules, because of how these rules are shaped, they hit your enterprise in a number of different ways—one is certainly protecting customer data when it is being accessed or used remotely.”
The bottom line all advisors need to remember is that all the customer security and privacy rules still apply. Whether it’s the Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act of 1999), SEC and FINRA regulations, CFPB, FFIEC guidance, HIPAA, or state privacy and security laws like the California Consumer Privacy Act (CCPA) passed in January, or the breach notification laws of other states—it all still applies in the current situation, Hengesbaugh said.
It is likely some of those rules are being violated without intention, and the risks they are meant to mitigate have increased, given the disruption. While advisors working for larger RIAs or independent broker/dealers likely have remote-work policy and business continuity plans, it is equally likely those policies and plans have never been stress tested in the way they are now. If this is your situation and you are using a company-owned machine, at the very least you will more than likely be required to use the firm’s virtual private network (VPN) software with multifactor authentication, which insures that whatever you send or receive is encrypted and protected.
For smaller firms, both those that are SEC-registered and those registered with their respective states, this could be the first time a disaster or business continuity plan has ever been put into action. True, many sole practitioners who have always worked from home and rely on cloud-based applications may be in a better position. Nonetheless, here are some key security practices and tips to review and put in place:
Avoid clicking on anything in your email, whether personal or work, that looks the least bit suspicious or out of place, and give even those things that look legitimate a second glance before opening them. Hackers and other bad actors have been especially busy since the pandemic began to exploit people working in generally less secure home environments. Often these phishing attacks come in sheep’s clothing, looking like legitimate information on COVID-19 or something from the government or large companies and are urging you to open them. We have a recently contributed piece from Fidelity’s David Canter going into a bit more detail on how to better recognize these and up your suspicion level.
Passwords, passwords, passwords
It is a hackneyed topic, but still, the vulnerability persists: Strong passwords on all your applications, email, and devices make it much more tedious, maybe even difficult, for any entity (yes, more often than not these days it will be an algorithm not a human that is doing the heavy lifting to crack your passwords) to break into whatever you are attempting to keep safe.
For optimal security, make sure to use passwords that are at minimum eight characters long, though at least 13 characters is better (in fact using the longest password or passphrase permissible by each password system is the most secure). Use multifactor authentication when available and use different passwords on different systems and accounts. Do not use passwords or passphrases that are based on personal information that can be easily accessed or guessed.
Of late, many security experts argue that unique, randomly generated passwords that are at least 13 characters long are the most secure, but you will need to use a password manager to generate and keep track of them. For consumer product recommendations here and elsewhere in the story, I turn to my former colleague Neil J. Rubenking of PC Magazine. He has been a lead analyst in the area of security at the publication for almost 20 years and regularly tests all manner of security software, products, applications and suites.
Bad actors are always looking for the soft underbelly of technology. A fertile hunting ground continues to be applications, software, as well as computer and smartphone operating systems. Most big vendors like Apple, Microsoft and Google pump out a continuous stream of updates to patch vulnerabilities that they or others have found. The same goes for updates from smaller players; generally, it is always best to update to the latest version supported by your devices as soon as those releases come out.
Advisors that attend at least one big advisor conference a year with technology content should know to have strong encryption enabled on any device that has sensitive client information. Advisors are required by the SEC and FINRA to encrypt any emails or correspondence that includes a client’s Social Security number, financial statements or any other personally identifiable information. Documents that must be encrypted include a client’s prospectus, annual report or regular account statement.
Advisors should not be relying on the free versions of email applications because of backup requirements. The pro or premium versions of most email offerings have encryption turned on by default; for example, this is the case with Microsoft Exchange Server and Microsoft 365.
What can be more confusing if you are managing this yourself is encrypting the hard disk of your laptop or desktop computer. This level of encryption is most necessary in case your machine were to be stolen. Some Windows 10 devices come with encryption turned on by default (check this by going to “Settings,” then “System,” and then “About” and scrolling to “Device Encryption.” If your machine does not support this, you can use BitLocker, which is available only on Professional versions of Windows operating systems, but if you have a Home edition license you can purchase an upgrade. When it comes to Mac computers, the application to do the same is Filevault.
During my time at PC Magazine I co-led a team that for several years conducted testing of wired and wireless networking equipment. These products have continued to grow better in terms of performance, sophistication and security. Even so, both white hat hackers and black hats have continued to find ways to break into them.
If you have not already done so, or if it has been a while, check the security of your home WiFi network. Check your settings and be sure your WiFi is private and password protected (and be sure to assign your own unique password, not the manufacturer's default, many hackers know the latter), in other words not left so that anyone can join it. Given the relatively short effective distance of most WiFi signals, this is probably less of an issue in the suburbs or rural areas. However, in dense metropolitan environments—especially apartment buildings or neighborhoods with small lots—signals can easily travel across and between floors or from house to house.
In my New York apartment building I routinely pick up signals from more than two-dozen WiFi networks, with a sixth of them open, meaning I could join them if I wanted to.
Another thing that may have gone unnoticed prior to everyone working from home is that Ethernet remains faster than your wireless connection. In other words, WiFi is a shared medium and if everyone in your household is on it you are splitting that signal between everyone. If members of your household are streaming video or games, this can slow things down for you while working. If your home WiFi router has Ethernet ports and you can sit close enough, use an Ethernet cable to plug into it. You will still be sharing the bandwidth coming into your home, but it will likely be faster than your share of a split wireless signal.
For those with more modern or compact machines lacking Ethernet ports, whether Mac- or Windows-based, you can order an Ethernet-to-whatever-you-have dongle to the ports on your laptop (check your machine’s system specifications if unsure).
No WiFi router is bulletproof; for every security protocol that has existed up through the latest, WPA-3, experts have found vulnerabilities that make it possible to hack. The lion’s share of routers on home networks in the U.S. will still be running on the WPA-2 protocol, and ironically, WPA-3 devices can be hacked with the exploits very similar to what was used to crack the older protocol. Again, while no router is unhackable, applying the latest firmware updates and patches from the device’s manufacturer to your device will make those running either protocol more secure.
Run regular backups
It has never been easier to securely back up individual computers, or even a few of them on a home network (please do not ask me about the days of tape backup). Today there are plenty of online backup services available from Microsoft OneDrive to Google Drive and Apple iCloud as well as independent third-party providers like Carbonite. The main point here is being able to get all your files back if something happens to your computer or laptop if you do get hacked or attacked with some type of malware, including ransomware, or if the machine simply dies unexpectedly from a less sinister cause.
Antivirus, malware and/or security suites
I saved this for last because every advisor should already be running antivirus programs on their machines. There is, however, more to consider and most providers all have suites of programs available that bundle other forms of protection. Advisors should seriously consider a suite that combines antivirus with defenses against spyware, malware and other threats.
For actual product reviews I’m again turning to Neil Rubenking’s work at PCMagazine. Note that his roundups have a lot of great basic explanations in the introductions. Here are his 2020 roundups of antivirus and malware as well as ransomware protection products.
This article is not meant to be a comprehensive all-encompassing review of cybersecurity for advisors—far from it. The intention is to cover the basic bases that solo practitioners or very small firms will need to cover in order to work more securely in a remote home environment during the current crisis.