October is Cyber Security Awareness Month. It doesn’t exactly roll off the tongue, does it? The concept originally launched in America in 2003, but the EU quickly followed suit and it’s now a worldwide initiative.
Given the sensitive nature of the client data we hold, arguably we work in an industry where we need to be particularly mindful of the risks in holding and storing digital data. So, this month is a good time to review not just your data systems and processes, but those of the third parties with whom you share this data.
When you’re working with an outsourced paraplanner, cyber security should be a key part of your due diligence process. Are your data and your clients’ data being stored securely? How will you submit cases and receive your completed research, analysis and reports? What other data risks need to be considered and how can they be reduced?
It’s widely understood that sending personal and potentially sensitive information by email is less secure and therefore higher risk than other methods of data transfer. There are many encrypted email systems available these days, but they tend to be clunky and frustrating to use, not least if you have to log in to even see what the email is about.
Many companies now use some sort of portal or data transfer system to help protect their clients’ information. There are a number of ‘off the shelf’ options, such as Microsoft SharePoint, Dropbox and Basecamp. Some outsourced paraplanners have even developed their own ‘in house’ solutions.
Some portals allow not only the secure transfer of files, but they also allow the paraplanner and adviser firm to comment on files and discuss cases, providing an audit trail for all involved.
It’s important to understand a bit of the detail about how any such portal works, for example, where the data is stored. US-based servers can cause issues unless the relevant Standard Contractual Clauses are in place. It’s also important to consider whether the data is encrypted, both when stored and on its journey between the portal and your device.
Strong passwords are obviously a must, but passphrases are better – a few unrelated words and numbers that make sense only to you. However, multi-factor authentication is becoming the norm these days, where an app on your phone generates a code to use when logging in. This adds significant extra protection from hacking.
It’s also important to consider where your paraplanner works.
Public wifi networks aren’t always secure, so you’ll want to know there’s a Virtual Private Network (VPN) in place, or that your paraplanner works through a secure wired connection. Consider what data your paraplanner might hold on other devices too, such as apps on their mobile phone, as phones are small, regularly used outside the workplace, easily lost or stolen, and pretty easy to hack.
Make sure your paraplanner has strong anti-virus / anti-malware software in place on all devices. This should be run daily, and the tool should be regularly and automatically updated, to make sure the latest malware is detectable.
This should help not only to protect your clients’ data, but also to reduce the risk of interruption to workflow, for example, from ransomware attacks.
Finally, it’s worth making sure there is a formal data breach policy in place, so that if the worst happens, it gets dealt with properly. All these points form an important part of your due diligence when outsourcing to any third-party service provider.
So let Cyber Security Awareness Month be a prompt to review the systems and processes of the firms you partner with, to avoid any data horrors this Halloween.