The other day when talking with some peers at a group function in New York, someone asked a pretty simple but intriguing question: “As a business owner, what really keeps you up at night?”
It was interesting to listen to the variety of answers coming from this very capable group of leaders. Market volatility, political turmoil, ever-changing regulatory requirements, hiring bright new advisors; the list went on and on and on. Perhaps more fascinating to me during this impromptu round of “Q and A” was how no one had dropped the dreaded c-word. Cyber-security!
There’s nothing as a business owner that presents a greater risk, that is more pervasive, susceptible to soft targets, and damaging than the potential for a data breach. In financial services, that risk is only amplified. Yes, we are a financial advisory firm entrusted with helping our clients reach their life-long goals, but perhaps even more important – we are entrusted with their data, their identities, and their security. It’s a huge responsibility.
It’s interesting though, that while we spend tens of thousands of dollars every year upgrading, hardening, and improving our digital assets and infrastructure, many, many times, we see that data breaches and fraud occur well beyond the boundaries of our offices. We’ve heard many stories from our clients about being victimized by cyber or identity fraud. Unfortunately, most of our clients don’t have the funds or even the expertise to create the necessary boundaries on their personal digital assets or identities.
So as our firm’s Chief Operating Officer, an owner, and someone who wants to get a good night’s rest, I’d like to share with you my top five things you can do to protect your identity, your assets, and your personal information.
We’ll start by saying this: Anyone can be hacked! The Security and Exchange Commission (SEC), the very governing body that holds our firm and thousands of others across the country accountable for its cyber security programs, was itself hacked in 2017.
Protecting your digital assets and your identity doesn’t have to be complicated and all encompassing. You’re not planning espionage or landing a lunar module. Lots of times there are simple steps you can take to reduce the probability of cyber theft. Here are my recommended steps:
#1 – Don’t Boil the Ocean
The very first thing you must do as an individual is turn on alerts – and preferably SMS alerts on your cell phone. Just about every major financial institution has the ability for you to do this now. Charles Schwab’s alerts can be turned on in your profile in Schwab Alliance. You should set your alerts to notify you whenever there is activity on your account, that way, when something happens, you know the minute it occurs and you can see if you recognize the transaction.
Make a list of all your accounts and go through them to turn on alerts. And yes, it’s annoying, but so is being hacked, so play it smart and be informed about your activity.
#2 – That’s Not the Secret Knock
In the opening scene of the famous movie “Stand by Me” three teenage boys are hanging out in a tree fort doing, well, …. teenage boy things, when their friend Vern knocks on the outside door. They quickly say “That’s not the secret knock!” to which Vern replies, “I don’t know the secret knock.” After a quick laugh, they let Vern in through the small door.
Our personal accounts are just like that door and the secret knock. And just like the movie, we’ve made it far too easy to let people in.
Most, if not all, major web-based digital assets have increasingly stringent password and two-factor authentication (2FA) controls – a secret knock – to keep your items safe. Unfortunately, many people still do not deploy two-factor tools. A study done by Google in 2018, for example, found that more than 90% of active Gmail accounts on their system don’t use two-factor authentication.
In fact, government agencies like NIST –The National Institute of Standards and Technology, actually recommend that – if it is available – users should use a one-time password or token generated by software like Google Authenticator or Symantec VIP Access to provide that second code for logins.
A good password followed by a secret 2FA knock will go a long way to keeping your assets safe. You should deploy 2FA on all your email accounts and any other online tool that houses personal information.
And while we’re at it, let’s talk about those passwords.
#3 – The password is………
Come on, admit it! You’re using the same password on dozens of accounts. Lots of people are, and by doing so, they’re making all their accounts susceptible to hacking. Worse, lots of folks are deploying passwords like “password123” or “welcome01” in hopes of remembering that key information more consistently. Unlike the old game show, in the cyber security game, losers don’t get nice parting gifts!
All it takes is one provider (can you say Equifax?) to have a breach. Your favorite password or personal data will be making the rounds on the dark web. It’s simply a matter of time.
NIST recommends that your passwords be at least 8 characters long, with no complexity requirements (like hashtags for example) and no knowledge-based authentication (e.g. what’s your father’s middle name). They are now recommending password phrases that only you can remember. The thinking here is that people are less likely to write their passwords down if they are easier to remember – and writing your password down and putting it somewhere is probably the worst thing you can do – for obvious reasons.
I recommend that everyone use a password keeper like Dashlane or LastPass. These tools not only collect your password info, encrypt it, and make it easier for you to access them on your phone and browser, but many of these providers also offer tips and tools on how to better manage your passwords, including which ones have been part of a security breach at thousands of digital providers. Many of these tools are free or low cost.
#4 – Drop the Mail
We hear it all the time and it goes something like this: “We don’t do anything online; we don’t want to be hacked!” And it’s true – if you don’t have a computer, email address or smart phone, it would be nearly impossible for you to personally get hacked. Just like if you didn’t have a car; it would be impossible for you to have a car accident!
But what’s more secure? Your personal data, traveling around the United States, touching multiple people and processes, and then one day, hopefully, ending up in your unlocked mailbox…….at the end of your driveway?
What’s easier to steal? Someone’s bank statements from their mailbox while they are at work for the day, or your encrypted password protected statements delivered to your online email box?
For my money, a responsible data protection plan is far more secure than the USPS. According to the United States Postal Service Office of Inspector General, in a thirteen-month period between 2017 and 2018, there were 425 arrests and 1,160 administrative actions taken related to postal workers stealing mail.
Moreover, according to a 2018 CNBC report, mailbox theft is on the rise. Read the story here.
Want to play it safe? Bolster your cyber defenses and get your personal information out of your unsecured mailbox.
And finally #5 – Don’t Make It Easy!
Even with taking all the preventative steps above, I still hear horror stories about things that people do in their homes, every day, that make them vulnerable to cyber attacks. Here’s a short list of quick hitters that will make you immediately smarter than the average American when it comes to cyber protection:
- Free Public Wi-Fi – avoid it at any cost! Don’t use it while you travel or while you shop or drink coffee. It’s one of the easiest ways for someone to get your information. Use Ethernet connections at home and invest in an unlimited cellular plan while away. It’s worth it. If you must use Wi-Fi, make sure it is password protected and the actual device is up to date. Here’s a guide to Wi-Fi technology.
- Virus and firewall software. Every computer should have virus and intrusion protection. If you don’t have it, here’s where you can find the top providers.
- Two-Factor your email – Most major email providers now have a way for you to build-in unique logins to your email so someone doesn’t get into your account from an unauthorized device. One of the easiest ways for you to get hacked is for an intruder to gain access to your email server and forward your emails to another address in the background, without you knowing.
- Don’t write down your passwords! Literally – people are writing down their passwords and storing them in a drawer near their computer. That’s one step removed from keeping them in your mailbox (See #4 above). Get an encrypted password software and lose the analog lists!
- Review your accounts regularly. We’ve seen stories of clients experiencing fraud in accounts that they have not looked at in months, or in some cases, years. Set up regular reminders to take a look at the actual activity in your accounts to look for unrecognizable activity, at least once per month, but preferably more.
- Don’t click on links you don’t trust. If you aren’t expecting it, ask the sender to verify. This includes social media – which can be the absolute worst when it comes to grabbing your information and using it corruptly.
There’s no one-size-fits-all when it comes to protecting your identity and digital assets. The biggest rule of thumb is to be smart and aware of potential threats and make sure you budget time to scrutinize your plan! As your partner in protecting your digital assets and your financial privacy, we are committed to working with our clients on strategies that can assist in cyber-readiness. Feel free to contact us at invest@levelFA.com, or, for our clients, you can text the word CYBER to 716-727-5047 and follow the prompts to drop us your cyber questions related to your accounts, Charles Schwab, or protecting your identity!
Michael Heburn
Partner and Chief Operating Officer
