(September 1, 2005) Technology risks are showing up more frequently and moving more quickly than ever before. Advisors working in large corporations tend to have the benefit of a qualified IT department at their disposal to work on these things, but independent advisors or anyone responsible for their own technology have a whole host of considerations to think about and deal with, or they may be putting sensitive client information at risk every time they turn on a computer.

This should concern clients, but it should also concern the industry as a whole, given the consumer trust element that financial advisors are dependent on. At the lower end of any industry there are stragglers who say security risks are not a priority, but this is particularly problematic in financial services where advisors are accountable for a significant amount of confidential client information.

Industry priorities are moving in the right direction, say experts like Info-Tech Research Group research analyst, Carmi Levy, “but it’s not where we would like it to be,” he says. “There needs to be an industry-wide recognition from all levels, from the smallest shop, all the way up the ladder to the largest organization, that security needs to be a priority.”

Security measures and disaster recovery plans are, fortunately, not all that difficult to put in place, but still many advisors don’t give the process a lot of thought.

“Security for a small business person is typically not the most pressing need. As long as they have the computer, the software and tangibles in place, they believe it’s enough,” says Levy. “But it’s like insurance, you only realize you’re missing it when something bad happens and you realize that you should’ve bought it in the first place. Security is like that as well.”

However, just like insurance is sometimes a hard sell to the client who believes they are going to live forever, many small business owners, advisors included, seem to think technology is not worth the regular investment needed to keep abreast of changes.

“It takes effort and it takes time,” agrees Graeme Jannaway, managing director of business continuity and security consulting firm, Jannaway & Associates. “Except for viruses, which are seemingly popping up all over the place, most people look at technology threats and say the risk is pretty low. The risk is pretty low, but the consequence is you’re betting your business. If you have no backups of your files, of your records, of your client base and so on, you are kissing your business goodbye if something happens.”

Right now the biggest technology risks to client data include unpatched computer operating systems that allow hackers to access information on the computer. “The biggies continue to be computer viruses, worms and a general collection of ne’er-do-well bits of code that will hurt you,” says Jannaway. “A good disaster recovery plan is not complex, it’s just a case of keeping copies of copies. The big thing is to keep track of who owes you money. Don’t bother with who you owe money to — it’s up to them to remember that. What is your business? Think about it. If this little system [your computer] went away or if your office burned down tomorrow, what would you do? Would you still be in business? That’s really all you need to ask.”

To safeguard against technology threats:

  1. Patch your computer. If you are using a Windows operating system, regularly downloading patches and security upgrades is critical. Earlier this month, the most recent series of viruses designed to exploit a vulnerability in the Windows 2000 operating system, dubbed the Zotob and Ircbot worms, first appeared just seven days after Microsoft released patches to fix the software.
    Patches are software updates meant to fix known problems with a computer program. New viruses usually target Windows operating systems, simply because they are the most common.
  2. Get antivirus software like Norton Antivirus or McAfee Antivirus, and download updates as they become available.
  3. Scan your system regularly for spyware using programs like Spybot or Ad-Aware. Be sure you are getting the software from a reliable source. Spybot can be downloaded from CNet (www.download.com) and at Tucows downloads (www.tucows.com). Ad-Aware SE Personal is also available for free at www.lavasoftusa.com. Professional versions of the software start at $50. "Just pick one and use it," says Jannaway. "It beats the hell out of trying to find the optimal one and never getting around to it."
  4. Keep home computers and work computers separate. Don’t let the kids download games onto your work computer. Try not to let your work files get too scattered between work and home. "Be neat, be tidy, keep track of files, get rid of junk you don’t need and programs that you don’t need. Do regular scans for spyware. Good housekeeping goes a long way towards all kinds of things," he says.
  5. Be wary of requests for inappropriate information and advise your clients to do the same. Pharming, where hackers use legitimate-looking websites and actually hijack real websites in order to harvest client information, evolved from phishing scams, where clients are sent legitimate-looking e-mails requesting their personal information. "If you’re talking with the tax office, it’s fair game that they ask for your social insurance number. If you’re talking to Joe Blow, he is not allowed to ask for that information," says Jannaway. "There are only very specific reasons why you should ever give out your SIN number or your banking information."
  6. Get an uninterruptible power supply (UPS) suitable for the power needs of your computer. UPS costs run between $50 and $250, but it can be what saves your files in the event of a power failure. The unit charges a battery that, in turn, powers the computer. In the event of a power surge or failure, a UPS will give the computer enough time to save files and shut down properly before the system fails. "The fun little test is to start your computer, open a file and pull the plug on your UPS. It should run just fine. If it doesn’t, you’ve got a bit of a problem and you should talk to the people who sold it to you," says Jannaway. "In the same way, every once in a while, after you’ve done a backup of your client data, check to see that everything is still there."
  7. Make backups of all your files and test them. "There are all kinds of tales of people who thought they were taking backups, when in fact they weren’t taking anything," he says. There are many ways to make backups, but Jannaway suggests partitioning your hard drive, or getting someone to do it for you. Partitioning divides a hard drive’s storage into isolated parts, which can be recognized as separate, virtual hard drives. Each day or each week, back up files to a second partition or "virtual hard drive". Every month, copy all of your files to the third. Backing up to the same hard drive is useful if the files fail or get overwritten, "but it doesn’t protect you from the problem of that sudden screeching from your hard drive of a bearing going bad," he says. "At some point you should be dumping the information and moving it off site." There are companies that specialize in offsite data storage for businesses, but for smaller practitioners, the easiest way to do this is to get a second hard drive to plug into your computer. Large external hard drives start around $200. Keychain-sized hard drives, used for transferring files between computers, start around $30.
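
One way to carry out the "test them" part of step 7, as an added example that is not part of the original article: a Python script that compares every file in a working folder against its backup copy by SHA-256 hash and reports copies that are missing or differ. The folder names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large client files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_backup(source_dir, backup_dir):
    """Compare each source file with its backup copy; return paths by status."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    report = {"ok": [], "missing": [], "mismatch": []}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir)
        copy = backup_dir / rel
        if not copy.is_file():
            report["missing"].append(rel.as_posix())   # never backed up
        elif sha256_of(src) != sha256_of(copy):
            report["mismatch"].append(rel.as_posix())  # stale or truncated copy
        else:
            report["ok"].append(rel.as_posix())
    return report


def demo():
    """Constructed sample: one good copy, one empty copy, one file never copied."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "clients"), Path(tmp, "backup")
        src.mkdir()
        bak.mkdir()
        (src / "ledger.csv").write_text("client,owed\nA,100\n")
        (src / "notes.txt").write_text("call back Tuesday\n")
        (src / "contacts.txt").write_text("A: 555-0100\n")
        (bak / "ledger.csv").write_text("client,owed\nA,100\n")
        (bak / "notes.txt").write_text("")  # backup job wrote an empty file
        return verify_backup(src, bak)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

A mismatch is expected for files edited since the last backup; run the check right after a backup finishes so that any mismatch or missing entry points to a backup that did not actually capture the data.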

Finally, “if you want to avoid viruses, don’t do stupid things,” advises Jannaway. Once your computer is up to date, he says staying away from activities that you wouldn’t want written about on the front page of any newspaper, like downloading pirated software or surfing porn sites, is a good rule of thumb to use in avoiding malicious code. Also, avoid clicking ‘ok’ or agreeing to any pop-up propositions, fake error messages, or notes from people that you obviously don’t know.

If the whole concept of keeping your computer maintained is exhausting or overwhelming, get help from someone who is actually in the business of providing tech support, and not just the kid around the corner. Being technologically un-savvy simply won’t cut it.

“The first thing they’ll say is I’m a financial planner or I’m an advisor, I’m not a technology expert, and they’ll use that as an excuse to throw up their hands, surrender and say I don’t know anything about this so I don’t need to worry about it,” says Levy. “As the threat environment becomes more dense and faster moving, that excuse no longer holds water. Being technologically immature, maybe 10 years ago might have been enough to let you slide by, because the maturity of internet based threats wasn’t anywhere near where it is today. You don’t necessarily need to be a whiz with technology, but you need to be savvy enough to know what questions to ask and where to go to get the answers.”

Filed by Kate McCaffery, Advisor.ca, kate.mccaffery@advisor.rogers.com