If you handle participant data, you’re a valuable target for a cybercriminal, especially when you’re working remotely. In the Summer issue of NAPA Net the Magazine, Judy Ward offers some important tips on protecting yourself.
“If you’re a financial advisor, you’ve got a lot of information that’s of value,” says Saad Gul, partner and co-chair of the privacy and cybersecurity practice at law firm Poyner Spruill LLP in Charlotte, North Carolina. “Sometimes, enough information could be available to steal money outright.”
To help protect participant data, keep the following four tips in mind.
1. Access client data only on a company device
Working at home himself this spring, Gul had two devices on his desk. “The company device is basically for all client work,” he says. “And the personal device, I use to access materials that are in the public domain.” Cybercriminals use technology to constantly scan for vulnerable devices, he says. “If somebody is doing client work on their own device, at some point that is going to get picked up and flagged by one of these (cybercriminal) ‘robots.’ And come the day when they want to steal something, your device is going to be exceptionally vulnerable.”
2. Only use a “closed” home network or other secure network
“You don’t want to use public Wi-Fi, ever,” Gul says. “In the good old days, when people actually traveled, it was inconvenient if you were at a facility like a coffee shop that offered free Wi-Fi, and couldn’t use it,” he says. “But the reality is that a lot of the time, those places have been compromised. Somebody can be physically present in that same location, and intercept that data.”
3. Limit data access to employees who need it for their work
“Every network is only as strong as its weakest link,” Gul says. “A lot of your employees don’t need access to your sensitive material to do their job. Any silo of information that is valuable, you want to lock down tight. If all your employees have equal access to data, somebody working remotely could have an unscrupulous brother-in-law, or an old computer that can easily be compromised.”
4. Keep doing cybersecurity practice drills
In addition to annual training, Gul says his law firm runs cybersecurity drills throughout the year. “We will send out mock messages constantly to our staff,” he says. “There are law firms that, if you click on a link in one of those emails, they will lock you out of the system, and then you have to go to a three-hour training and take an exam to get back into the system. We’re nowhere near that draconian in our response. But the best way to prepare is to keep sending mock messages to your employees, and see how they react.”
Judy Ward is a freelancer specializing in writing about retirement plans.
For more information on protecting participant data, see Data-Driven, a feature article in the Summer issue of NAPA Net the Magazine.
