Is your data secure?
Many smaller firms don’t have the resources to properly secure their IT infrastructure. Tim Clark writes about the efforts some larger firms take to ensure proper data security.
Some years ago I was at a firm where a disgruntled employee deleted many financial plans and the CRM database before he left. Fortunately, I had a backup strategy and was able to recover the files. However, it did bring to light a serious issue. Did he really need access to those files? Who really needed access to what?
As an adviser shop slowly grows over time and adds staff members, the simplest and most cost-effective thing is to just grant new employees access and trust them. This is a scary practice; think of the liability if one angry employee takes off with your clients’ sensitive data. That data contains your clients’ Social Security Numbers, birth dates, and everything needed for identity theft. Or what if you are grooming a junior partner who decides to start their own practice with your CRM database?
What can small shops do?
First, make sure you have a secure system. It’s relatively easy to set up domain or workgroup security; this will at least ensure that users must authenticate to get onto any system in the office, and it creates an audit trail. You can do this as soon as you add your second computer.
Make sure your IT person does not know any user passwords. Instead of having your IT person assign passwords, Windows lets you check a box to require a password change at next login. This ensures that only the user knows his password.
Have a good password policy with frequent expiration (30 days). I know it’s a pain, but security is very important. Apply the policy of least access privilege. Ask yourself some serious questions: does the para-planner need access to any plans other than the ones being worked on? Does your secretary need access to anything other than names and addresses? Does your reconciler need access to any plans at all?
You should not have anyone accessing data directories or the database directly. This is one of the biggest holes that comes up in security audits. If they have access to the raw data they can do anything they want with it: copy it off, sell it to your competitors, anything…
Have a second IT consultant come in and ensure your IT person has not created back doors through remote access. This just happened to someone I know; their entire client financial database was copied off-site through remote access.
Check with your broker/dealer and see if they can do a security audit. An audit will tell you if anything needs to be fixed. I’ve heard rumors that several clearing firms are starting to include security audits in their regular audits.
Matt Abar said,
November 14, 2006 at 9:15 pm
Great post and I’d like to add something: Test your backups every once in a while. I had to learn this the hard way.
Years ago, at a company where I was responsible for IT, we used a CRM database. We kept everything in there—prospect information, sales documents, competitive information, customer support records, e-mail archives, conference plans—everything. Each individual sales person spent about an hour a day keeping it current. We backed it up religiously twice a day.
The database crashed. We tried to restore the most recent backup and it failed. It turns out, every backup we had ever done was corrupt due to an obscure technical problem. We lost three years of corporate data.
Hmmm… I wonder if this blog is getting backed up.
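Matt Abar’s point about testing backups, as an added example that is neither the post’s nor the commenter’s code: a small shell script that writes a backup with a hash manifest and then proves it by restoring into a scratch directory and re-checking every file. The sample files, file names and the simulated corruption are constructed; it assumes GNU tar and coreutils sha256sum are available.

```shell
#!/bin/sh
# Added example (not from the post). A backup is only presumed good until a
# restore has actually succeeded, so verify_backup restores every archive
# into a fresh temporary directory and checks each file against the manifest.
# Assumes GNU tar and sha256sum from coreutils.
set -u

# make_backup SRC_DIR ARCHIVE : write ARCHIVE containing SRC_DIR plus a manifest.
make_backup() {
    src=$1; archive=$2
    ( cd "$src" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + ) \
        > "$src/MANIFEST.sha256" || return 1
    tar -C "$src" -cf "$archive" .
}

# verify_backup ARCHIVE : restore into a scratch dir and check every hash.
# Returns 0 only when extraction and every checksum succeed; the scratch
# copy is always removed.
verify_backup() {
    archive=$1
    scratch=$(mktemp -d) || return 1
    status=0
    if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
        status=1      # archive unreadable or truncated
    elif ! ( cd "$scratch" && sha256sum -c MANIFEST.sha256 ) >/dev/null 2>&1; then
        status=1      # archive readable but contents differ from the manifest
    fi
    rm -rf "$scratch"
    return "$status"
}

# Demonstration on constructed sample data: one good backup and one copy
# that was silently damaged after it was written.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/crm"
    printf 'client,phone\nA. Example,555-0100\n' > "$work/crm/contacts.csv"  # constructed
    printf 'retirement plan draft\n' > "$work/crm/plan.txt"                   # constructed
    make_backup "$work/crm" "$work/good.tar" || return 1
    head -c 300 "$work/good.tar" > "$work/bad.tar"   # simulate a corrupt backup
    verify_backup "$work/good.tar" && echo "good.tar: restore test passed"
    verify_backup "$work/bad.tar"  || echo "bad.tar: restore test FAILED (as expected)"
    rm -rf "$work"
}
demo
```

Run it on a schedule against the real backup files, and treat a non-zero exit from verify_backup as an incident, not a warning.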