With cybercrime on the rise, we’re all at increasing risk. Here are some best security practices to follow and share with your clients.

Key points
  1. In a digital-first world, cybersecurity must be a top priority for Wealth and Asset Managers
  2. Cybercrime is on the rise: 7% of UK adults were victims of online fraud in 2020
  3. We share best practices in online security to pass on to your clients
  4. Alternatives to passwords may be simpler and more secure

Why Wealth and Asset Managers must prioritise data security

Wealth and Asset management firms are custodians of their clients’ money - and data - so frequently find themselves the target of cyberattacks. In 2018, 20% of attacks reported to the UK’s Financial Conduct Authority (FCA) were targeted at the wholesale and investment management sector. A data security breach can seriously impact the reputation of a wealth management firm, so firms must ensure their systems are secure and support their clients in following cybersecurity best practices.

How big is the cybersecurity threat?

In the UK, it’s estimated that there were 4.4 million fraud offenses in the year ending 30 September 2020, although most of them went unreported. The recent Serious Organized Crime Threat Assessment 2021 emphasized that cyber-dependent crimes are “set to further increase in volume and sophistication over the coming years”. The EU is taking steps to mitigate this by establishing a Cybersecurity Competence Centre to support cybersecurity research, technology, and development.

Security best practices to adopt now

The simpler the passwords we use, the easier they are to hack. Some password practices that experts advise:

  • Don’t use the same password across multiple sites - if you do, and it is stolen, all accounts using the password are compromised
  • Use at least eight characters, mixing upper- and lower-case letters, numbers and/or special characters
  • Don’t use information referring to yourself (middle name, birthday, family members etc.)
  • Change your passwords every two months and don’t re-use old ones
  • Change at least four characters when creating a new password


Even when doing all of these things, relying solely on a password is not always enough. Some hackers have sophisticated tools like key loggers. These copy everything typed on your keyboard, then forward the information to the hacker so they can comb it for passwords.

It is therefore advisable to stipulate two-step verification for all logins. This means taking an extra step to log in, besides entering a username and password. For example, you might have to enter a One Time PIN (OTP) sent to your smartphone, or a PIN from an Authenticator app from Google or Microsoft.

Our Invessed platform incorporates two-step verification while enforcing minimum password strength and expiry. The system makes the most of Web Application Firewalls and full end-to-end encryption provided by Microsoft's Azure Cloud.

Password alternatives may become simpler and more secure

In the near future, two-step verification may not be enough, which is why many Cloud SaaS providers are experimenting with alternative authentication methods. Google, Microsoft and other global software giants are continually working on the future of security. Face and voice recognition may become more common, and algorithms might one day identify not just the characters you type but how you type them, based on the unique movements of your fingers on a keypad.

For now, please check that your clients are using passwords in line with expert advice, as well as two-step verification, when logging into your Client Portal. To check on the security of their wider online activity, individuals can visit Google’s instant Security Check-up at any time.

Ask yourself, before logging out at the end of the day: have I taken all of the security precautions I need to?