Over the past several months, we have increasingly relied on technology to stay connected to our colleagues, friends, and family members. But with this enhanced use of technology, there are fears about the security and safety of our online presence. We often hear about technology scams on the news, which try to take advantage of people’s natural desire to help or prey on their fears. Attackers attempt to gain access to people’s private information via deceptive means, which means we need to be vigilant when using computers and take reasonable measures to protect ourselves.
Over the years we have addressed various aspects of the importance of protecting your sensitive information, and most of the recommendations are still relevant. More recently, in Enhancing the Security of Your Personal Information, I discussed how consumers can approach personal information security by employing a three-pronged approach that aims to prevent, monitor for, and detect inappropriate use of your sensitive personal information. And a few years later, in 2017, my colleague Sherrie Campbell shared some dos and don’ts for securing your personal information.
Since our previous Viewpoints on the topic of security and protecting personal information were published, much has changed. Smartphones and tablets are now ubiquitous and also prone to attack, and those wishing to steal your personal information have grown increasingly sophisticated in their attempts at doing so. This Viewpoint addresses several topics we’ve previously discussed while peppering in some important updates on how to protect yourself.
How You Can Protect Yourself
Unfortunately, there is no way to provide an absolute guarantee that your personal information won’t be accessed. Malicious actors have become incredibly resourceful. Your objective should be to throw up enough roadblocks to avoid being an easy target or the low-hanging fruit for these individuals. The key is to make it challenging and time consuming for them to access your personal information by implementing basic security measures.
Treat Password Security Seriously
When it comes to wealth management, we often counsel our clients to focus on what they can control. Here are some examples of things you can easily do on your own that can provide significant protections.
- Don’t ever write down your passwords where someone else could access them.
- Use a password management program like LastPass or Bitwarden. These programs can create and track passwords that are unique to every login you have, allowing you to manage them all with one master password.
- Use complex passwords – no fewer than 10 characters, including upper and lowercase letters, numbers, and special characters.
- Create unique passwords for your various logins.
- Use multi-factor authentication (text codes, PIN generator, etc.) for all accounts that give you this ability.
Employ Basic Computer Security
We also recommend good computer security hygiene. There are a number of basic tactics you can employ on your own that will also provide some good protections.
- Install, and regularly update, an anti-virus program on all of your computers and keep its virus definitions updated.
- Keep your operating system and programs regularly updated to ensure security vulnerabilities are patched. This varies between Mac and PC users, but the same principles apply regardless of what operating system you use.
- Avoid getting phished. What does this mean exactly? For one, never provide any sensitive personal information to anyone via email. Be sure to avoid opening messages from unknown senders and certainly do not click links or open attachments contained in such email messages.
- Before replacing your computer, delete sensitive personal information from the hard drive and perform a low-level format. Better yet, bring it to Truepoint’s annual recycling event where the vendor we use will shred your hard drive to ensure sensitive information is inaccessible.
Be Vigilant: Protect, Monitor and Detect
Protecting and monitoring your credit reports is another tactic we discuss often with clients, especially coming out of the Equifax data breach of 2017. We generally recommend that consumers freeze access to their credit reports at Equifax, Experian, TransUnion, and Innovis. This will prevent new credit from being opened in your name. Temporarily unfreezing access to your report for a legitimate credit application is far less onerous than it once was, and freezing and unfreezing your credit is now free. For more information, visit the FTC’s webpage on credit freezes. A few additional points follow.
- Monitor your credit reports regularly. You are entitled to a free credit report annually from each of the three main credit bureaus (Experian, Equifax and TransUnion). Request a report every four months by rotating among the credit bureaus. Review the reports for unfamiliar accounts.
- Receive all sensitive data via online secure sites (e.g. bills, financial information, etc.) rather than via the U.S. Postal Service. Truepoint’s Client Portal provides the ease of securely viewing financial data and transferring documents between you and your Truepoint team.
- Don’t send account numbers, usernames or passwords in unencrypted messages. Use the phone to deliver passwords, or at least deliver login credentials in separate messages.
- Shred receipts, insurance forms, checks, bank statements, etc.
- Review all credit card statements in detail. Use Mint, YNAB or other similar services to consolidate transaction histories enabling you to review all of your accounts regularly.
- Set up alerts with your credit card and bank accounts. Establish triggers that will notify you if transactions exceed a certain amount, the number of transactions in a given time period exceeds a threshold, your balance drops below a certain amount, or an online transaction occurs.
- Watch for routine mail you are expecting (or better yet, move to online delivery rather than mail). If you don’t receive a bill, statement, or other mail you were expecting, immediately contact the company to inquire about whether changes have occurred with your accounts.
- Follow up immediately if the Internal Revenue Service notifies you that more than one federal income tax return was filed with your social security number. Notify your CPA or tax preparer right away, or if you prepare your own return, contact the IRS at the phone number provided.
- Back up your data. This protects you against ransomware and computer issues.
How Truepoint Protects You
At Truepoint, we take security very seriously and use a variety of measures to protect a client’s personal information and accounts. We restrict access to private records to Truepoint employees who need the information in order to provide our advisory services. We also employ extensive data protection controls to maintain physical, electronic, and procedural safeguards to protect personal information at all times.
- Sensitive documents are stored in an internally-accessible file storage vault and in the client portal. Very few documents are stored onsite; most are in Laserfiche, which is stored in a secure cloud location.
- On-site documents are located on a secured server inside of a locked enclosure, inside of a locked room, inside of another locked room. Physical and electronic access is closely monitored and only secured computers may access these files.
- Documents stored in the client portal are encrypted and protected in transit using an RSA encryption key.
- Documents stored in our file storage vault are encrypted in transit and at rest. Access to the storage vault is restricted to specific user groups.
We’ve referenced the word encryption quite a bit, so what do we mean by that exactly? Encryption is the process of converting information into a code that can only be read if you have a secret key (for those wanting to learn a bit more, here is a good resource on RSA encryption). More specifically, we use encryption when sending emails and documents as well as when working with outside vendors. All of our employee computers (including laptops for this “working from home” period) are encrypted and run on a secured network protected by:
- Antivirus software
- Application whitelisting (only approved apps are permitted to run)
- Firewalls and network monitoring software and hardware
- VPN technology
We are required to verify verbally, either in person or to a pre-established client phone number, any time a client requests that a third-party payee be added to a brokerage account. Truepoint stores documentation of this verification in our CRM system. We do this to prevent any unauthorized payee or bank from being linked to a brokerage account. It’s important to note that third-party verbal verification serves as a failsafe should a client’s email be hacked – we’ll never send funds to a payee other than the account owner without verbally verifying the third-party payee first.
Lastly, our entire team receives regular compliance training, touching on topics like current fraud schemes and other red flags. Our objective is to educate and empower our team to recognize these activities – both to protect our clients and ourselves.
Information security is ever-changing in our fast-paced world. And technology continues to serve an important role in keeping people informed and connected. As things continue to evolve, we will ensure our guidance to secure your information is updated. If you have any questions, please contact your Truepoint team.