Hybrid work brings cybersecurity risks for advisors – here’s how to tackle the pitfalls

Open this photo in gallery:

Many advisors are continuing to divide their time between their homes and the office 20 months into the pandemic. But as the hybrid arrangement becomes more permanent, there are cybersecurity challenges that need to be considered and addressed, experts warn.

In a recent study, the CFA Institute found four in five advisors want to work remotely at least part of the time.

“In pre-COVID-19 times, there were not many organizations supporting flexibility,” says Rebecca Fender, chief of staff for research, advocacy and standards at the CFA Institute in Richmond, Va., adding that more are seeing the benefits after working remotely during the pandemic. “Now, most are saying ‘This is what we will do.’”

However, hybrid work brings complexity, warns Daphne Lucas, partner in Deloitte Canada’s risk advisory practice in Calgary.

“Hybrid work environments, where you have people that are working from anywhere on any device, introduces cyber[security] risks,” she says, and advisors don’t have the immediate information technology support that they might in the office.

The risks begin with an advisor’s tablet or laptop. It could be vulnerable or missing the latest security patches, she says. The risk increases if an advisor uses their personal devices for work – a common practice known as bring your own device (BYOD) – or if they use a work device for personal web surfing.

All companies should have a BYOD policy, she says, “so people understand what they should and shouldn’t be using their personal devices for.”

A company might allow users to access their work e-mail on a personal device but not download files from its network, for example. Or it might dictate a separate storage area for work data and applications on that device. Some companies might also ask employees to install device management software that ensures their smartphones have the latest security patches, she adds.

Ali Varshovi, financial services cybersecurity leader at Ernst & Young Global Ltd. in Toronto, says that modern mobile devices can separate work and personal data into different areas.

“Then, you can limit the connectivity between the two different environments,” he says. For example, an advisor could configure a device to prevent it from copying work files to the personal area on a smartphone or tablet.

Another consideration is that home networks are a potential security weak spot for advisors, Ms. Lucas warns.

Other devices sharing that network – from smart TVs to a teenager’s laptop – could present potential entry points for attackers in search of digital files.

What to do when working from home

Theo van Wyk, head of cybersecurity and solutions development at IT services company CDW Corp. in Mississauga, encourages advisors to set up separate areas of their home networks just for work devices.

“A lot of access points can support multiple wireless networks that use separate wireless logins with passwords,” he says. “Set up your access control rules so that the other things in your home like your entertainment devices cannot talk to your work laptop.”

Other measures to secure home networks include changing the default passwords on all connected devices, he adds. Advisors should also use a corporate virtual private network to connect their devices to the office. That will help to protect information by encrypting it in transit.

Mr. Varshovi says that moving to cloud-based productivity services has increased security for smaller advisor companies by enabling them to store their data more securely than they could in the office.

Nevertheless, online accounts are still vulnerable to attacks. The biggest cybersecurity risk is often in front of the keyboard, Mr. Varshovi warns. Social engineering attacks like phishing emails can fool advisors into giving up their cloud account information.

Multi-factor authentication technology can help with this risk as it combines a password with something in an advisor’s possession, such as a smartphone or separate security key, to help prove an advisor’s identity when logging into online services. That makes it more difficult for an attacker to steal and reuse passwords.

How to increase risk awareness

Technology alone might not thwart an attack, though. Mr. Varshovi says it must be combined with cybersecurity awareness for the best protection. That means regular training, ideally backed by anti-phishing tests in which consultants regularly test employees by sending fake phishing emails.

“An anti-phishing test is one of the most effective ways of training employees that are connecting to systems on a regular basis,” he says.

If an advisor falls victim to a phishing attack or notices suspicious activity on their system, it’s important for a company to be ready to respond with a plan, Mr. van Wyk says.

“Know how to contact your security group,” he says. Meanwhile, companies should reassure their advisors, and advisors should reassure their teams, that they won’t be punished for reporting a cybersecurity mistake.

Small advisory practices without a security group can work with a consultant to check that they meet the cybersecurity best practices set out in the Canadian government’s CyberSecure Canada initiative, Mr. van Wyk says.

This voluntary certification scheme checks small businesses’ compliance with cybersecurity best practices ranging from patching all software automatically and configuring devices securely through to installing security software and backing up their data securely.

Working with an authorized consultant to achieve this certification gives smaller advisor companies peace of mind that they are following basic cybersecurity best practices, he adds.

“Carve out a budget for yourself every year,” Mr. van Wyk says. “Invest it in making yourself more secure.”

That will help advisors save some of their weekly commute time while still meeting their security responsibilities.