Dual Factor Authentication Best Practices for Your RIA Firm

Author: Craig Pollack Date: Apr 12, 2018 Topics: Investment Advisor Blogs

At its core, cybersecurity is a risk management issue for all modern businesses and organizations. As cyber attacks continue to increase, both in terms of their complexity and their frequency, it’s important for employees at every business to ensure that they’re prepared for the cyber battles that are to come in the future. And, take my word for it — they will come.

No matter what technology your organization uses, there is no way to prevent 100% of all cyber attacks. Even the Financial Services Information Sharing and Analysis Center (FS-ISAC) recently admitted to falling prey to a phishing cyber attack.

These kinds of attacks should be of great concern to any registered investment advisor (RIA) firm. However, according to the U.S. Computer Emergency Readiness Team (US-CERT), there are things that you can do to try to reduce cyber threats to your investment advisor firm. Several of these best practices include the use of dual factor authentication (DFA), or what is also known as two factor authentication (2FA).

What is DFA/2FA/MFA?

Multifactor authentication (a.k.a. multi-factor authentication, or MFA) methods, such as two factor authentication, are security enhancements that require multiple types of information to confirm that someone is an approved or authorized user. These are significantly stronger authentication methods than a traditional username and password alone.

According to the National Institute of Standards and Technology Applied Cybersecurity Division, the information used for 2FA typically falls into three primary categories:

  1. “Something you know,” such as a PIN, password, username, favorite memory, or a special phrase;
  2. “Something you have,” like a mobile phone, generated code, or mobile app; or
  3. “Something you are,” meaning some sort of biometric identifier like your face, a retina scan, or fingerprint.

The US-CERT’s five recommended best practices include:

1. Integrating 2FA/DFA into Your Cybersecurity Strategy

The idea here is that by integrating two factor authentication into your cybersecurity strategy, you will be able to significantly reduce (or, ideally, eliminate) unauthorized access to your firm’s networks and sensitive data.

Depending on your firm’s security needs, there are different ways to protect your data via two factor authentication:

  • One Time Use SMS Text Message
  • Time-Based One Time Use Password or Code
  • A Hardware Token or Universal 2nd Factor

For example, when you call certain banks to speak with one of their representatives about your account, they may first text a one time code to your cell phone. Reading that code back confirms that you are who you say you are before they give you access to your account information.

But protecting your RIA firm from internal and external threats goes beyond protecting account information. There are additional steps that your IT staff (or managed IT service provider) should take to ensure that your network remains secure.

2. Blocking Malicious Code

Who wants unapproved software running on their machines? My guess is your response would be “no one.” By implementing application directory whitelisting processes, you’re able to prevent non-approved applications from being installed on your network. This is crucial to the security of your network because it limits which applications can be installed and run on any end-user device.

If infected software gains access to your network through an employee’s device, whether that access was accidental or intentional, it can mean “game over” for your network security if you don’t have systems in place to protect your network and devices.

3. Limiting the Number of Privileged Users

Just as you wouldn’t allow a stranger, or even an acquaintance, to have free rein of your house unchecked, as an RIA you need to apply that same mindset to your firm’s network and device security.

RIA system administrators have privileged access that gives them virtually unlimited access to everything. By limiting system administrator privileges, you’re only allowing access to those who have a legitimate need as defined by your management directives. This is a smart practice that we recommend to all of our clients.

4. Segmenting Your Network

If you’re not familiar with the concept of network segmentation, it’s the idea that you should divide your computer network into separate zones, each visible only to those with authorized access. If a hacker or a malicious employee manages to gain access to one part of your network, they’ll have to break out of that area before they can try to access any other areas. This gives your IT security team (or a dedicated managed IT security services team like FPA) more time to respond and thwart an attacker’s efforts.

By segmenting your network, if one part of your network is breached, the integrity of the rest of it will remain intact and your data will be protected. Isolating critical applications and devices, whether via a separate server or a virtual LAN, can help to minimize access and limit the potential damage to your firm. This is particularly beneficial in cases of ransomware, which is malware that can infect a device or network and block firms from accessing their files until they pay hundreds or thousands of dollars.

5. Securing Your Back Doors

A key to any successful business is the cultivation of strong relationships. The same can be said of your investment advisor firm’s network security. Hackers will sometimes try to gain access to your network by exploiting a network trust relationship as an attack vector. This means that any third party that shares a network trust relationship with you may prove to be a weakness in your network.

To mitigate these risks, audit the defenses of the parties with which you share network trust relationships to ensure that they are following best practices. If their defenses are subpar, consider terminating or suspending these relationships until sufficient controls are in place to protect your back doors.

These are just a few of the best practices that investment advisor firms should implement. As a trusted RIA, nothing is more important than protecting your clients’ most sensitive data. This is where hiring a managed IT security expert like FPA can be a smart move for your firm. Our managed security services can help your firm:

  • Prevent security events,
  • Detect and prevent intrusions and hacks, and
  • Recover quickly in the event that an attack occurs.

What do you think about these best practices? How do you use dual factor authentication at your RIA firm? Be sure to share your thoughts in the comments section below or send me an email to chat about this topic more in-depth.



Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.