The Dangers of RIAs Using Unencrypted Mobile Devices

Author: Craig Pollack Date: Sep 06, 2018 Topics: _Investment Advisor Blogs, Cybersecurity

We live in an age of unprecedented connectivity with nearly 70 percent of the U.S. adult population using a smartphone as of 2017. Due to the increasing use of unencrypted mobile devices and smartphones, we can connect with friends and family around the world, conduct business, pay bills, buy and trade stocks, shop, send videos, and emails — essentially, we can live our lives in total connection with others in a digital environment.

However, with all of this connectivity comes the dark side: When you can reach out and connect with others, including businesses, it also means that people who may have malicious intentions can reach out and connect with you… even when you don’t know it. And, unfortunately, mobile security threats continue to rise with a 54% increase in mobile malware, according to Symantec’s 2018 Internet Security Threat Report.

As a registered investment advisor (RIA), it’s likely that your firm has protection software installed on its computers and network — such as antivirus, firewalls, intrusions detection systems/intrusion prevention systems (IDS/IPS), etc. However, the majority of Americans don’t heed those same precautions, and the majority operate unencrypted mobile devices on your firm’s network.

What Does Unencrypted Mean?

Data encryption on mobile devices is a technique of securing sensitive information by skewing the info through a specialized mobile application. Encryption software makes the data and information stored therein unintelligible gibberish to any device that doesn’t have the right “key” or code to unlock the encryption. This process affords a significantly higher level of security than an unencrypted mobile device, which transmits information through unencrypted channels.

In a nutshell, an unencrypted mobile device is one that is discoverable by users who wish to exploit it. Hackers who may be nearby can use different programs, such as Wireshark or Kismet, to intercept your unencrypted data or access your unencrypted communications (such as email). Or, if you accidentally leave your device in a cafe or somewhere else, a malicious user has easy access to any of your files and data without device encryption.

Millions of mobile apps use the insecure HTTP protocol, which leaves your device vulnerable. Although TrendMicro reports that 63% of Android developers have switched to using the more secure HTTPS encrypted protocol, “almost 90 percent of the said apps still use HTTP in some systems.”

The Dangers of Unencrypted Mobile Devices and Data

Simply put, the importance of mobile security should not be underrated. Using an unencrypted mobile device leaves the safety and security of the information it handles at risk. This means that if you or any of your employees use a mobile device that belongs to the firm — or they use a personal device to connect to your advisor firm’s network — protections, policies, and procedures need to be in place to mitigate any mobile security threats that could result. If you turn off encryption, you are leaving your communications, data, network, and firm’s reputation as a whole at risk.

These cyber threats are growing at a record-setting rate. Research from IBM and the Ponemon Institute shows that in 2017, the global average cost of a single data breach totaled more than $3.6 million, with each lost or stolen record having an average price tag of $141.

As a registered investment advisor, you also are responsible for being compliant with regulatory requirements. You are responsible for the safety and security of the client and employee data you are entrusted with protecting. If clients learn that you are not doing everything within your power, that will impact their trust in you — which will affect the public image of your firm and its bottom line.

Any information that becomes stolen by malicious users as a result of you or an employee using an unencrypted mobile device may be used for financial fraud, identity fraud, or may be sold on the Dark Web for other users to exploit.  

Establish Bring Your Own Device & Acceptable Use Policies

It is essential for every business, particularly an investment advisor firm, to establish bring your own device (BYOD), computer use and acceptable use policies (AUP) for their organizations — particularly those that have industry-related cybersecurity requirements. This helps to ensure that any device that connects to your network abides by your cybersecurity requirements and standards.

Even the U.S. Securities and Exchange Commission (SEC) recommends that registered investment advisor firms take several steps to implement cybersecurity-related procedures and policies:

  • Maintain a complete inventory of data, vendors, and related information.
  • Document clear cybersecurity-related instructions, such as access rights, penetration tests, reporting, and security monitoring and system audits.
  • Require mandatory employee training (both for existing and new employees).
  • Ensure senior management is engaged and have approved the policies and procedures.
  • Immediate access removal of terminated employees.
  • Maintain a regular schedule of testing for data integrity and vulnerabilities.
  • Establish and enforce controls for who can access the firm’s data and systems, such as “acceptable use” policies, enforced and required access restrictions on mobile devices (including the use of encryption software).
  • Enforce a requirement that third-party vendors must provide network activity logs.

Additional Best Practices for Computer and Mobile Security

The Journal of Financial Planning’s Practice Management Blog provides five tips to proactively protect your firm’s and clients’ data while using the web. These recommendations are also applicable to mobile security best practices as well:

  1. Train staff to be vigilant;
  2. Practice safe web usage behavior;
  3. Be aware of ransomware;
  4. Avoid free software downloads and file-sharing utilities (only download trusted apps from trusted sources); and
  5. Heed warnings and notifications.

Require the Use of Encryption Software on Mobile Devices

Probably one of the best and most significant steps your firm can take to address the issue of unencrypted mobile devices is to enforce a mandate that every mobile device that connects to the network uses a trusted mobile encryption app. No matter whether it is an RIA firm-owned mobile device or an employee’s personal mobile device, it must be encrypted and secured as much as possible before being allowed to connect to your network.

Other recommendations that make a difference in firm data security is requiring the use of virtual private network (VPN) apps for people to connect remotely as well as the use of two factor authentication/dual factor authentication (2FA/DFA) apps for mobile devices.  

The importance of mobile security in today’s digital and connected environment deems it necessary for RIAs to mandate the use of data encryption on mobile devices. Evaluate the security of your existing cyber defenses by grading them with our Cybersecurity Report Card, which you can download by clicking on the link below.

Does your firm emphasize the importance of mobile security by requiring data encryption on mobile devices? Share your thoughts on the topic of unencrypted mobile devices in the comments section below or send me an email to discuss the matter more in depth.

New Call-to-action


Craig Pollack

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.