A Broker’s Guide to Cybersecurity: Part 2
Now that we’ve acknowledged that yes, your brokerage is a potential target for hackers, let’s start with setting some ground rules for cybersecurity. While these rules aren’t very sexy, they are absolutely essential to protecting your brokerage.
Establish an Acceptable Use Policy (AUP)
First, each employee and agent using your network should be required to sign an acceptable use policy (AUP).
The acceptable use policy should outline what types of activities are permitted and not permitted on the corporate network. It should be comprehensive and written in language that can be understood by the layperson. Included in your AUP should be a section on password security. I know some folks think passwords are painful, but they don’t have to be. Changing passwords regularly is one of the simplest ways to protect your network (that’s why your bank makes you do it). The AUP should be part of your communication plan about cybersecurity and is proof you’re serious about protecting your staff, agents, and customer data.
Vendors and Non-Disclosure Agreements (NDA)
Second, let’s talk about your vendors. For the purpose of this article I’ll focus on IT vendors, though you could apply this info to any vendor with whom you share confidential data. For smaller brokerages it’s not uncommon to have a third-party vendor manage your IT infrastructure. Even in larger brokerages, with a dedicated staff, there are projects where you may engage a third party. Do you make these vendors sign a non-disclosure agreement (NDA)? In order for them to do their job properly, in many cases you do need to disclose confidential data. And even if you don’t disclose confidential data, they know the make-up of your technology environment. They know what technologies you use, what security practices you have in place, etc. Also, think about their staff. Without an NDA, you have no say in what info they disclose if they decide to leave. Having an NDA is a simple way to keep your information private.
Privacy Screens on Visible Monitors
Third, think about your reception area or front desk computers. Do you have privacy screens on the monitors being used in this area? If not, you definitely should. This is a busy part of your office, and the staff working the front desk will occasionally be looking at confidential data—an offer sheet, corporate communication, email, etc. There is no need for a visitor or non-employee to be glancing at the display and reading the information. Social engineering—where hackers can literally read information over your shoulder and reverse engineer access to all of your personal information—is one of the most common methods used to obtain confidential information. A missing or distracted front desk person is an easy opportunity to glean this information.
Segment Your WiFi Network
Fourth, when it comes to your WiFi network you should consider segmentation. At a minimum, you should have separate corporate and guest networks (not only separate SSIDs but actual separate subnets).
Sorry for the “geek speak”. Let me explain.
The SSID is the name of the WiFi network, and the subnet is the address range of the network itself. Your corporate network should be protected and restricted to only those employees/agents who have signed the AUP. Any non-employee, customer or agent should use the guest WiFi. This helps isolate traffic and limits access to the confidential data on the corporate network.
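As an added illustration (not part of the original post), here is a small Python check of the two designs just described: two SSIDs that drop everyone onto one subnet, versus two real subnets with a deny rule between them. The SSIDs, address ranges and the (src, dst, action) rule format are all constructed for this example, not taken from any particular router.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")  # shorthand for "everything", including the internet
INTERNET_HOST = ipaddress.ip_address("203.0.113.5")  # constructed public address standing in for "the internet"


@dataclass(frozen=True)
class Wlan:
    ssid: str                        # the WiFi network's name
    subnet: ipaddress.IPv4Network    # the address range its clients are placed on


def is_allowed(src, dst, rules):
    """First-match evaluation of (src_net, dst_net, action) rules; no match means deny."""
    for src_net, dst_net, action in rules:
        if src in src_net and dst in dst_net:
            return action == "allow"
    return False


def segmentation_findings(corp, guest, rules):
    """Return the problems with a corporate/guest WiFi design; an empty list means it passes."""
    findings = []
    if corp.ssid == guest.ssid:
        findings.append("corporate and guest share one SSID")
    if corp.subnet.overlaps(guest.subnet):
        findings.append("corporate and guest share an address range, so the split is in name only")
    # Probe the policy with one host from each side: a guest client must not reach corporate hosts.
    guest_host = next(guest.subnet.hosts())
    corp_host = next(corp.subnet.hosts())
    if is_allowed(guest_host, corp_host, rules):
        findings.append("policy lets guest clients reach the corporate subnet")
    return findings


# Constructed "before": two SSIDs, but both put clients on the same subnet with an allow-all policy.
WEAK_CORP = Wlan("Office", ipaddress.ip_network("192.168.1.0/24"))
WEAK_GUEST = Wlan("Office-Guest", ipaddress.ip_network("192.168.1.0/24"))
WEAK_RULES = [(ANY, ANY, "allow")]

# Constructed "after": separate subnets, and the router denies guest -> corporate
# before letting either network out to the internet.
GOOD_CORP = Wlan("Office", ipaddress.ip_network("10.10.0.0/24"))
GOOD_GUEST = Wlan("Office-Guest", ipaddress.ip_network("10.20.0.0/24"))
GOOD_RULES = [
    (GOOD_GUEST.subnet, GOOD_CORP.subnet, "deny"),
    (GOOD_GUEST.subnet, ANY, "allow"),
    (GOOD_CORP.subnet, ANY, "allow"),
]
```

Running `segmentation_findings` on the "before" design reports both the shared address range and the open policy; the "after" design reports nothing, while guest clients can still reach the internet.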
And we haven’t even touched on your IT yet...
I’ve got a few more very important tips on protecting your brokerage from cyber-attacks. These tips are a great place to get started, and will help you ensure cybersecurity from the ground up. Stay tuned to the blog and/or next month’s newsletter for the final edition of my cybersecurity series: the dreaded IT closet...