Blog

  • Next steps to protect your RIA from the Meltdown and Spectre threats

    Computer researchers have recently found out that the main chip in most modern computers—the CPU—has a hardware bug. It’s actually a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on your network, including your workstation and all our servers.

    This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. However, this hardware bug breaks that isolation.

    So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.

    The specifics on Meltdown and Spectre

    Meltdown and Spectre are two separate threats that exploit this hardware bug. Meltdown breaks the very important isolation that you want between the applications you run and the operating system. This lets an ordinary program read memory, and the important data in it, that belongs to your operating system.

    Spectre works somewhat differently and instead breaks down the isolation that exists between different applications. An attacker can essentially access the confidential data inside another program.

    Both Meltdown and Spectre can attack PCs, mobile devices, and cloud servers, so very little is immune from these attacks. It’s unlikely that you’ll find any indication of either on your system, because neither leaves any traces in log files and traditional antivirus software will have a hard time identifying them.

    So, what should you be doing about this?

    You should be aware that you may have to replace some mission-critical computers to fix this. It’s also important that you and your staff be extra vigilant and keep security top of mind. Think Before You Click.

    However, one of the biggest steps will be to work with the patches and workarounds available to help protect you. You’ll need to update and patch all machines on the network. This is going to take some time, and some of the patches are not even available yet.
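    One way to confirm that a patched Linux host actually has the mitigations active, as an added example that is not part of the original post: the kernel publishes one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (for example "meltdown", "spectre_v1", "spectre_v2"), and each file starts with "Not affected", "Vulnerable" or "Mitigation: <name>". The script below classifies each file and lists what still needs attention. The sample file contents are constructed for an offline run; on a real host the script reads the live files instead.

```python
"""Report Meltdown/Spectre mitigation status from the Linux sysfs interface.

Added example (not from the original post). The sysfs directory is a real
kernel interface; SAMPLE_UNPATCHED and SAMPLE_PATCHED are constructed stand-ins
for what the files might contain before and after patching.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample contents (illustrative, not captured from a real machine).
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable\n",
}
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Retpolines\n",
    "l1tf": "Not affected\n",
}


def classify(status_line: str) -> str:
    """Map one sysfs status line to: mitigated, vulnerable, not_affected or unknown."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):          # also covers "Vulnerable: <detail>" variants
        return "vulnerable"
    return "unknown"                           # e.g. "Unknown: Dependent on hypervisor status"


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read every status file under the sysfs directory; empty dict if it does not exist."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in sorted(directory.iterdir()) if p.is_file()}


def assess(statuses: dict) -> dict:
    """Summarize which issues are handled and which still need patching on this host."""
    by_issue = {name: classify(line) for name, line in statuses.items()}
    # Anything still vulnerable, or in a state we cannot interpret, needs a human look.
    needs_action = sorted(n for n, c in by_issue.items() if c in ("vulnerable", "unknown"))
    return {"by_issue": by_issue, "needs_action": needs_action, "ok": not needs_action}


if __name__ == "__main__":
    live = read_sysfs()
    source = "live sysfs" if live else "constructed sample"
    report = assess(live or SAMPLE_UNPATCHED)
    print(f"[{source}]")
    for name, state in report["by_issue"].items():
        print(f"  {name:12s} {state}")
    print("OK" if report["ok"] else "needs patching: " + ", ".join(report["needs_action"]))
```

    Run it on each Linux workstation or server after the patch cycle; a host that still reports "Vulnerable" has either not rebooted into the new kernel or is missing the microcode or kernel update the mitigation depends on.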

    What are patches?

    Patching is basically fixing system vulnerabilities that are discovered after the software is released. Patches can apply to an operating system, a server, desktops, or any of the applications you use every day. Patches like those for your operating system often require a reboot after they are downloaded and installed to activate the changes. The number of patches your system or network requires every year can be overwhelming, which is why you want to be sure they are scheduled as frequently as possible. Often, patches fix the problems they’re designed to correct but unintentionally cause problems with something else. Because this is common, it’s important that whoever manages the patch deployment for your business knows what to look for and how to correct it.

    At InhouseCIO, we keep clients’ systems up to date, which includes the latest patches. In fact, it’s what we consider a “critical function” of the support we provide. We’ve developed our own best practices to manage the risks associated with the approval and deployment of patches, which include our engineers assessing and testing every patch before deploying it on a system.

    If you have any questions about Meltdown, Spectre, or patch management in general, please contact us for more information.

  • Watch out for the huge KRACK in WiFi Security!

    A fundamental flaw with WiFi networks has recently been discovered by two security researchers. According to their reports, the KRACK vulnerability renders advanced encryption protocols useless and affects nearly every wireless device. Read on to find out more about KRACK hacks and how you can defend against them.

    What is KRACK?
    Simply put, KRACK, short for ‘key reinstallation attack,’ allows hackers to bypass WPA2 — the security protocol used by routers and devices to encrypt WiFi activity — and intercept sensitive data passing between a mobile device and the wireless router, including login details, credit card numbers, private emails, and photos.

    In extreme cases, KRACKed devices can be remotely controlled. For example, hackers can log in to your surveillance systems and shut them down.

    What’s worse, Internet of Things devices — like smart thermostats and IP cameras — rarely receive security fixes, and even when fixes are available, applying them is difficult, as these devices tend to have complex user interfaces.

    The good news, however, is you can do several things to mitigate the risks.

    Download patches immediately
    According to recent reports, security patches have already been released for major platforms, including iOS, Windows, and Android. Router manufacturers such as Ubiquiti, MikroTik, Meraki, and Fortinet have also issued firmware updates, so make sure to install them as soon as possible.

    Although IoT patches are rare, consider getting your smart devices from reputable vendors that push out updates regularly. It’s also a good idea to contact a managed services provider to install the updates for you.

    Use Ethernet connections
    Some wireless routers don’t yet have a security patch, so while you’re waiting, use an Ethernet cable and disable your router’s wireless setting. Turn off the WiFi on your devices as well to make sure you’re not connecting to networks susceptible to KRACK.

    Stay off public networks
    Free public WiFi networks — even ones that are password-protected — in your local cafe should also be avoided because they usually don’t have holistic security measures in place, making them easy targets for cybercriminals.

    Connect to HTTPS websites
    If you do need to connect to a public WiFi hotspot, visit websites that start with “HTTPS,” and stay away from ones that are prefaced with “HTTP.” This is because HTTPS websites encrypt all traffic between your browser and the website, regardless of whether the WiFi connection is vulnerable to KRACK.

    Hop on a Virtual Private Network (VPN)
    You can also use a VPN service to protect all of your network activity. Simply put, a VPN encrypts everything between your device and the VPN provider, so an attacker on the local WiFi sees only encrypted data and what you’re transmitting is safe from prying eyes.

    Although the potential impact of a KRACK hack is devastating, security awareness and top-notch support are the best ways to stay safe online. Want more security tips? Contact us today.

  • Equifax’s Leak: lessons learned

    No RIA wants their clients’ data leaked, but no matter how good your prevention plan is, the unexpected can happen. And when it does, what will determine the fate of your business is how well you respond to it. So before you start planning an incident response, read the following story and recite this: Don’t walk in the footsteps of Equifax.

    What happened to Equifax?

    Equifax, the huge American credit agency, announced in September 2017 that its database had been hacked, resulting in a leak of tons of consumers’ private data, including personally identifiable information of around 143 million US citizens. It included names, Social Security numbers, addresses, birthdates, and credit card and driver’s license numbers.

    Equifax responded by setting up a new site, www.equifaxsecurity2017.com, to help its customers determine whether they had been affected and to provide more information about the incident.

    Soon after, Equifax’s official Twitter account tweeted a link that directed customers to www.securityequifax2017.com, which is actually a fake site.

    Fortunately for Equifax’s customers, the fake phishing site was set up by a software engineer who wanted to use it for educational purposes and to expose flaws in Equifax’s incident response practice. So no further harm was done to the already-affected customers, and Equifax was left with even more embarrassment.

    So what did Equifax do wrong?

    Why does this matter? You first need to know that since the invention of phishing scams, phishers have been creating fake versions of big companies’ websites. That’s why so many major corporations buy domains that are common misspellings of their real domains.

    You should also know that phishers can’t create a web page on the company’s main domain, so if Equifax’s new site had been hosted there, customers could easily have told that the page was legitimate and would not have been fooled by a lookalike domain name.

    What’s obvious from this embarrassing misstep is that Equifax had never planned for a data leak. And this is an unforgivable oversight by a company that handles the information of over 800 million consumers and more than 88 million businesses worldwide.

    Don’t repeat Equifax’s mistake

    Whether your business is a small startup or as big as Equifax, it needs to prepare for a data breach. Besides having a comprehensive network defense plan, you also need to have the right incident response plan in place.

    So what you should do after you’ve discovered the leak is, first of all, be upfront with your customers and notify them as soon as possible.

    You also need to establish a message that includes the following information:

    • How the leak occurred
    • How the leak could affect your customers
    • How you will prevent future attacks
    • What your company will do to support affected customers

    You should also create a web page to keep your customers up to date. But remember, the new web page should be under your company’s primary domain name.
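    The rule in this paragraph and the earlier one (phishers can’t host under your main domain, so every link you publish should be under it) can be turned into a pre-send check on the notification itself. The following is an added example and not part of the original post: the firm domain example-ria.com and the draft notice are constructed, while the two Equifax hostnames are the ones quoted above. Note that both of them fail a check against equifax.com, which is exactly the problem the post describes.

```python
"""Check that every link in an outgoing notice points at the company's own domain.

Added example (not from the original post). PRIMARY_DOMAIN and DRAFT_NOTICE are
constructed; the Equifax hostnames used in the usage section are quoted from the
post. Matching is done on the hostname at a dot boundary, so real subdomains pass
and lookalikes (reordered words, extra words, other TLDs) are flagged.
"""
import re
from urllib.parse import urlparse

PRIMARY_DOMAIN = "example-ria.com"   # constructed: the firm's real registered domain

# Picks up http(s) links and bare "www." links; trailing punctuation is tolerated
# because urlparse only cares about the host part.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')]+", re.IGNORECASE)


def normalize_host(url: str) -> str:
    """Return the lowercase hostname of a URL, accepting a bare 'www.' link too."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def is_first_party(host: str, primary: str = PRIMARY_DOMAIN) -> bool:
    """True only if host is the primary domain itself or a subdomain of it.

    The '.' prefix in the endswith check is what stops 'notexample-ria.com'
    and 'example-ria.com.evil.example' from passing.
    """
    primary = primary.lower()
    return host == primary or host.endswith("." + primary)


def audit_links(text: str, primary: str = PRIMARY_DOMAIN) -> dict:
    """Split the links in a message into first-party and foreign hosts."""
    first, foreign = [], []
    for url in URL_RE.findall(text):
        host = normalize_host(url)
        (first if is_first_party(host, primary) else foreign).append(host)
    return {"first_party": first, "foreign": foreign, "safe_to_send": not foreign}


# Constructed draft breach notification with one link on a lookalike domain.
DRAFT_NOTICE = """We are investigating an incident. Details and a lookup tool are at
https://security.example-ria.com/incident and our FAQ at www.example-ria.com/faq.
Do not use https://example-ria-security2017.com/, which is not ours."""


if __name__ == "__main__":
    result = audit_links(DRAFT_NOTICE)
    print("first-party:", result["first_party"])
    print("foreign:    ", result["foreign"])
    print("safe to send" if result["safe_to_send"] else "HOLD: foreign link present")

    # The two hostnames from the Equifax story, checked against equifax.com:
    # the genuine site and the fake both live outside the primary domain.
    for host in ("www.equifaxsecurity2017.com", "www.securityequifax2017.com"):
        print(f"{host}: {'first-party' if is_first_party(host, 'equifax.com') else 'NOT under equifax.com'}")
```

    Wire audit_links into whatever step approves customer-facing messages (the incident web page, emails, and social media posts), and have it hold anything with a non-empty "foreign" list for a human decision.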

    As we’ve seen from Equifax, a robust incident response plan is a must. Feel free to talk to our experts about how to put an effective one together — so you won’t have to repeat Equifax’s apologetic statement, since an apology after the fact does nothing to redeem a company’s damaged reputation.

  • Workplace Analytics a good tool for RIAs to measure productivity

    Microsoft’s MyAnalytics was designed for employees to monitor their individual performance, but an updated version, Workplace Analytics, is a significant upgrade that gives managers access to the information. It not only provides managers with insight into an individual employee’s performance, but it also helps them plan and create strategies around increasing productivity and improving employee output and engagement.

    How it works

    Now available as an add-on to Office 365 enterprise plans, Workplace Analytics extracts behavioral insights from data gathered from Office 365 email, calendar, documents, and Skype. This means that any data an employee types into their email and calendar — whether it’s on the subject line or the main content itself — can be used to indicate their productivity status.

    The program has an overview dashboard that provides specific information:

    • Week in the Life provides an overall view of how the entire firm spends time and how employees collaborate
    • Meetings shows the amount of time spent in meetings
    • Management and Coaching gauges staff-manager one-on-one meetings
    • Network and Collaboration takes a look at how employees connect to colleagues

    What does it aim to do?

    Workplace Analytics aims to address, according to Microsoft, businesses’ most common challenges: complexity, productivity, and engagement.

    Using analytics data, managers and human resources departments can form productivity strategies for your entire RIA firm. If, based on Workplace Analytics data, a majority of your employees are spending 60% of their time attending meetings and not enough time doing creative work, they can come up with a strategy that reduces meeting time and focuses more on productive tasks.

    It also identifies how employees collaborate with internal and external parties. Suppose one of your staff frequently communicates with certain contacts. By using Workplace Analytics data, the employee’s manager would be able to determine whether this particular collaboration pattern is helping the employee hit targets or whether he or she is missing out on other more critical contacts. Also, based on this info, managers would be able to determine which employees are most likely to meet or exceed their targets and set firm standards accordingly.

    Data gathered by Workplace Analytics also allows managers to determine an employee’s level of engagement (i.e., whether the organization’s collaboration patterns are good for the company) and whether workloads are fairly distributed among workers and/or departments.

    Is it useful for small and mid-sized RIAs?

    Large corporations have been using Workplace Analytics, but small and mid-sized RIAs can also benefit from it. For one, the insights are all based on data generated by employees themselves — how much time they spend in meetings, whom they frequently communicate with, and how much time they spend on productive tasks.

    Aside from letting managers examine their staff’s working behavior, Workplace Analytics also provides an overall look into what happens at an organizational level. If you want your organization to harness the capabilities of Workplace Analytics and other Office 365 tools, contact us today.

  • Keep the cloud affordable for your RIA with these tips

    Despite the cloud being a powerful and affordable solution that many RIAs welcome with open arms, there are hidden costs that some owners might not be aware of. It might cost you little at first, but it has the potential to snowball and cost more than your weight in gold. Follow these five tips to keep the cloud from breaking the bank:

    No standalones

    Cloud services come in various shapes and sizes, many of which are standalones that can contribute to rising costs. Opt for a service provider that offers a suite of products that all work together. They are often less expensive than a group of standalone products. Another benefit of working with a provider is that you receive a single point of contact to resolve your issues quickly and effectively.

    Experience matters

    If you have to integrate a standalone cloud service into your system, make sure you hire an experienced integration consultant for the job since they will be able to finish the job quicker, thus making it cheaper. Integration mishaps can cause serious downtime which drains a lot of money.

    Backups are important

    Performing endless backups will definitely waste cloud storage space. That’s why it’s important to examine your cloud storage data by asking the following questions:

    • How many versions of this data do you need to store for the long-term? The more versions you store, the more it costs.
    • What regulatory demands do you need to meet? Some data may need to be accessible for up to three years, whereas other data can be deleted after 30 days.
    • How quickly do you need to access your backup? If you can wait for a day or two, archive that data to a less expensive service or offline at your provider’s data center.

    Remove users

    Many cloud service providers charge by the number of users in your system. By neglecting to manage the list of users, you could end up paying for people who no longer work for you. Implement processes that remove users when they are terminated and consider scheduling a regular audit. Ideally, this should be once every six months to a year, to ensure that your cloud user list is up-to-date.

    Monitor proactively

    Ask your cloud provider whether they can proactively monitor your account to notify you of potential issues before they cause problems. This is especially important if you have a pay-as-you-go license that charges based on resource and storage usage.

    Utilizing the right technology resources is vital to your RIA’s success, and so is knowing how to prevent them from racking up a staggering monthly bill. If you wish to enjoy all the benefits cloud computing can provide your business at an affordable price, give us a call and we’ll be happy to help.

  • 12 questions RIAs should ask before moving to the cloud

    Q1: How many RIA firms have you provided cloud services for to date and can you provide references?

    Our Answer: You don’t want someone practicing on your network. At a minimum, make sure they have at least 5 years of experience and clients already using this cloud platform.

    Q2: How quickly do you guarantee to have a technician working on an outage or other problem?

    Our Answer: Anyone you pay to support your network should give you a written SLA (service level agreement) that outlines exactly how IT issues get resolved and in what time frame. I would also request that they reveal what their average resolution time has been with current clients.

    They should also answer their phones live from 8:00 a.m. to 5:00 p.m. and provide you with an emergency after-hours number you may call if a problem arises, including weekends.

    If you cannot access your network because the Internet is down or due to some other problem, you can’t be waiting around for hours for someone to call you back OR (more importantly) start working on resolving the issue. Make sure you get this in writing; often cheaper or less experienced consultants won’t have this or will try and convince you it’s not important or that they can’t do this. Don’t buy that excuse! They are in the business of providing IT support so they should have some guarantees or standards around this that they share with you.

    Q3: What’s your plan for transitioning our network to the cloud to minimize problems and downtime?

    Our Answer: We run a simultaneous cloud environment during the transition and don’t “turn off” the old network until everyone is 100% confident that everything has been transitioned and is working effortlessly. You don’t want someone to switch overnight without setting up a test environment first.

    Q4: Do you provide a no-risk trial of our network in the cloud to test the proof of concept BEFORE we commit to a long-term contract?

    Our Answer: We provide all of our clients a free 30-day cloud “test drive” using your servers, applications and data so you can see, firsthand, what it will be like for you and your staff to move your servers to the cloud. While this isn’t a full migration, it will give you a true feel for what cloud computing will be like BEFORE you commit to a long-term contract. There is no charge for this and no obligation to buy anything. At the end of the 30 days, you’ll know whether or not this is a right fit for you, or if you would prefer to keep your current on-site network.

    Q5: Do you take the time to explain what you are doing and answer our questions in terms that we can understand (not geek speak), or do you come across as arrogant and make us feel stupid for asking simple questions?

    Our Answer: Our technicians are trained to have the “heart of a teacher” and will take time to answer your questions and explain everything in simple terms. Our client feedback is important and we do ask our clients to take a survey at the end of every ticket resolution.

    Q6: How will our data be secured and backed up?

    Our Answer: If they tell you that your data will be stored in their own co-lo in the back of their office, what happens if THEY get destroyed by a fire, flood or other disaster? What are they doing to secure the office and access? Are they backing it up somewhere else? Make sure they are SAS 70–certified and have a failover plan in place to ensure continuous service in the event that their location goes down. If they are building on another platform, you still want to find out where your data is and how it’s being backed up.

    Q7: Do you have adequate errors and omissions insurance as well as workers’ compensation insurance to protect US?

    Our Answer: Here’s something to consider: if THEY cause a problem with your network that causes you to be down for hours or days or to lose data, who’s responsible? Here’s another question to consider: if one of their technicians gets hurt at your office, who’s paying? In this litigious society we live in, you had better make darn sure that whoever you hire is adequately insured with both errors and omissions insurance AND workers’ compensation – and don’t be shy about asking to see their latest insurance policies!

    Q8: Is it standard procedure for you to provide us with written network documentation detailing what software licenses we own, our critical passwords, user information, hardware inventory, etc., or are you the only person with the “keys to the kingdom”?

    Our Answer: All clients receive this at no additional cost. We also perform an update 1 to 2 times a year on this material and make sure certain key people from your organization have this information and know how to use it, giving you complete control over your network.

    Side note: You should NEVER allow an IT person to have that much control over you and your company. If you get the sneaking suspicion that your current IT person is keeping this under their control as a means of job security, get rid of them (and we can help to make sure you don’t suffer ANY ill effects). This is downright unethical and dangerous to your organization, so don’t tolerate it!

    Q9: Do you have other technicians on staff who are familiar with our network in case our regular technician goes on vacation or gets sick?

    Our Answer: Yes; and since we keep detailed network documentation (basically a blueprint of your computer network) and updates on every client’s account, any of our technicians can pick up where another left off.

    Q10: Do you INSIST on doing periodic test restores of our backups to make sure the data is not corrupt and could be restored in the event of a disaster?

    Our Answer: We perform a quarterly “fire drill” and perform a test restore from backup for our clients to make sure their data CAN be recovered in the event of an emergency. If there’s a problem, we notify our clients immediately and start working to resolve it the same day. After all, the WORST time to “test” a backup is when you desperately need it.

    Q11: Do your technicians maintain current vendor certifications and participate in ongoing training – or are they learning on our dime?

    Our Answer: Our technicians are required to keep the most up-to-date vendor certifications in all the software we support. Plus, our hiring process is so stringent that over 90% of the technicians who apply don’t make it through. (Guess who’s hiring them?)

    Q12: Are you familiar with (and can you support) our unique RIA firm applications?

    Our Answer: We own the problems with all line-of-business applications for our clients. That doesn’t mean we can fix faulty software – but we WILL be the liaison between you and your vendor to resolve problems you are having and make sure these applications work smoothly for you instead of pointing fingers and putting you in the middle.

  • Stay on top of the social media policies for your RIA firm

    With more and more social media platforms popping up all the time, it can be tough to keep track of social media policies and assess their effectiveness. However, if you fail to review them annually, you might get some unexpected surprises if problems arise.

    SEC provides guidance on social media

    In January 2012, the SEC issued a risk alert about the use of social media by investment advisors. You can find the full document here, but their key takeaways were:

    Investment advisers that use or permit the use of social media by their representatives, solicitors and/or third parties should consider periodically evaluating the effectiveness of their compliance program as it relates to social media. Factors that might be considered include usage guidelines, content standards, sufficient monitoring, approval of content, training, etc. Particular attention should be paid to third party content (if permitted) and recordkeeping responsibilities.

    More recently, the SEC published Guidance on the Testimonial Rule and Social Media, where they answer some of the most common questions they get on the topic. The document is from 2014 and gives some good advice on how best to manage both of these for your RIA firm. The SEC also adopted amendments to Form ADV that require information on advisors’ social media accounts. In an article in InvestmentNews, the Investment Advisors Association recommends: “It will be even more critical that whatever information advisors are putting in their contracts, in their Form ADV, in their marketing materials are not inconsistent with what they’re saying on social media.”

    Avoid legal trouble
    Do you remember Chipotle’s social media debacle in 2015? It lost a lawsuit for firing an employee that posted negative content on social media because it turned out that Chipotle’s social media policy violated federal labor laws. That’s why you should work with your legal team to keep your policies up to date: so they comply with the Federal Trade Commission and the National Labor Relations Board.

    Protect company information
    Social media policies can actually help safeguard sensitive data from hackers and cyber attacks, especially in a bring-your-own-device (BYOD) working environment. Employees must know which proprietary company information must never be shared, as well as understand that confidential information — such as client information, non-public financials, and other sensitive information — is to be communicated only ‘internally.’ A good example is General Motors’ social media policy, which clearly spells out what can and can’t be disclosed to the public.

    Define which kinds of social media activities are and aren’t allowed
    Although posting offensive or insensitive material on a company-branded social media page is an obvious no-no, it still happens. For the people handling your company’s social media, what precautionary mechanisms are in place to avoid a public relations disaster? Are there rules for different platforms? Beyond that, however, is a lot of gray area when it comes to if and how employees will be held accountable for what they post on their personal profiles. When social media policies clearly outline how employees should behave online and the punishments that come with violating that agreement, you can deter rogue employee posts and avoid a viral fiasco.

    Effective social media policies need to be fluid and responsive to the fast-paced modern business environment. Taking the time out to perform yearly social media policy reviews will save your employees a lot of confusion while helping your company steer clear of potential PR and legal nightmares. If you have further questions, don’t hesitate to send us an email or give us a call!

  • How automation and technology help RIA firm marketing

    Marketing is often a difficult endeavor for small and mid-sized RIA firm owners. Marketing takes a great deal of time and effort, and can require significant financial investment. For a long time, marketing automation was something only enterprise-level businesses and corporations could afford, but with new technology, that’s no longer the case. Read more about five benefits of this new IT innovation.

    Instant responses to email requests

    If a client or prospect sends your business an email via your website or a “Contact Us” form, any delay in response could ultimately cost you a client. But if you have a marketing automation plan in place, you can customize automatic email responses to respond to these leads as soon as an email is received. This lets potential clients receive either the information they requested or know that you will be responding in more detail soon.

    Stop leaving voicemails and start closing deals

    There’s a reason most people prefer to communicate via email: Keeping in touch over phone can be tough if both parties are always busy. An automated system solves this by logging when you’ve contacted leads and automatically emailing them about follow-up times. The call, email, and its response are all logged in your CRM and calendar without a single minute wasted entering mundane information.

    Inbound lead assignment

    When you have phone calls, emails, and meetings piling up, it’s hard to keep track of which client goes where and who is working with them. With marketing automation software and tracking, your staff are automatically assigned to inbound leads based on specialties and demographics so they can begin building profitable rapport right away.

    Give and you shall receive

    Potential clients and leads get dozens, sometimes hundreds of business emails every day. You need something to set your business apart from the rest. By offering valuable content such as “How to” guides and “Best Practices” tools in exchange for contact information, you can provide prospects with content they actually want.

    All it takes is a web form and some creative writing that ultimately leads visitors back to your firm. Your automation software delivers content to anyone who provides contact information, and it downloads metrics that can be tracked and analyzed by your solution.

    Never type another phone number again

    Networking events mean new contacts and new leads. Although that used to mean thick stacks of business cards, cutting-edge marketing tools make it possible to take a picture of contact information and automatically convert it into a cloud database. Call-ins, scanned business cards, and received emails all get organized into a single digital rolodex with recommendations for whom to contact, and when is best to do so — without one minute of tedious data entry.

    Every business owner knows that automating mindless tasks is a worthwhile investment. But not everyone knows just what sort of tools are available to help you cut down on wasted work. Our team specializes in using technology to add value to your business, and we believe that if you’re not utilizing any of the solutions above — that’s the best place to start. Get in touch with us today to make your marketing technology work for you.