In light of the increasing number of cyber attacks and data breaches in today’s technology-driven world, it is a good idea to always be mindful of protecting your own personal information when communicating via email or accessing financial websites. To this end, we have assembled the following list of tips for consideration to help minimize your risk of data theft or attack:
1. Never provide personal information, such as social security numbers, dates of birth, account statements, or tax returns, via unencrypted email. Much of the email sent in today’s world is still transferred over unencrypted channels. Each email that you send makes a journey between many email servers as it traverses the Internet to reach its destination inbox. It happens instantaneously, so we do not always think of it, but every server that touches your email is a potential for a breach, as are the connections between those servers. You have no way of ensuring that those servers and connections are secure along the entire journey, so it is always recommended that sensitive personal information be sent via a secure method. At Willow Creek, we use an industry standard encryption method from a provider called Citrix ShareFile. When we send documents to you that contain sensitive information, we will send them using this service. We also offer the ability for you to send documents to us via this service at any time by navigating to secure.willowcreekwealth.com in your web browser. If you ever have any questions about how to securely provide us with documents, please be sure to ask before sending them in an unencrypted manner.
2. Never provide personal information using an unsecure/unencrypted website. Modern web browsers, such as Internet Explorer, Google Chrome, Apple Safari, and Mozilla FireFox, have built-in methods for indicating whether or not a website is secure and your connection to the site is encrypted. In general, you can look at the web address bar at the top of your browser window and you will see an illuminated lock or even the words, “Secure”. If you do not see something similar to this when accessing a financial website or entering personal data, do not continue. An encrypted connection is essential to safeguarding personal information that is sent through the web.
3. Never access or send personal information when using a “public/free/open” wireless network. Many places offer free wifi, which is great for jumping online to check browse your social media sites, but when it comes to accessing financial information or providing personal data, be cautious. If a wireless connection that you are using is unencrypted, it is possible for anyone else that is connected to that network to obtain electronic copies of the data that you are sending. This is increasingly possible with email, which in many cases is sent unencrypted by default. Consider shared airport wifi, coffee shops, etc.; anyone on that network may be capturing what you are doing. You should also be careful when using a laptop computer without its own software firewall (many of which are disabled) on public networks, as a hacker could potentially infiltrate your computer directly and access your personal files in seconds. This is generally less of an issue with modern smartphones and tablets (but can still be an issue for laptops).
4. Purchase a home router/firewall – and keep it up-to-date. In some cases, where only one computer is connected to the Internet, you may not have a very important box installed to both enable you to share your Internet connection within your home on a secured wireless network or to protect you with a firewall. A hardware-based firewall within a router is essential nowadays in order to protect the computers within your home from attack from the outside. These small boxes are sometimes leased from your Internet Service Provider or purchased separately and cost anywhere from $40-$80. There is some initial hassle of setting them up, but once configured they do a good job of providing a base level of protection from hackers attempting to access your computers. We often say, “why would a hacker want to purposefully target me?” There may not be any reason at all, but hacking software is sophisticated and can attempt to hack tens of thousands of computers per day without the hacker themselves doing anything at all, just utilizing the processing power of their computer. You may not be targeted individually, but as a user of the Internet, you are always being targeted by default.
However, just having a router/firewall is not always enough. It is important to check for what are called “firmware updates” for these devices every few months, or so, and ensure that they are applied. This can be very simple to a little tricky, depending on the brand and model of the router. These firmware updates include important security fixes that, left unpatched, could allow a hacker to gain entry to your network and computers.
5. Use strong passwords for everything. You have heard this one before, but it’s worth mentioning again. Strong passwords can mean the difference between your personal information being hacked in 10 seconds versus 100 years by a computer using what is called a “brute force” attack—basically attempting to guess your password as fast as it can, which is pretty fast. Below are some general guidelines for choosing passwords:
a. Use a minimum password length of 8 characters.
b. Include lowercase and uppercase alphabetic characters, numbers and symbols.
c. Generate passwords randomly where feasible.
d. Do not use names, places, or words in the dictionary—again, random is preferred.
e. Avoid using the same password twice.
f. Avoid using information that is, or might become, publicly associated with you (such as your dog’s name).
If you’re going to use strong, unique passwords, then you need a way to remember them. We recommend that you select one of the many high quality password retention tools on the market today. If you have a smartphone with a fingerprint reader, you can download any one of a number of apps within which you can store your passwords and protect them with your fingerprint for easy and fast access. Be prepared to pay a little bit of money for the high quality apps, but they are generally worth it.
In recent months, we have seen a spike in socially engineered fraud attempts. In these cases, a hacker gains access to a client email account lacking a strong password and/or two factor authentication and monitors the email exchanges between the client and their advisor/banker/etc. After spending some time learning the tone, terminology, etc., the hacker composes an email from the client’s email address requesting a transfer of funds to a new destination, but accurately mimicking a legitimate email in all ways. In order to combat this, we have a number of verification steps in place, but this type of fraud has become strikingly common and stems back to poor passwords and security protocols by the end-user.
Finally, do not use the default password for anything. With home automation, home routers, etc., many of these appliances have a standard default password that is printed in their user manual so that you can configure them the first time. This password is publicly known. Ensure that these default passwords are always changed so that they are not an easy target for compromise.
6. Use a virus scanner on your computers. Most computers do not come preloaded with a quality virus scanner, but having such software in place is necessary (along with a firewall) to protect you against malware and other software-based attacks against your personal information. There are a few large players in this industry, such as McAfee and Trend Micro. All of the large providers tend to offer very effective software. The most important part is that you have such software installed and that you have a current subscription to the service. Again, be prepared to spend a little money for this protection as it is subscription based since the software will need to maintain its database of known threats in order to protect you against them.
7. Use common sense and be ever vigilant. Generally, if something seems not quite right, exercise caution. Whether that is an email asking for information, a website that doesn’t look right, or a file that came from a sketchy source, err on the side of caution. In some cases, cyber attacks strike without us knowing about them ahead of time, but in many cases, data compromise could have been prevented with careful Internet usage habits, especially with personal data.
8. We protect your data with industry standard controls and encryption. We take data security seriously and we adhere to all of the above suggestions that we recommend for you to consider at a personal level, but with enterprise level controls around each area. We ensure that all client data transacted across the Internet is encrypted at or above industry level standards. We also enforce strict physical security controls around servers and paper documentation, and we have high strength hardware firewalls in place to create strong barriers around your data. Our team also participates in on-going cyber security and fraud training in order to ensure that we are best equipped to protect your information. Finally, we have a robust and secure disaster recovery plan in place should a natural disaster or other disruption of services occur.
Should you have any questions about how you can protect yourself against cyber crime, hacking, or data loss, or if you have any questions about how Willow Creek ensures that your data is secure, please feel free to contact us.