Our company is growing.
Last year at this time, we were, collectively, three humans and two plants. Today, we are five humans, four plants, and a dog, and are in search of two more humans (and maybe some cats).
And so I sat down last month with Jon Bicknell, our terrific financial planner, to help us set up a formal retirement plan for the team.
After a brief discussion, Jon suggested a SIMPLE IRA rather than a 401K. It’s less expensive, provides for employee matching, and makes sense for a company like ours with fewer than 100 people.
Perfect. I filled out lots and lots of forms and was given login information for the web site of the chosen financial institution.
Here’s where it got interesting…
My password had to be six to eight characters long. There was no option for multi-factor authentication (MFA).
Come again? Is this 2004?
I’d be somewhat concerned if my town’s Rec department web site had this lax level of security.
But I am hold-the-phone, through-the-roof concerned that a trillion-dollar financial institution that expects me to enter corporate checking information, employee social security numbers and birthdays, and more, is operating in this way.
Nevertheless, I thought about it and figured it’s probably okay. So, I went ahead and entered all of the confidential information as requested.
Just Kidding! This is a SECURITY newsletter and I run a cybersecurity company. Even the dog on staff would have objected (the plants would have probably been fine).
I called Jon. “Is this a non-starter?” he asked. “Yes,” I said.
And then, to Jon’s credit, he pointed me to a self-service SIMPLE IRA provider (I now have a ridiculously long password!) and he didn’t charge us anything. I felt terrible, but this was a huge red flag.
Security Never Sleeps
Unlike me, you probably don’t spend a large part of each day thinking about cybersecurity. Unfortunately, the bad guys do.
And so while I understand that you’ve got plenty of other things to focus on in running a business, it’s vital that you pay attention to the security practices of your vendors.
Here are three things to keep in mind as you do …
#1. Find the baseline.
Every company that you work with has an established level of security – intentionally or otherwise. Not all of them, of course, are critical to your operation. But, if they provide a service that involves anything more complicated than delivering paper towels to the breakroom, there’s a good chance they have some of your important data.
In addition to investigating basics like password requirements and MFA, you’ll want to ask about security documentation – i.e., do they have any?
Further, and in line with what we covered last month (https://fractionalciso.com/elon-musk-cybersecuritys-iron-man/), remember that to the extent one of your vendors is a weak player on the security front, they are a prime target for attackers who would use them to access your data.
#2. Use brand as a proxy for security.
Often, and particularly for financial institutions that deal directly with consumers (banks, credit card companies, investment firms, etc.), security is core to the brand, and strong, well-established controls and best practices tend to be in place. These companies are highly visible to both customers and regulatory agencies and are well aware that if they are not on top of things, it’s game over.
In my SIMPLE IRA example above, while the financial institution itself is huge, this division doesn’t deal directly with consumers and is far from a household name. That doesn’t excuse them, of course, but you can understand how best practices could get pushed to a back burner, leaving them – and you – vulnerable.
As with most things, there are exceptions to the “brand as proxy” rule, but it tends to be a good indicator.
#3. Trust your instincts.
Our #1 rule at Fractional CISO is “use good judgement.” For me, the moment I began interacting with my SIMPLE IRA friends, I knew something wasn’t quite right.
Fortunately, you need not be a cybersecurity geek to notice when things are off. Just as your subconscious may alert you to a potentially harmful physical situation out on the street, there are online signals that we likewise need to take in and pay attention to.
Does the web site feel professionally done? Are there typos in the email? Does the language feel odd in some way? Whatever the specifics, when your bad-guy antennae go up, you’ll want to step back and think about what’s happening. This is a good time to confer with a colleague or seek more information from the vendor in question.
The worst thing you can do is ignore the signals and just plow ahead. That seemingly small decision can lead to significant and costly problems down the road!
Securing your own network and data is Job One.
Job Two, however, is evaluating the security practices of your vendors. If those who handle your critical information are breached, it can be as bad as if the attackers walked straight through your own front door.
Gotta run. Those plants don’t water themselves.
To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/