Doing Battle

Martin Carmichael, chief security officer at TD Ameritrade, explains what advisors should be doing to protect their data.

By Joel P. Bruckenstein
May 1, 2010

Constant vigilance. That's what Martin Carmichael, chief security officer at TD Ameritrade, recommends for advisors worried about information security. Because security threats are constantly evolving, advisors must stay on top of the latest developments if they are to protect their firms and clients.

While a comprehensive discussion of every threat is beyond the scope of this article, Carmichael provided his 10 security tips for readers and shared what steps big RIAs and custodians are taking to protect themselves.

 

BACK AND FORTH

To illustrate the evolving nature of information security threats, Carmichael cites the endless battle to protect user credentials, that is, the security of your login and password. The first threats to user credentials came from poor security policies and procedures. In some cases, people would write down their user names and passwords, making them easy to steal. According to a February study by web-browsing security firm Trusteer, 73% of people who bank online use the same password for their financial accounts and for their nonfinancial (and less secure) websites.

Next came the phishing sites and Trojans. While the two types of threats differ, their underlying methodology is the same: as you type your credentials on a keyboard, the credentials are hijacked and sent somewhere else. In this scenario, the hackers need to capture something at the keyboard level. When the security software designers realized this, they gained clues about the avenues of attack and the possible cures.

Today, Carmichael says, hackers can bypass your credentials entirely. With the right type of Trojan malware, code can be hidden on your computer, waiting until you log on to your financial site. Once it recognizes a page of interest, it launches and captures your financial information. Carmichael says that Zeus-type bots are an example of Trojans that can access sensitive data while bypassing the credentialing process. You can inadvertently install this malware by opening an email attachment that carries the Trojan or by visiting a bogus website, game application or browser advertisement.

 

TOP 10 SECURITY TIPS

To fight back, be prepared to invest time and money in software that helps you monitor malicious activity. The goal is to stay one step ahead of the hackers. Carmichael recommends following these 10 steps to maximize security:

1. Cover the basics first. This means installing security software on every computer. At the very least, Carmichael says, PCs should be equipped with antivirus software, anti-spyware software and a software firewall. McAfee and Symantec are two reliable providers.

2. Wear armor. "Whenever possible, sit behind a physical firewall," Carmichael says. Physical firewalls, or hardware firewalls, can stop intrusions outside your corporate or home environment before they get into your network. The type of hardware firewall will depend on the size of your firm and budget. For a solo practitioner, a router/firewall device may be sufficient. Larger organizations will require a more comprehensive corporate network firewall.

When you're traveling, you may not be behind a hardware firewall at all. At those times, Carmichael suggests making sure your software firewall is turned on and up to date. Another possible solution is to use a travel device with some level of built-in protection, such as the Apple AirPort Express.

3. Keep your system clean. Every time you download a program or install an add-in to your browser, you increase the risk to your computer's security. Some types of applications may put your system at more risk than others, but the more software on your computer, the more potential holes there are to exploit. Furthermore, the more software on your computer, the more there is to maintain and monitor for patches over time.

Carmichael says that best practices may dictate having separate computers for business and personal use. The business computer should be kept as pristine as possible, running only business applications. Everything else should go on the personal machine.

4. Know your websites. With phishing sites an ongoing problem, it's important to know that the website you visit is legitimate. A number of security suite providers now include software that can check the validity of websites. Norton Internet Security 2010 includes Norton Site Safety. McAfee's SiteAdvisor software is available as a free download at www.siteadvisor.com.
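Site-reputation tools such as the ones named above do this at scale, but the underlying idea is simple enough to show in code. The example below is added here and is not from the article or from any vendor: it checks a URL against a constructed allow-list of the domains an office actually logs in to, and flags the common phishing tricks (a trusted brand name buried in an unrelated domain, look-alike character swaps, bare IP addresses, punycode labels, plain HTTP). The domain list and the homoglyph table are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the domains this office actually logs in to.
# Placeholder values for illustration; a real list comes from the firm.
TRUSTED_DOMAINS = {"tdameritrade.com", "custodian-example.com"}

# Character swaps commonly used to build look-alike names (multi-character
# swaps listed first so "rn" is collapsed before single characters).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registered_domain(host):
    """Naive eTLD+1: the last two labels. Fine for .com; does not handle
    multi-part suffixes such as co.uk (use a public-suffix library for that)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalise(name):
    """Undo common homoglyph substitutions so look-alikes compare equal."""
    for fake, real in HOMOGLYPHS:
        name = name.replace(fake, real)
    return name


def check_url(url):
    """Return {'verdict': ..., 'host': ..., 'reasons': [...]}.
    Verdicts: trusted, suspicious (trusted name but weak transport, or an IP
    host), lookalike (imitates a trusted name), unknown (not on the list)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("connection is not HTTPS")

    # A bare IP address is never how a custodian presents its login page.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a domain name")
        return {"verdict": "suspicious", "host": host, "reasons": reasons}
    except ValueError:
        pass

    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label may hide look-alike characters")

    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        verdict = "trusted" if not reasons else "suspicious"
        return {"verdict": verdict, "host": host, "reasons": reasons}

    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand name used as a subdomain or fragment of an unrelated domain.
        if brand in host:
            reasons.append(f"'{brand}' appears inside unrelated domain '{reg}'")
            return {"verdict": "lookalike", "host": host, "reasons": reasons}
        # Brand name spelled with swapped characters (rn for m, 0 for o, ...).
        if normalise(reg.split(".")[0]) == brand:
            reasons.append(f"'{reg}' resembles '{trusted}' after homoglyph substitution")
            return {"verdict": "lookalike", "host": host, "reasons": reasons}

    reasons.append(f"'{reg}' is not on the trusted list")
    return {"verdict": "unknown", "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links of the kind that arrive by email.
    for link in [
        "https://www.tdameritrade.com/login",
        "https://tdarneritrade.com/",
        "http://tdameritrade.com.login-secure.example/",
        "https://192.0.2.10/login",
        "https://news.example.org/",
    ]:
        result = check_url(link)
        print(f"{result['verdict']:10} {link}  {'; '.join(result['reasons'])}")
```

The check is deliberately conservative: anything that is neither clearly on the list nor clearly imitating it comes back as "unknown", which is the right default for a link to a page that asks for credentials.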

5. Classify your data. Some data in your office is highly confidential and some isn't. Carmichael suggests creating a classification system for your data. This allows you to use extra care while handling your most sensitive data. It may also help control costs, by applying a lower standard to noncritical data.
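A classification system only pays off if it is applied consistently, and the easiest way to make that happen is to have software do the first pass. The example below is added here and is not from the article: it scans a record for the kinds of values an advisory office must protect (Social Security numbers, account numbers, email addresses), assigns the record to one of three constructed tiers, looks up the handling rules for that tier, and can mask the sensitive values so a record can be shared at a lower tier. The tiers, patterns and handling rules are assumptions for illustration; a real policy is the firm's decision.

```python
import re

# Constructed detection rules. Patterns are deliberately simple; real data
# loss prevention tools use context and checksums to cut false positives.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account_number": re.compile(r"\b(?:acct|account)\D{0,12}(\d{8,12})\b", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Which finding pushes a record to which tier; the highest tier wins.
TIER_OF = {"ssn": "confidential", "account_number": "confidential", "email": "internal"}
TIER_RANK = {"public": 0, "internal": 1, "confidential": 2}

# Handling rules per tier (constructed placeholders, not the firm's policy).
HANDLING = {
    "public": {"encrypt_at_rest": False, "external_email": True, "retention_days": 365},
    "internal": {"encrypt_at_rest": True, "external_email": True, "retention_days": 365},
    "confidential": {"encrypt_at_rest": True, "external_email": False, "retention_days": 2555},
}


def classify(text):
    """Assign a record to a tier based on the sensitive values found in it."""
    findings = [name for name, rx in PATTERNS.items() if rx.search(text)]
    tier = "public"
    for finding in findings:
        if TIER_RANK[TIER_OF[finding]] > TIER_RANK[tier]:
            tier = TIER_OF[finding]
    return {"tier": tier, "findings": findings, "handling": HANDLING[tier]}


def redact(text):
    """Mask SSNs and account numbers so the record can drop a tier."""
    out = PATTERNS["ssn"].sub("***-**-****", text)
    out = PATTERNS["account_number"].sub(
        lambda m: m.group(0).replace(m.group(1), "*" * len(m.group(1))), out
    )
    return out


if __name__ == "__main__":
    # Constructed sample records of the kind found in an advisor's files.
    samples = [
        "Meeting notes: discuss Q2 outlook with the team",
        "Call jane@example.com about the seminar invitation",
        "Client SSN 123-45-6789, account 1234567890, rollover request",
    ]
    for record in samples:
        result = classify(record)
        print(f"{result['tier']:12} {result['findings']}  {redact(record)}")
```

Running the block classifies the first sample as public, the second as internal and the third as confidential, and the redacted form of the third drops back to public, which is the point of the tiering: most of the office's data can be handled cheaply once the genuinely sensitive values are separated out.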