Financial Advisor Website Security Best Practices

October 13, 2020 - Andrew Orr

A financial advisor website is at risk of malware and hacking attempts, but a few security implementations can greatly reduce that risk.

In the age of COVID-19, when in-person and face-to-face meetings are fewer than before, your website is the window into your organization more than ever.


Prospective clients come to your site to learn more about your organization and determine if you are the best choice to manage their wealth. Current clients come to access their accounts via client login portals.

With a fully optimized website that drives traffic and engagement, you’re doing all the right marketing steps, but that increased exposure means greater risk of a cyberattack.

Capital One was one such victim recently: a hacker gained access to 100 million credit card applications and accounts.

Malicious actors have their ways to exploit weaknesses, and in the unfortunate case of Capital One, a hacker could literally know what’s in your wallet. Their attacks will blindside you pretty hard when you weren’t expecting a hit.

Fortunately for a financial advisor website, there are tools in the cyber-toolbox to lessen the risk.

Financial Advisor Website Security Tips

Make Sure Your Site URL Is “HTTPS”

Do you see a “Not Secure” display next to your website URL?

Is an indicator missing next to your URL, such as the lock symbol or a circled green checkbox?

If you aren’t aware of this, visitors to your site (and Google) are.

The average Internet user is more conscious of their online security, and they are increasingly hesitant to visit sites not recognized as secure. In turn, Google will lower websites’ rankings in the search results if they aren’t secure.

For your site to be secure, the URL must be HTTPS (not HTTP). At that point, the lock symbol or green circle checkbox appears, depending on the device you’re using.

For your site to be HTTPS, you need to purchase an SSL (Secure Sockets Layer) certificate.

Without giving a technical explanation, the SSL certificate confirms your site’s authenticity and provides an extra layer of security to your website. You can learn more about what an SSL certificate is here.

To learn how to get the SSL certificate, check out this HubSpot article. If you have another team member with expertise or a trusted third-party website developer, they’ll know how to set your site up for HTTPS.

If you want to make your website look more professional, we wrote a post on how investment firms can improve their online appearance and generate leads.

Change Your Website Login Page

One way hackers access a site is by finding the URL of the website’s login page.

For the website administrator, there is a designated URL to log in to and make changes to the site.

The way hackers find these pages is not through any secretive or “illegal” way. They can find what service you use to build your site (e.g., WordPress) by viewing the website source code, and from there, they can deduce what your login page URL is, based on common formats.

What you should consider doing is changing the URL of the website login page. If you are using WordPress, for example, here is a link that explains how to do it. If you have an experienced web developer, they can make the changes for you.

By changing the login URL to one that is unique and difficult to guess, you are denying the hackers any chance to get in.

Change Passwords Regularly

There is no such thing as being too secure.

Even if you’ve made it impossible for hackers to find your website login URL, you should still change your password on a regular basis.

If your password ends up in the wrong hands for whatever reason, a regular password update limits the risk. Furthermore, you can enable multi-factor authentication.

That way if someone does have the password, they likely won’t have access to the email address or the phone number that receives the notification code.

Update Site Builder and Plugins Version

If you’re using WordPress or another site-building provider, make sure the version you are using is up to date. Also, make sure the website code is compatible with the new versions the service provider has.

The same goes for website plugins. If these are not regularly updated, the old versions are vulnerable to exploitation by hackers and spreaders of malware. An old version of a plugin or of the site builder you use may no longer be protected after new versions come out.

Thus, update regularly.

Disable Login Access to Unnecessary Users

It is possible that you have or have had third parties work on your site. If they have or have had access to your site but are no longer working on it, then remove them from your users.

The last thing you want is someone who is no longer associated with you having access to the site. It’s not that they would do anything malicious, but if their login credentials were hacked and there is no way to hold them accountable, it’s risky to keep their account active.

Also, when making someone a user, be sure you give them the appropriate level of access. If you don’t trust them with full control of the site, downgrade their controls.
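
A user review like the one described above can be scripted. The following is an added example, not part of the original article: it assumes the site's user list has been exported to CSV with hypothetical column names (user_login, role, last_login, engagement), and the approved-administrator list and 90-day inactivity threshold are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export (hypothetical column names, not a real WordPress format).
SAMPLE_EXPORT = """user_login,role,last_login,engagement
owner,administrator,2020-10-10,staff
agency_dev,administrator,2020-03-02,ended
seo_contractor,editor,2020-09-28,active
intern,administrator,2020-10-01,staff
old_writer,author,2019-11-15,active
"""

APPROVED_ADMINS = {"owner"}   # assumption: people who genuinely need full control
STALE_AFTER_DAYS = 90         # assumption: review threshold, tune to your policy


def audit_users(export_text, today):
    """Return {user_login: [findings]} for accounts that need action."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user_login"].strip()
        notes = []
        # Third parties whose engagement ended should not keep a login.
        if row["engagement"].strip() == "ended":
            notes.append("remove: engagement ended")
        # A long-unused account is an unattended credential.
        idle = (today - date.fromisoformat(row["last_login"].strip())).days
        if idle > STALE_AFTER_DAYS:
            notes.append(f"review: no login for {idle} days")
        # Full control only for the approved list; everyone else gets less.
        if row["role"].strip() == "administrator" and user not in APPROVED_ADMINS:
            notes.append("downgrade: administrator role not approved")
        if notes:
            findings[user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit_users(SAMPLE_EXPORT, date(2020, 10, 13)).items():
        print(f"{user}: {'; '.join(notes)}")
```

Accounts that come back with no findings still deserve a periodic manual look, since the engagement column is only as accurate as whoever maintains it.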

Take Regular Backups of Your Site

Some of these points may be getting technical, and if they’re not your area of expertise, check with those who are experts, whether they’re in house or third party.

Check if your website is backed up regularly. What that means is old versions of your site will be saved to a server, whether it’s an internal server or a web hosting server.

The reason you need these backups is in case something bad happens to the current site, like a malware attack. You need the ability to restore an older version of your site that hasn’t been corrupted.

Keep Your Site Protected

A financial advisor website is vulnerable to malicious actors, but with the right steps, firms can reduce the risk.

As mentioned earlier, your website is a window into your organization. Think of it as an open window that lets fresh air (AKA prospects and clients) in. If you don’t have screens (security), the flies and mosquitoes (hackers and malware) will come right in.

Make sure the aforementioned security implementations are in place to ensure a good site experience for the visitor while leaving the cyber-pests out.

When there are opportunities to keep your website more secure, always take them.