
An RIA’s Guide to Launching an In-House Cybersecurity Awareness Program

Oct 05, 2020

Learn how you can develop and implement a cybersecurity awareness program at your RIA firm to help protect you and your clients from cyber attacks.

Cybersecurity is an increasingly important topic, whether we’re talking about managing passwords, identifying phishing attempts or other forms of cyber attacks. If your firm gets hacked, your clients’ sensitive information could be exposed, which can be an expensive experience—both in terms of money and your reputation.

No matter what you have in terms of processes, software, and systems, it only takes one employee clicking on a bad link, using a weak password on their laptop, or not telling management when they think they may have been phished to create a cyber breach. However, employees who are consistently trained can also be your greatest asset and first line of defense in combating cyberattacks and threats.

Why is a Cybersecurity Awareness Program Important? 

One of the most crucial strategies for preparing and protecting your RIA firm from cyber attacks is training your employees. People, unfortunately, are often the biggest risk when it comes to cybersecurity protection.

The SEC recommends that all RIA firms offer structured training and education on cybersecurity risks and prevention to all of their employees. RIA firms should begin to classify all their employees as either cybersecurity trained or untrained. Then firms need to develop a plan to move each employee from untrained to trained as quickly as possible to prevent human errors.

Why is Training Employees such a Big Deal? 

Without proper training, your employees may put your firm’s data at risk and not even know it. Untrained employees may try to access company data through an unsecured internet connection, through a public computer, or through computer systems that they don’t know anything about just to service a client account quickly. Or, they may also use a home computer that everyone in their family has access to. These are just a few of the kinds of things that untrained employees do without thinking about the security risks they may be introducing into your firm.

Another human error example involves phishing. This is when attackers send spam emails that attempt to lure individuals into providing sensitive data such as personal information, financial information or secret credentials. Untrained employees commonly open every single email message that is sent to them, regardless of whether they expect that email or know who it is from, and without questioning whether it could be some sort of cyberattack.

A trained employee will think about how and where they access client data. They will be much more careful, and perhaps much more unwilling to move any client data away from the company servers. They will also take a second look at communications, internet usage, emails, and web browsing with a slightly different, much more secure perspective. 

How to Create a Cybersecurity Awareness Training Program for Your RIA Firm

It’s impossible to overestimate the importance of proper training for cybersecurity attacks. According to Verizon’s 2021 Data Breach Investigations Report, as many as 85% of hacking-related breaches in the past year involved a human element. In addition, users are frequently tricked into following a link or opening an attachment that they shouldn’t have.

Here are three key steps to designing a Cybersecurity Awareness Training Program to train your employees to protect your RIA firm from data breaches.

Step One: Develop Cybersecurity Training Content

First and foremost, since RIA firms have to meet SEC cybersecurity regulations, start with what training is needed to meet compliance requirements. When it comes to compliance, SEC examiners will focus on both the content included in your training program and the implementation of your plans. It will not be enough to just offer basic training to your employees.

We recommend that after your employees get training on cybersecurity information, standards, policies, and strategic tools that will apply to everyone at the firm, there should also be some level of training specific to employees and their role in the organization. Therefore, we suggest that RIA firms have two levels of training – Basic Training and Specialty Training.


The first level of training should focus on ensuring that all employees understand what is at stake should there be a cybersecurity breach at your RIA firm. Explain how it affects your customers and the firm in general. Educate them on the types of cyberattacks they may encounter. Train them on how to spot suspicious emails to avoid the clicks, how to spot when their computer is acting strangely, and how to report any unusual activity quickly, free of judgement, to stop the breach as quickly as possible.

Then, ensure that every employee understands and acknowledges the cybersecurity policies adopted by the RIA firm. They should be able to recognize how these policies are deployed, monitored, and enforced in the organization.

Finally, they need to acknowledge the role they play in keeping the firm safe. They must agree to be vigilant, ask questions, and be teachable. And, they must be willing to apply these teachings in how they conduct their work both inside the firm and from outside connections to the firm’s infrastructure. 

With most workforces no longer tied to their desks, employees must understand how to protect the firm by following procedures when accessing the company’s network remotely.

Note: It also helps to see management walk the talk when it comes to cybersecurity practices. Make sure leadership is modeling the desired behaviors and is committed to following the firm’s standards and procedures.

Another important tip is to enact a “No Blame” policy. Employees should feel free to report when they may have inadvertently done something to put the firm at risk or see someone else doing something risky. There should be no repercussions.

Specialty Cybersecurity Training

Specialist training focuses on the cybersecurity best practices or risks specific to an employee’s job function. Some employees need to access more sensitive data than others within the firm. They may need more robust training.

For example, an employee who works in Human Resources (HR) should be aware of, and have additional cybersecurity training around, Personally Identifiable Information (PII) because there is a very good chance that they have access to this type of information for the firm’s employees. So, specialist-level cybersecurity training for someone in an HR position should revolve around how to identify PII and how to protect it.

They will need this training both for compliance and for cybersecurity reasons. HR people should know what the compliance requirements and regulations are (examples: HIPAA for healthcare-related information and PCI for the payment card industry), they should know specifically what the protocols are, and what safeguards the firm has against leaking that information.

Step Two: Schedule Ongoing Cybersecurity Training Sessions

A lot of companies hold one big training session on cybersecurity and then consider training new hires throughout the year, when they have brought enough people on board to justify the effort. Unfortunately, that’s just not good enough. A training program should be periodic and consistent. It needs to become part of the company’s regular conversations. 

You need to keep training your employees so that being vigilant becomes second nature. It can’t be a “One and Done” endeavor. Hackers get more and more creative and sophisticated over time. You need to keep your employees informed on how to spot new threats to the firm.

Take advantage of microlearning practices where you share smaller bites of information more frequently, using different mediums. For example, instead of making everyone sit through a 4-hour training once a year, host several 30-minute brown bag lunches or webinars on smaller cybersecurity topics. Or, send an internal email monthly with a tip or best practice to reinforce the message.

Step Three: Make Your Training Program Unique to Your Firm

Since your cybersecurity awareness needs to be consistent and ongoing, shake up how you deliver the training to avoid boredom or burnout.

The professionals agree: one of the most effective training methods is a simulated cybersecurity attack set up by your IT department or an outside company. Employees are expected to react to these attacks in real time, and then afterward, they’ll receive coaching on how to avoid any mistakes they might make during the drill.

For instance, some companies create simulated phishing attacks (using dedicated software) to see how many people will click on them. This can be extremely valuable since most people learn better from experience than from lectures or handouts.

Experts also recommend making cybersecurity training positive. While every employee needs to understand the negative effects of a cyberattack on your RIA firm, once that is clearly understood, focus on rewarding employees who follow best practices.

For example, award employees who do not fall for the simulated phishing attacks with modest prizes. A gift certificate or an afternoon off are excellent incentives that don’t cost your RIA firm much but may encourage more cyber diligence.

By consistently training your employees, equipping them with the knowledge they need, making cybersecurity efforts part of the company conversation, and creating a positive no-blame culture, you will see a significant improvement in your overall cybersecurity.

How to Create a No-Blame Culture

As mentioned above, an important aspect of training is to avoid condemning employees who make missteps. Mistakes are teachable moments. As long as they come forward and inform management that they may have inadvertently done something to put the firm at risk, there should be no repercussions. 

Management must create a “No-Blame” policy because you want to know immediately when an employee has opened a suspicious attachment or downloaded something off of the internet that may contain a virus. The faster they inform you, the faster you can address the issue.

Three Actionable Takeaways

Here are three actions you can take right away to better protect your firm against cybersecurity attacks:

  1. Classify all of your employees as trained or untrained.
  2. Define a minimum set of information and knowledge that must be learned by all employees in order to be classified as trained.
  3. Create a schedule and action plan to take your untrained employees through basic training as soon as possible.

Starting with these steps and documenting results will demonstrate that your firm is taking needed action to improve your Cybersecurity Management Systems.