When you think of cyber attacks, you probably think of a highly skilled hacker using the latest tools to crack into computer systems — at least that’s what they look like in Hollywood movies.
But the truth is that a substantial portion of security breaches are the result of human error. In the wealth management industry, employees are your firm’s biggest assets, but they can also be your greatest liability when it comes to cybersecurity and data breaches.
This is especially true if your employees are untrained in protecting themselves and the firm from cyber threats. In this blog post, we discuss how important the hiring process is to building a culture of strong cybersecurity awareness.
By building a culture of strong cybersecurity awareness at your RIA firm, you will proactively protect the firm, the employees, the clients and their sensitive data. With job-specific cybersecurity training (and cybersecurity software), employees can become an asset in your fight against cyberattacks.
One area that isn’t often addressed in cybersecurity conversations is the hiring process.
Hiring managers can get play a big part of building a culture of strong cybersecurity awareness by assessing their candidates for cybersecurity hygiene. By pure definition, hygiene means the practices conducive to maintaining health and preventing disease. In this case, hygiene refers to the health of your organization and preventing cyberattacks. In the interview process, you can get a grasp on the candidates current cybersecurity knowledge and willingness to be trained.
When interviewing new hires, you’ll want to ask questions like:
- How trainable are they, or how trained are they, in cybersecurity?
- Do they already have the basics of understanding in cybersecurity?
- What have they learned from their previous job, if any, or from their previous experience?
If you are interviewing individuals from large organizations, they have likely been exposed to very strict cybersecurity rules, which you can leverage to your advantage. Position these highly trained new hires as leaders, teaching individuals how and why things are done at large organizations to help gain acceptance on some of the cybersecurity initiatives.
Here are a few other questions to help guide a productive conversation around cybersecurity hygiene with new hires:
- What training have you had on cybersecurity awareness and prevention? What level of training? How often did they receive training? Once? Once a year?
- What would you do if you if you thought you clicked on a suspicious link or email? Would they report it immediately?
- (If they work from home) What cybersecurity protections do you have on your computer, smart devices, or home network? What cyber risks might you face, based on your position within the firm? For administration or office functions, the risks may be phishing emails or suspicious website links. For IT functions, they may need a deeper understanding of the types of risks they may face.
- Do you understand the severity of a cybersecurity breach for a firm in the financial advisory space? If they are new to the financial industry, are they aware of SEC cybersecurity regulations and fines?
- Describe the cybersecurity protocols used at your last firm.
- Have you ever been victim of a cybersecurity attack? What did you do? This is not to make them uncomfortable or accuse them of not being vigilant, the question is to understand the actions they took afterward and what they took away from that experience.
In addition, during the interview, score them on these three specific areas of cybersecurity awareness:
1. How they Address it in Their Personal Life
First, ask them what steps they take in their personal life to protect their own data and privacy. Do they have a firewall at home? Do they use a privacy screen on their computer when working in a public place? Do they use public Wi-Fi systems when traveling or create a hot spot on their mobile phone? Do they close their webcam lens or use a lens cover when the camera is not in use? Do they use a password manager like Last Pass?
These are all good practices for keeping your personal data and privacy secure online. If a candidate is already doing these things in their personal life, chances are they will have no problem adhering to any cybersecurity protocols at work.
Admittedly, many people may not have a firewall at home or use a privacy screen when working public, and that shouldn’t necessarily disqualify an applicant. This is just a way for you to get a better idea upfront of how aware they are of cybersecurity.
2. Their Experience in Secure Environments
Second, ask about the kind of cybersecurity practices they had to follow in their last company. Can they clearly explain what the cybersecurity protocols were and how often they had training? How did they log in to the company’s network?
Do you get a sense that they felt these security measures were important or little more than an inconvenience? You want to hire someone who doesn’t resent the extra steps or precautions they needed to take to follow security best practices.
3. Their Attitude Toward Cybersecurity Threats and Procedures
Third, look for certain attitudes, such as a willingness to learn and admit mistakes. The cybersecurity landscape changes all the time—new threats, new best practices, new regulations. Training to keep the firm, your client’s data and even their own personal privacy secure is an ongoing process.
Determine if they are open to continuous learning and even have a curiosity about cybersecurity threats and protections. When you asked about how often they received cybersecurity training in their last job, did you get a sense that they felt it was excessive or not necessary? That’s a tip-off that they don’t take the threat of a cyberattack that seriously.
In addition, a key component of good cybersecurity hygiene is realizing that mistakes will be made, so don’t be afraid to report when something happens. While many breaches are a result of human error, hackers are really good at fooling people.
No matter how diligent someone is, they may eventually fall victim to a phishing attack. Someone with good cybersecurity hygiene understands that the faster a mistake is reported, the faster the attack can be shut down or contained.
On the flip side, your company needs to encourage a culture where there are no retributions for making a mistake or falling victim to a scam. Communicate this clearly to new hires so they understand that they will not be punished if they think they may have inadvertently compromised security in some way.
Be clear in the interview that the goal of these questions is not to reject someone based on cybersecurity knowledge. It’s to establish their level of familiarity with cybersecurity so you can identify the level of training they will need when they come on board.
The more they know and the more they do, the better. But even if they haven’t had a lot of education or experience with cybersecurity practices, if they are open to deal with a little inconvenience by following extra procedures, then you had a good candidate to work with.
Are you looking for thorough, affordable software to help streamline your RIA’s cybersecurity solution?