Five Steps to Stronger Cybersecurity
Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
Cyber-criminals are learning that the easiest way to get to your business’s valuable data and financial accounts isn’t by hacking into your IT network – it’s by tricking you and your employees into letting them in the front door.
Your employees must be trained as the first and last line of defense against cyber-attacks on their business and their clients, because that’s exactly what they are.
According to Verizon’s 2019 Data Breach Investigation Report, the data breach attack method that increased most over the most recent seven years of surveys was social engineering, which more than doubled.
Social engineering, such as phishing, was involved in 17% of data breaches reported by the organizations Verizon surveyed in 2013, increasing to 35% in 2018. During that same period, the most prevalent attack method, hacking, actually decreased from 56% to 53%.
This trend should alarm RIA and broker-dealer firm owners. Cyber-thieves know your firm presides over a treasure trove of sensitive personal and financial data. You’re a prime target because thieves believe your firm may be likely to transfer money in response to email requests.
Fraudsters exploit routine financial transactions. They prey upon your employees’ habits and emotions. And they’re literally banking on their ability to find employees who aren’t trained to spot their tactics.
Here are five ways to implement a cybersecurity awareness training program that protects you and your team members:
1. Upgrade your “training” from a once-per-year (or less) snorefest
Marching your employees through a long, obligatory annual cybersecurity training program usually does next to nothing to protect your company’s data. That PowerPoint you downloaded? Zzzzzzzzzzz.
First, make sure employees understand that cybersecurity is EVERY employee’s job. Include that fact in every job description, and confirm that everyone will be held accountable. Also, include cybersecurity in your new-employee training program.
Institute brief company-wide training updates at least quarterly if you can. Unfortunately, there are always developing trends in cyber-crime you can feature in these updates.
2. Make training relevant by including material that’s specific to your firm
FINRA’s Small Firm Cybersecurity Checklist specifies that your cybersecurity training should take into account firm-specific risks, systems, and loss incidents.
It’s understandable to want to sweep under the rug any data breaches or other cyber-crimes your firm has suffered. But these are among the best possible training tools.
You can also build training around losses suffered by similar firms.
If you read about such losses or talk about them with industry peers, relay the details and lessons learned to your employees. Each incident could comprise one of your quarterly cybersecurity briefings. It’s quick. It’s real. It’s a wake-up call.
3. Provide phishing training that includes ongoing simulated phishing tests
The Verizon report mentioned above identifies phishing as the top “threat action” used in successful data breaches that involve social engineering and malware attacks.
Phishing prevention has been covered extensively in business blogs and news outlets in recent years. But even if you know what it is, try this eye-opening phishing quiz from OpenDNS for examples of what it really looks like.
I recommend that my financial services SMB customers consider training that includes simulated phishing emails sent to employees about once per month, such as the program from KnowBe4.
KnowBe4’s annual Phishing by Industry Benchmarking Report measures the “phish-prone percentage” (PPP): the percentage of employees in a given industry who fall for simulated phishing attacks.
Here’s a sample of the 2019 benchmarks:
[Table: Phish-prone percentage (PPP) for small firms (1 - 250 employees)]
You can see the vast improvement that training and testing made in financial services and all the other categories.
But remember, even a 1% to 2% click rate by employees leaves your business vulnerable. You’ll probably never eliminate the risk – what you’re looking for is reasonable cybersecurity.
4. Teach a standard procedure for electronic funds transfers
The classic scam of a fake email purportedly from the CEO or CFO that asks an employee to do a wire transfer has evolved. Today, genuine-looking emails can come from clients, vendors, and anyone else who could plausibly request a funds transfer.
Train your clients and vendors, as well as your employees, on your secure funds transfer procedures.
For example, tell your clients and vendors you’ll NEVER simply email them with instructions for wiring money to a different account – you'll always call or tell them in person first. And, in turn, if a client or vendor emails you with new funds transfer instructions, follow up personally.
This training should also include how to use dual controls, so that no one person can move money without documenting that a second person has approved the transaction.
Many smaller firms don’t have such controls, and of course, scammers know this.
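As an added illustration (not code from the article or from TechGen), here is a small Python check that encodes the two rules above: out-of-band verification whenever payment instructions differ from what is on file, and dual control with a second, distinct approver. The request fields, the accounts-on-file table and the rule wording are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class TransferRequest:
    """A funds-transfer request as entered by an employee (assumed fields)."""
    request_id: str
    requester: str                      # employee who entered the request
    beneficiary: str                    # client or vendor the money goes to
    account: str                        # destination account in the request
    verified_by_callback: bool = False  # confirmed by phone/in person, not by replying to the email
    approvers: list = field(default_factory=list)  # people who signed off on it


# Constructed sample of beneficiary accounts already on file.
ACCOUNTS_ON_FILE = {"Acme Vendor": "ACCT-1001", "J. Client": "ACCT-2002"}


def check_transfer(req: TransferRequest, on_file=ACCOUNTS_ON_FILE) -> list:
    """Return the reasons this transfer must NOT be released; an empty list means it may proceed."""
    problems = []

    # Rule 1: instructions that change the account on file (or name a beneficiary
    # we have no record of) must be verified out of band before any money moves.
    new_instructions = on_file.get(req.beneficiary) != req.account
    if new_instructions and not req.verified_by_callback:
        problems.append("new account instructions not verified out of band")

    # Rule 2: dual control. The person who entered the request cannot also be
    # the approver, and at least one other person must have approved.
    approvers = set(req.approvers)
    if req.requester in approvers:
        problems.append("requester cannot be the second approver")
    if not (approvers - {req.requester}):
        problems.append("second approver missing")

    return problems


if __name__ == "__main__":
    # Constructed example: a vendor "emailed" a new account number and the same
    # employee both entered and approved it; both rules should fire.
    suspicious = TransferRequest("r2", "alice", "Acme Vendor", "ACCT-9999", approvers=["alice"])
    print(suspicious.request_id, check_transfer(suspicious))
```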
5. Focus on cybersecurity hygiene when using mobile devices
The Verizon report indicates that mobile users are more susceptible to email-based spear phishing and social media attacks. When training is conducted on full-sized screens, it’s easy for employees to miss tell-tale clues when using their smartphones.
Even cybersecurity expert and author Perry Carpenter of KnowBe4 admitted in a recent blog post that he’d clicked on phishing links because he encountered them on a mobile device.
“...I was in a hurry, between errands, and traveling,” Carpenter wrote. “And, each time, the phish’s pretext felt plausible: a message about an issue with my benefits (he was a new employee), a missed call/voicemail notification while traveling, and a fake Google Calendar invite.”
As more of your firm’s business is transacted on smartphones and tablets, the need for cybersecurity hygiene training for these devices increases.
Regulators require cybersecurity training but don’t offer many details
After reviewing broker/dealer and investment advisor firms’ cybersecurity programs, the SEC’s Office of Compliance Inspections and Examinations noted in a 2017 risk alert that all of these firms had written cybersecurity policies and required employee training.
However, the alert noted, these firms “did not appear to ensure this (training) occurred and take action concerning employees who did not complete the required training.”
Should your firm suffer a data breach that harms clients, regulators (and your clients’ lawyers) will look closely at whether you made reasonable efforts to train employees in cybersecurity.
If your firm doesn’t have cybersecurity expertise in house (which is considerably different from having “an IT person” on staff), get professional help designing and conducting a cybersecurity awareness program. Your strongest cyber-defense is knowledge.
Reid Johnston is founder and CEO of TechGen, a Minneapolis-based IT managed services provider specializing in cybersecurity for small- to medium-sized financial services companies.