Cybersecurity is an increasingly important topic, whether we’re talking about managing passwords, identifying phishing attempts, or other forms of cyber attacks. If your firm gets hacked, your clients’ sensitive information could be exposed, which can be an expensive experience—both in terms of money and your reputation.
No matter what you have in terms of processes, software, and systems, it only takes one employee to click on a bad link, have a weak password on their laptop, or not tell management when they think they may have been phished to create a cyber breach. However, employees who are consistently trained can also be your greatest asset and first line of defense in combating cyberattacks and threats.
Why is a Cybersecurity Awareness Program Important?
One of the most crucial strategies to protect your RIA firm from cyber attacks is training your employees. People unfortunately are often the biggest risks when it comes to cybersecurity protection.
The Securities and Exchange Commission ("SEC") recommends that all RIA firms offer structured training and education on cybersecurity risks and prevention to all their employees. RIA firms should begin to classify all their employees as either cybersecurity trained or untrained. Then, firms need to develop a plan to move each employee from untrained to trained, as quickly as possible, to prevent human errors.
Without proper training, your employees may put your firm’s data at risk and not even know it. Untrained employees may try to access company data through an unsecured internet connection or through a public computer just to service a client account quickly.
How to Create a Cybersecurity Awareness Training Program for Your RIA Firm
Here are three key steps to designing a Cybersecurity Awareness Training Program to train your employees to protect your RIA firm from data breaches:
Step One: Develop Cybersecurity Training Content
When it comes to compliance, SEC examiners may focus on both the content included in your training program and the implementation of your plans. It will not be enough to just offer basic training to your employees.
We recommend that after your employees get training on cybersecurity information, standards, policies, and strategic tools that will apply to everyone at the firm, there should also be some level of training specific to employees and their role in the organization. Therefore, we suggest that RIA firms have two levels of training – Basic Training and Specialty Training.
The first level of training should focus on ensuring that all employees understand what is at stake should there be a cybersecurity breach at your RIA firm. Explain how it affects your customers and the firm in general. Train them on how to spot suspicious emails, how to spot when their computer is acting strangely, and how to report any unusual activity quickly, free of judgement, to stop the breach as quickly as possible.
Note: It is vital to see management walk the talk when it comes to cybersecurity practices. Make sure leadership is modeling the desired behaviors and is committed to following the firm’s standards and procedures.
Another important tip is to enact a “No Blame” policy. Employees should feel free to report when they may have inadvertently done something to put the firm at risk or see someone else doing something risky. There should be no repercussions. You'll want to know immediately when an employee has opened a suspicious attachment or downloaded something off of the internet that may contain a virus. The faster they inform you, the faster you can address the issue.
Specialty Cybersecurity Training
Specialty training focuses on the cybersecurity best practices or risks specific to an employee’s job function. Some employees need to access more sensitive data than others within the firm. They may need more robust training.
For example, an employee who works in Human Resources (HR) should be aware of and have additional cybersecurity training around Personally Identifiable Information (PII), because there is a very good chance that they have access to this type of information for the firm’s employees. So, specialist-level cybersecurity training for someone in an HR position should revolve around how to identify PII and how to protect it.
Step Two: Schedule Ongoing Cybersecurity Training Sessions
A lot of companies hold one big training session on cybersecurity and then train new hires throughout the year. Unfortunately, that’s just not good enough. A training program should be periodic and consistent.
You need to keep training your employees so that being vigilant becomes second nature. Hackers get more and more creative and sophisticated over time. You need to keep your employees informed on how to spot new threats to the firm.
Take advantage of microlearning practices where you share smaller bites of information more frequently, using different mediums. For example, instead of making everyone sit through a 4-hour training once a year, host several 30-minute brown bag lunches or webinars on smaller cybersecurity topics. Or, send an internal email monthly with a tip or best practice to reinforce the message.
Step Three: Make Your Information Security Training Program Unique to Your RIA Firm
Since your cybersecurity awareness training needs to be consistent and ongoing, shake up how you deliver it to avoid boredom or burnout.
The professionals agree that one of the most effective training methods is a simulated cybersecurity attack set up by your IT department or an outside company. Employees are expected to react to these attacks in real time, and afterward they receive coaching on how to avoid any mistakes they made during the drill. For instance, some companies create simulated phishing attacks (using dedicated software) to see how many people will click on them.
Experts also recommend making cybersecurity training positive. While every employee needs to understand the negative effects of a cyberattack on your RIA firm, once that is clearly understood, focus on rewarding employees who follow best practices.
Starting with these steps and documenting results will demonstrate that your firm is taking needed action to improve your cybersecurity program.