In a previous question and answer blog, we explored how registered investment adviser (RIA) firms can help their employees become their best cybersecurity defense. Head of Virtual Desktop Infrastructure (VDI) at RIA in a Box Richard Mabbun emphasizes the importance of establishing a tailored cybersecurity training plan for an RIA firm’s employees. In this blog post, we discuss the different stages of cybersecurity training, from basic to intermediate, that RIAs can provide to their employees, along with best practices for a cybersecurity program.
The National Cybersecurity Alliance, in conjunction with the Cybersecurity and Infrastructure Agency (CISA), have named four key behaviors in keeping digitally stored information secure:
- The importance of two-factor authentication.
- Password strength and password managers.
- Software updates.
Cybersecurity awareness is undoubtedly important year-round. However, this month is an opportune time to reevaluate your employees' cybersecurity knowledge and practices, update policies and procedures and educate your employees as needed.
While the IT department or managed service provider (MSP) within your firm likely handles securing technology – cybersecurity training must extend to every faction of your organization. Each employee working with computers to accomplish their daily task creates opportunities for breaches in digital security.
To keep your firm compliant and protected against such breaches, it’s crucial to continuously train and educate your people on cybersecurity best practices.
There are some skills everyone in your firm should be familiar with and practice regularly, from your administrative assistant to your chief executive officer.
- Basic training and cybersecurity familiarity.
Every firm should have a cybersecurity guidance handbook each employee has access to and is up to date with. This could include best practices for mobile device usage, password management, identifying potential cyber threats, social media behavior and other pertinent information. Update the handbook or send out bulletins as new threats are known.
The Securities and Exchange Commission’s Cybersecurity and Resiliency Observations offer a great place to start.
The key takeaway – all employees need to complete the basic level of cybersecurity training.
- Intermediate cybersecurity skills.
Now that we’ve covered the baseline skills every person at your firm should know, let’s explore a few advanced skills required for specific job functions. As a common example, a human resources (HR) employee needs training on the recognition of Personal Identity Information (PII). An HR employee uses and sees this every day and should know how to recognize what should be protected and how.
- Specialty cybersecurity training.
Specialty training also focuses on cybersecurity best practices or risks specific to an employee’s job function. An example of a specialist requiring more robust training is an IT support technician, who needs to know the basic training, but also other types of information on risks, such as PII. Although they do not encounter PII as their normal daily duties, they still must recognize and know what it is so they can properly guide employees on the handling and protection of PII.
Conduct ongoing reviews
We encourage you to conduct ongoing reviews of your cybersecurity policies and procedures, which can provide regulators with documented proof you have carefully crafted a program unique to your firm and the industry’s evolving cybersecurity threats. Be specific when documenting methodology, timing and responsible parties for the firm’s cybersecurity activities.
Adding the periodic reporting above also shows active participation of your users, vendors, and technology in preventing cyber security incidents.
Test your systems
Perform cyber-risk assessments and determine what security weaknesses are present and where.
Once you’ve defined a training program for your users, established a solid technology stack to guard against and mitigate the risk of loss due to a cyber-attack, and have the means to review and collect the periodic data generated by training and tech stack, we recommend conducting penetration tests, also known as authorized simulated cyberattacks on your firm’s system.