Registered investment adviser ("RIA") firms must enhance their cybersecurity programs to meet the evolving compliance requirements and protect their firms from advanced threats. In this Q & A with Richard Mabbun, Co-Founder of ITEGRIA, we explore how firms can make employees their best cybersecurity defense.
Below, cybersecurity expert, Richard Mabbun answers our questions about creating a “cybersecurity defensive army” at an RIA firm.
Q: Financial firms seem to have an uphill battle when it comes to developing a cybersecurity program to defend against today’s sophisticated cyber threats. How should RIA firms get started?
A: Create a plan for your people. The biggest attack vector is a firm’s current and future employees. So, having a plan to take your employees and create soldiers of security for your organization is extremely important, which begins at the hiring process. During the hiring process, develop a strategy to take the temperature of a candidate in terms of their cyber-awareness and cyber-hygiene, perhaps giving them some sort of questionnaire. During the interview process, ask cybersecurity related questions to gauge their willingness to be part of the defense of your organization.
Q: What is the next best step after an employee is hired?
A: Once hired, it's important that you take charge of the training for your employees, and this can be done in two stages. In the first stage, send the individual(s) through a cybersecurity boot camp, to take an untrained individual through different training stages. Set the minimum requirements of cybersecurity training, such as how to recognize a phishing attack, how to recognize common scams, such as social text attacks, for example, from heads of the organization. Give them examples of how to record attacks and recognize that those are attacks.
Q: What is one of the most important concepts that every employee should know with only a basic level of cybersecurity training?
A: Train them to know that coming forward and raising your hand by saying, "Hey, I might have exploited us by clicking a link" is not going to be looked upon as a punitive event by the company. As a matter of fact, the sooner an event is reported, the better. Coming forward must be encouraged. This will make your organization aware that a cyber event may have taken place and then you’ll have a better chance of mitigating before any damage is done.
Q: What other aspects should be considered when creating a cyber security defense army?
A: Consider these scenarios; if an individual feels they clicked on something incorrectly, or they did follow a social engineering attack, what do they do? Who do they call? What are the steps to put that in motion?
Also, it’s imperative to develop a program to continually train your people. You must continually make them aware, continually educate them on new forms of attack, new viruses, new things to look out for, new areas and resources they can use to frequently enhance their cybersecurity fitness.
Q: How can you empower your employees to properly respond to a cyberattack?
A: The first thing is getting an employee to be a soldier rather than just an observer, or a bystander or somebody easily attacked. Once you've made sure that you have your entire employee base through a program that takes them from untrained, to a trained, then you really are in great shape because you created an army that is there to defend against cyber-attacks and recognize the forms of attack. This defense army knows the chain of command and who to contact to move awareness of the situation up the ladder as quickly as possible, and thus giving your cybersecurity teams a chance to be able to mitigate and report back to management. This will also allow communication to flow back to the entire organization to warn of an impending attack.