Developing Information Security Awareness at Your Advisory Firm
Preventing cybercriminals from accessing sensitive information keeps getting more challenging, and not just because they have more sophisticated resources, such as artificial intelligence (AI), to carry out scams. They’re often able to exploit human vulnerabilities. Consider this: human error accounts for up to 95 percent of security breaches. This makes information security awareness across your advisory firm critical for keeping your clients’ and your firm’s data safe.
All too often, an information security incident is preventable—it happened because someone clicked on a questionable link, used an easy-to-guess password, or responded to a phishing email. Obviously, we all make mistakes. But with a baseline understanding of information security and its role in protecting your firm’s data, you can guide your team toward making smart choices.
Here’s how to establish an effective information security awareness program at your advisory firm that addresses human susceptibility and common scams.
1. Keep Your Information Security Policies Up-to-Date
Strong security starts with policies—the rules that govern what’s safe and what isn’t. They should address all your business security concerns and practices. This includes how to authenticate a client, shred documents, and encrypt emails, laptops, and mobile devices. You’ll want your staff to have easy access to these policies and review them on a quarterly or annual basis to ensure their relevancy.
2. Set Expectations for Device Use
Consider enforcing a detailed smartphone policy that requires full-device encryption and strong lock screen passcodes (ideally, six digits). When working remotely, employees should use the firm’s virtual private network. Also, make sure employees know about the risks and your preferences when connecting to potentially unsecured or public Wi-Fi networks. Backing up all information to company devices is another best practice.
3. Be Prepared for Phone and Text Message Scams
If your firm isn’t prepared, anyone who answers the phone or responds to a text could be the weak link that opens up your business to a breach. For example, they could give in to a scam artist masquerading as a client demanding an “urgent” wire transfer. Or they could give up control of their laptop to a tech “expert,” claiming their system needs an upgrade.
With potential phone scams (vishing), not only is someone impersonating someone else, but they could also sound exactly like that person because of AI or voice-cloning technology. To avoid text scams (smishing), question messages that make an unusual or irrelevant request or seem to come from a client who rarely communicates with your firm this way.
To help defend against fraudulent transactions, let your team know how to recognize a phone scam and how they should proceed:
Request information. When dealing with an unknown caller, ask for their name and reason for calling. Anyone unwilling to verify their identity could be a scammer. Don’t give the caller the benefit of the doubt; you could get off the phone at any time and call back using a phone number of record (e.g., your client’s number on file) and confirm the number using reverse lookup services.
Be on alert. If a caller requests sensitive information about your client or firm, remember to question its legitimacy. See what happens if you request an in-person or videoconference meeting.
Ask for a call-back phone number. A legitimate caller is likely to oblige, and you could independently verify the number before calling back.
4. Don’t Let Staff Take the Bait for Phishing Emails
Phishing, or scam, emails are the most common type of cybercrime reported to the FBI—they account for 90 percent of all cyberattacks. Although there have been advances in spam filters and antivirus software, the most effective means of reducing your phishing risk is to share the signs of a problematic email with your staff.
For example, if you hover over a link in an email and the URL doesn’t match the link’s description, you should not click the link. Additionally, let the team know what to do if they come across a questionable email:
Don’t use unfamiliar links. Always open up a new browser window to log in to accounts rather than click from an email message.
Delete the email. Forwarding the email increases the chances of someone clicking on a bad link.
Verify the sender. Rather than calling the number in an email, verify the number another way and research the official website of the business or individual.
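The hover check above (does the visible link text agree with where the link actually goes?) can also be automated on the mail-gateway side. The following is an added example, not code from the original article: it parses an HTML message body, pulls out every anchor, and flags any link whose displayed text names a host that differs from the host in the real href. The sample message and all domain names in it are constructed for illustration.

```python
"""Flag HTML e-mail links whose visible text names a different host than the href."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pulls a domain out of text such as "https://www.example-bank.com/login" or "example-bank.com".
_DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _shown_host(text):
    """Return the domain a reader would believe the link text points to, or None if it names none."""
    m = _DOMAIN_RE.search(text.strip())
    return m.group(1).lower() if m else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:          # inside an <a>, keep any nested text
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the text claims one host and the href goes to another."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, actual = _shown_host(text), urlparse(href).hostname
        if not shown or not actual:          # plain wording like "Help Center" is not a claim
            continue
        actual = actual.removeprefix("www.")
        # A subdomain of the shown host is fine; anything else is the classic phishing mismatch.
        if actual != shown and not actual.endswith("." + shown):
            flagged.append((text, href))
    return flagged


# Constructed sample message: one deceptive link, two honest ones.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="https://login.example-attacker.test/reset">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help Center</a>
<a href="https://www.example-bank.com/">www.example-bank.com</a>"""
```

Running `find_mismatched_links(SAMPLE_EMAIL)` returns only the first link, the one whose displayed URL and real destination disagree.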
5. Implement Ongoing Information Security Awareness Training
A security awareness plan should address both onboarding training and continual reinforcement of the policies and best practices you’ve adopted. That way, new hires will understand your firm’s security practices from the get-go, and seasoned employees will have their secure habits affirmed.
To get started:
Make a plan. Write down the goals of your information security awareness program and how you will achieve them.
Create a calendar. Schedule when different phases of your training will take place during the year.
Share your plan. This will demonstrate your commitment to starting and maintaining your program, and everyone will be on the same page.
Check your tone. While you want staff to be aware of the risks, you don’t need to share “shock value” material to get their attention.
6. Supplement Your Program with Cybersecurity Training Software
In recent years, various security education software programs have been developed to provide training content (e.g., interactive games, presentations, and videos). Some programs also include simulated phishing tools, which you can use to create fake phishing emails, send them to your staff, and then generate reports on who clicked and who didn’t. This data can help you establish a baseline of your firm’s security awareness, and you can repeat the exercise later to measure whether your training is effective.
7. Stay Informed with Cybersecurity News
When you see something that relates to your advisory firm—whether it’s about the software you use or the smartphone a staff member has—share it. You could also compile any major headlines into a monthly or quarterly newsletter or start a chat in Microsoft Teams labeled “Breaking Cybersecurity News.” These updates could start a conversation or alert staff to something they didn’t know. Either way, they will help keep security top of mind without interrupting anyone’s workday.
8. Have a Process for Terminated Employees
This process should include changing all passwords these employees may know and collecting any company property, keys, and passes they have in their possession. Also, remove their ability to access any third-party vendor accounts.
Spreading Information Security Awareness
An effective information security effort requires clear and up-to-date guidance so your staff recognizes the signs of an attack and knows how to keep your firm’s information safe. At the same time, you don’t want to give your staff so much information that you overwhelm or scare them. Security awareness is not about paranoia—it’s about adopting secure habits so that dealing with threats becomes second nature to everyone at your firm.
Commonwealth serves as an extension of our advisors’ teams by helping them stay on top of information security best practices and requirements, technology solutions, compliance matters, and much more. Learn how.
This material is for educational purposes only and is not intended to provide specific advice.