October is cyber security month, and financial professionals should take note. Advisor cyber security is critical to protecting people, property and assets under management. Terms like phishing, malware, ransomware and social hacking are common in the news and non-hacker verbiage. Cloud computing and other technology services put the power of cyber security in the hands of financial advisors.
People, process and technology are the critical components of advisor cyber security. Unfortunately, people, both clients and employees, are the weakest link in prevention. How do advisors get started? There are five principles to follow:
- Partnership – No one can do it all alone. Look for IT consultants and other experts who specialize in the financial services industry. Their services should include email monitoring, specialized cyber security certifications and “white hat” hacking. 24-hour customer service is critical, as cyber attacks can occur at any time. Effective partners help create a path forward for training, prevention and a response plan. Get a list of references before you sign any contract.
- Awareness – Assess your current cyber security practices. Do employees use a password manager? What is their current knowledge level, and how many people have been trained? Conduct phishing exercises to see where vulnerabilities lie. Document gaps and challenges to establish a baseline for the office. Top advisors will rate their efforts on a scale from 1 to 10 (be honest). As changes are made, let employees know how their efforts affect the rating. Determining your cyber security awareness sets the baseline and tone for the rest of your efforts.
Training: Cyber Security Key for Advisors
- Training – People are the weakest link in advisor cyber security. Bring in a consultant to train employees on best practices, terminology and threats to watch out for. An administrative assistant in Wisconsin prevented a client from losing $5000 in a phishing attempt by making sure she knew the questions to ask the caller. Properly trained personnel are the first line of defense in protecting property. Online and in-person lunch-and-learns should be conducted annually for ALL employees.
- Preparation – During a cyber attack is the wrong time to set up a plan. A phishing attempt was attempted on one of my clients in Tennessee recently. Because they had a plan in place, it took leadership less than one hour to contact the IT team, create a communication for clients and thwart the attempt.
- Response – After a cyber attack or phishing attempt, there are always lessons to learn. When things have calmed down and the attempt / attack has been dealt with, leadership should document a review of the situation. What did you do well? What actions should have been taken that were not? Document the proposals and create a lessons-learned presentation. Share the information with the rest of the team and employees.
Cyber security is not easy, but many of the actions can be dealt with in house. Financial professionals do not require a computer science degree to protect their assets under management. Have a plan before the attack occurs. As I tell my clients, it is not a matter of “IF” an attack occurs, it is “WHEN.”
Scientifically Speaking, of course…