Cybersecurity: Your most effective firewall is your workforce

It was a textbook case of a firm and its staff doing exactly what was needed to keep data and assets safe.

When Optivest Wealth Management's Ashlee Enzensperger got an urgent email from a client requesting a wire transfer for over $200,000 to purchase an investment property, she knew something was off. For one, there was the period at the end of the client's name. Then, there was the "sent from my iPad" signoff—something she had never seen from this client.

Looking closer, she noticed the wire instructions were for a Michigan LLC and a Minnesota bank account, neither of which the client had ever used before. When Enzensperger continued to follow her firm’s verification policy and requested a verbal authorization, the supposed client wrote back to say they were traveling and couldn’t call—another red flag. When a call finally came in, caller ID showed the client’s previous home phone number, which was no longer valid. Enzensperger had all the evidence needed to know she was dealing with a fraudster.

Scams like the one Optivest experienced are not unique. What is unusual, however, is the level of ownership this employee took to verify that she was dealing with her actual client.

"We tend to retreat, to back off, and to think that security is somebody else"s responsibility," says John Sileo, a prominent cybersecurity, corporate fraud, and identity theft expert. "But the strongest parts of cybersecurity are the human beings and how we treat the data."

Cybersecurity is not just a technical issue—it's a business risk. And your staff is your best defense.

A culture of security: It's not just an IT issue

The technology and strategies used by fraudsters are always evolving, and the threats are constant. In a shifting threat landscape, it can be difficult to know what to do and what not to do. It’s why, says Sileo, human error and manipulation are the leading causes of data breaches.

Your security culture doesn’t emanate from your company handbook but rather from how those policies, procedures, and expectations around security influence people’s behavior. It’s what happens to security when employees finish their training and are left to defend themselves and clients.

A healthy security culture must be more than an annual training or something that only your IT staff cares about. Your employees take tremendous care in building and managing portfolios, so why risk client trust by not making the same effort to ensure that client data and assets are safe?

"It's not about protecting data for data’s sake. It's about securing the very real, very human lives that are connected to it—whether it's you, your family, or your clients," says Sileo.

Core principles for creating a cybersecurity culture

Establish clear expectations for employees

Security is everyone’s responsibility, not just the IT department’s. Update your organizational vision and priorities to clearly articulate that security is a top business priority.

Terms to know
Fraud and cyber terms are numerous and can be hard to understand. Schwab can help.

Our Fraud Encyclopedia provides definitions and examples of common fraud techniques that you can use to educate yourself and your staff.

To get started, develop a document that explains your firm’s vision of security and why security best practices affect the success of your business. Feel free to use any of the resources linked below for inspiration. Circulate these documents and ask your entire staff to commit to upholding the vision.

Drive awareness through education

Build a strong foundation of skills, and follow up with ongoing training. Teach employees what strong passwords look like, and go over basic security tenets such as avoiding links and sharing personally identifiable information (PII) in emails. Effective education can change behavior, but results don’t happen overnight. Regularly scheduled training sessions help build and maintain momentum.

Not sure where to begin? Take the "Cybersecurity: Safeguarding Your Firm and Clients Assets" training course from RIA EdCenter^™.

Make it fun and engaging

Recognize that your staff members have many objectives competing for their attention. Memos and PowerPoint presentations are important for establishing awareness but only work if they’re interesting and memorable. And don’t stop there—get hands-on.

Create teachable moments. Conduct a simulated phishing attempt with your staff. Or consider quarterly cybersecurity roundtables, and bring doughnuts, coffee, and updates on the latest threats to share with staff.

Communicate often with clients about evolving threats

Fraud is constantly evolving, and so should your cybersecurity program. Pay attention to industry headlines. What’s the latest trick fraudsters are testing out? Does everyone at your firm know how to spot it? Good. Now ensure that your clients do too, because their behavior online is just as important.

Communicate the protections you have in place, and share your proactive approach with clients to deepen trust and strengthen those relationships. Visit the "Resources for You and Your Clients" section of the Cybersecurity Resource Center for best practices and sample talking points for communicating with clients.

Recognize that you don't have to go it alone

Working with cybersecurity experts can free you to focus on your core business while also enabling you to put stronger protections in place. Your Schwab Relationship Manager can connect you to comprehensive support, the latest educational materials, and third-party vendors.

Explore Schwab's self-guided tools, including our five-step methodology for organizing, developing, and strengthening your firm's cybersecurity program. And remember to use your Relationship Manager as a thought partner. As seasoned guides, they can help foster your security culture with best practices, industry insights, and information about the latest fraud trends.

If not now, when?

People often think of cybersecurity as a defensive strategy—a series of investments and measures to ward off hacks, data breaches, and systems failures. But building an offensive strategy through a healthy security culture can also be a powerful differentiator.

We hope these principles inspire you to instill a culture of security in your firm to protect against a cybersecurity breach.

If you're thinking about becoming an independent advisor, consider a custodian that invests in your success. Contact us to learn more about the benefits of a custodial relationship with Schwab.