Your people are your most effective cybersecurity firewall

Key Points

  • Cyber threats are rising as fraudsters continue searching out vulnerabilities.

  • Cyberattacks aren’t only about technology. They often involve human error and manipulation. 

  • A strong cybersecurity culture can help employees be a first line of defense. 

When Optivest Wealth Management's Ashlee Enzensperger got an urgent email from a client requesting a wire transfer of more than $200,000 to purchase an investment property, she knew something was off. For one, there was the period at the end of the client's name. Then, there was the "sent from my iPad" signoff—something she had never seen from this client.

Looking closer, she noticed the wire instructions were for a Michigan LLC and Minnesota bank account, neither of which the client had ever used before. When Enzensperger continued to follow her firm's verification policy and requested a verbal authorization, the supposed client wrote back to say they were traveling and couldn't call—another red flag. When a call finally came in, caller ID showed the client's previous home phone number, which was no longer valid. The evidence was overwhelming. Enzensperger was dealing with a fraudster.

A scam can seem obvious once you do a little digging. But too often we don't look hard enough. The level of ownership Enzensperger took to verify that she was dealing with her actual client might seem excessive to some. But it should be the rule.

"We tend to retreat, to back off, and to think that security is somebody else's responsibility," says John Sileo, a prominent cybersecurity, corporate fraud, and identity theft expert. "But the strongest parts of cybersecurity are the human beings and how we treat the data."

Cybersecurity is not just a technical issue—it's a business risk. And your staff is your best defense.

Security is part of client service

The technology and strategies used by fraudsters are always evolving, and the threats are constant. In a shifting threat landscape, it can be difficult to know what to do and what not to do. It's why, says Sileo, human error and manipulation are the leading causes of data breaches.

Verizon's 2023 Data Breach Investigations Report found that 74% of data breaches involved "the human element," which included social engineering attacks, errors, or misuse of data.1

But you can't create a security culture simply by writing a handbook. How you translate those policies, procedures, and expectations into behavior is what counts. When employees finish their training, are they truly prepared to protect themselves and clients?

A healthy security culture is built on the idea that managing data effectively and securely is an extension of your client service ethos. Your team takes tremendous care in building and managing portfolios, so why risk client trust by not making the same effort to ensure that client data and assets are safe?

"It's not about protecting data for data's sake. It's about securing the very real, very human lives that are connected to it—whether it's you, your family, or your clients," says Sileo.

Core principles for creating a cybersecurity culture

There are a few ways any firm can begin building a cybersecurity culture.

Establish clear expectations for employees
Security is everyone's responsibility, not just the IT department's job. Update your organizational vision and priorities to clearly articulate that security is a top business priority.

To get started, develop a document that explains your firm's vision of security and why security best practices affect the success of your business. Then circulate this document and ask your entire staff to commit to upholding the vision.

Drive awareness through education
Ensure employees build a strong foundation of skills and follow up with ongoing training. Teach employees what strong passwords look like and go over basic security tenets such as avoiding suspicious links and not sharing personally identifiable information (PII) in emails. Effective education can change behavior, but results don't happen overnight. Regularly scheduled training sessions help build and maintain momentum.

Create teachable moments
Conduct simulated phishing attempts with your staff. There are many services that can send fake emails and provide tips and insights for employees who mistakenly clicked on a link. Also, consider quarterly cybersecurity roundtables where you talk about common threats, run through social engineering scenarios, and talk about incidents in the news.

Award awareness activities
Recognize that your staff members have many objectives competing for their attention. Memos and PowerPoint presentations are an important starting point for establishing awareness, but they only work if they're interesting and memorable. If someone stops a scammer, make a big deal about it. Consider awards or special perks to celebrate successes.

Communicate often with clients about evolving threats
Fraud is constantly evolving, and so should your cybersecurity program. Pay attention to industry headlines. What's the latest trick fraudsters are testing out? Does everyone at your firm know how to spot it? Good. Now ensure that your clients are aware. If clients get hacked, it can also affect your firm.

Communicate the protections you have in place and share your proactive approach. And provide cybersecurity education to clients to deepen trust and strengthen those relationships.

Don't go it alone
Working with cybersecurity experts can give you more time to focus on your core business while also enabling you to put stronger protections in place. It can also give you some peace of mind.

And make sure to check out the resources and self-guided tools linked at the end of this article.

If not now, when?

Many people think of cybersecurity as a defensive strategy—a series of investments and measures to ward off hacks, data breaches, and systems failures. However, building a proactive strategy through a strong cybersecurity culture can also be a powerful approach to preventing fraud.

What you can do next

  • If you custody with Schwab:
    • Enroll in Schwab's Virtual Practice Management Strengthen Your Cybersecurity series for tips and tools to bolster your efforts to build and maintain a comprehensive cybersecurity program.
    • Visit our Cybersecurity Resource Center where you can browse action-oriented resources to help you plan and develop your cybersecurity program.
  • Consider a custodian that invests in your success. If you're thinking about becoming an independent investment advisor, contact us to learn more about the benefits of a custodial relationship with Schwab.