Cybersecurity: Your most effective firewall is your workforce
Behind every firm are people—your employees, your clients, and you—responding to communications and making quick decisions under pressure. Boost your firm’s protective policies and technologies by fostering a culture of security and giving your people the tools and training to combat cyber threats.
With cybersecurity threats continually on the rise, now’s the time to stay alert. As part of National Cybersecurity Awareness Month in October, we offer these resources to prepare your firm and your people.
It was a textbook case of a firm and its staff doing exactly what was needed to keep data and assets safe.
When Optivest Wealth Management’s Ashlee Enzensperger got an urgent email from a client requesting a wire transfer for over $200,000 to purchase an investment property, she knew something was off. For one, there was the period at the end of the client’s name. Then, there was the “sent from my iPad” signoff—something she had never seen from this client.
Looking closer, she noticed the wire instructions were for a Michigan LLC and a Minnesota bank account, neither of which the client had ever used before. When Enzensperger continued to follow her firm’s verification policy and requested a verbal authorization, the supposed client wrote back to say they were traveling and couldn’t call—another red flag. When a call finally came in, caller ID showed the client’s previous home phone number, which was no longer valid. Enzensperger had all the evidence needed to know she was dealing with a fraudster.
Scams like the one Optivest experienced are not unique. What is unusual, however, is the level of ownership this employee took to verify that she was dealing with her actual client.
“We tend to retreat, to back off, and to think that security is somebody else’s responsibility,” says John Sileo, a prominent cybersecurity, corporate fraud, and identity theft expert. “But the strongest parts of cybersecurity are the human beings and how we treat the data.”
Cybersecurity is not just a technical issue—it’s a business risk. And your staff is your best defense.
A culture of security: It’s not just an IT issue
The technology and strategies used by fraudsters are always evolving, and the threats are constant. In a shifting threat landscape, it can be difficult to know what to do and what not to do. It’s why, says Sileo, human error and manipulation are the leading causes of data breaches.
Your security culture doesn’t emanate from your company handbook but rather from how those policies, procedures, and expectations around security influence people’s behavior. It’s what happens to security when employees finish their training and are left to defend themselves and clients.
A healthy security culture must be more than an annual training or something that only your IT staff cares about. Your employees take tremendous care in building and managing portfolios, so why risk client trust by not making the same effort to ensure that client data and assets are safe?
“It’s not about protecting data for data’s sake. It’s about securing the very real, very human lives that are connected to it—whether it’s you, your family, or your clients,” says Sileo.
Fraud and cyber terms are numerous and can be hard to understand. Schwab can help.
Our Fraud Encyclopedia provides definitions and examples of common fraud techniques that you can use to educate yourself and your staff.
Core principles for creating a cybersecurity culture
Establish clear expectations for employees
Security is everyone’s responsibility, not just the IT department’s. Update your organizational vision and priorities to clearly articulate that security is a top business priority.
To get started, develop a document that explains your firm’s vision of security and why security best practices affect the success of your business. Feel free to use any of the resources linked below for inspiration. Circulate these documents and ask your entire staff to commit to upholding the vision.
Drive awareness through education
Build a strong foundation of skills, and follow up with ongoing training. Teach employees what strong passwords look like, and go over basic security tenets such as avoiding links in emails and not sharing personally identifiable information (PII) by email. Effective education can change behavior, but results don’t happen overnight. Regularly scheduled training sessions help build and maintain momentum.
Not sure where to begin? Take the “Cybersecurity: Safeguarding Your Firm and Clients Assets” training course from Schwab Advisor University®.
Make it fun and engaging
Recognize that your staff members have many objectives competing for their attention. Memos and PowerPoint presentations are important for establishing awareness but only work if they’re interesting and memorable. And don’t stop there—get hands-on.
Create teachable moments. Conduct a simulated phishing attempt with your staff. Or consider quarterly cybersecurity roundtables, and bring doughnuts, coffee, and updates on the latest threats to share with staff.
Communicate often with clients about evolving threats
Fraud is constantly evolving, and so should your cybersecurity program. Pay attention to industry headlines. What’s the latest trick fraudsters are testing out? Does everyone at your firm know how to spot it? Good. Now ensure that your clients do too, because their behavior online is just as important.
Communicate the protections you have in place, and share your proactive approach with clients to deepen trust and strengthen those relationships. Visit the “Resources for You and Your Clients” section of the Cybersecurity Resource Center for best practices and sample talking points for communicating with clients.
Recognize that you don’t have to go it alone
Working with cybersecurity experts can free you to focus on your core business while also enabling you to put stronger protections in place. Your Schwab Relationship Manager can connect you to comprehensive support, the latest educational materials, and third-party vendors.
Explore Schwab’s self-guided tools, including our five-step methodology for organizing, developing, and strengthening your firm’s cybersecurity program. And remember to use your Relationship Manager as a thought partner. As seasoned guides, they can help foster your security culture with best practices, industry insights, and information about the latest fraud trends.
Don’t miss John Sileo’s engaging session, “Cracking the Art of Human Hacking and Fraud Training,” where you’ll learn how to:
- Identify the most common forms of social engineering
- Apply anti-social-engineering skills at work and at home
- Combat deceptive triggers
- Distinguish weapons of manipulation from beneficial tools of influence
If not now, when?
People often think of cybersecurity as a defensive strategy—a series of investments and measures to ward off hacks, data breaches, and systems failures. But building an offensive strategy through a healthy security culture can also be a powerful differentiator.
We hope these principles inspire you to instill a culture of security in your firm to protect against a cybersecurity breach.
If you're thinking about becoming an independent advisor, consider a custodian that invests in your success. Contact us to learn more about the benefits of a custodial relationship with Schwab.