Creating a cybersecurity culture

Key Points

  • Cyber threats are rising as fraudsters continue searching out vulnerabilities.

  • Cyberattacks aren't only about technology. They often involve human error and manipulation. 

  • A strong cybersecurity culture can help employees be a first line of defense. 

When Optivest Wealth Management's Ashlee Enzensperger got an urgent email from a client requesting a wire transfer of more than $200,000 to purchase an investment property, she knew something was off. For one, there was the period at the end of the client's name. Then, there was the "sent from my iPad" signoff—something she'd never seen from this client.

Looking closer, she noticed the wire instructions were for a Michigan LLC and Minnesota bank account, neither of which the client had ever used before. When Enzensperger continued to follow her firm's verification policy and requested a verbal authorization, the supposed client wrote back to say they were traveling and couldn't call—another red flag. When a call finally came in, caller ID showed the client's previous home phone number, which was no longer valid. The evidence was overwhelming. Enzensperger was dealing with a fraud attempt.

Most people don't want to create a fuss or risk offending a client by asking questions. Fraudsters know this and take advantage of it. They're counting on you to ignore your suspicions and to carry on with business as usual. Enzensperger couldn't ignore what she was seeing. She kept digging to verify whether she was dealing with an actual client. Her persistence saved her client (and her firm) a lot of money that day.

"Don't make the mistake of thinking of cybersecurity as only an information technology matter," says Adam Moseley, Director, Business Consulting and Education. "It is as much a human resources matter. The chance of your people being targeted is far more likely than your infrastructure being targeted."

In other words, cybersecurity isn't just a technical issue—it's a people problem. And your staff is your best defense.

Security is client service

The technology and strategies used by fraudsters are always changing. In a shifting threat landscape, it can be difficult to know what to do and what not to do. That's why human error and manipulation are the leading causes of data breaches.

Verizon's 2024 Data Breach Investigations Report found that 68% of data breaches involved "the human element," which included social engineering attacks, errors, or misuse of data.[1]

But you can't create a security culture simply by writing a handbook. How you translate those policies, procedures, and expectations into behavior is what counts. When employees finish their training, are they truly prepared to protect themselves and clients?

A healthy security culture is built on the idea that managing data effectively and securely is an extension of your client service ethos. Your team takes tremendous care in building and managing portfolios, so why risk client trust by not making the same effort to ensure that client data and assets are safe?

Core principles for creating a cybersecurity culture

There are a few ways any firm can begin building a cybersecurity culture.

Establish clear expectations for employees
Security is everyone's responsibility, not just the IT department's. Start by developing a document that explains your firm's vision of security and why security best practices affect the success of your business. Then circulate this document and ask your entire staff to commit to upholding the vision.

Drive awareness through education
Ensure employees build a foundation of cybersecurity skills. Teach them what strong passwords look like and go over basic security tenets such as avoiding suspicious links and not sharing personally identifiable information (PII) in emails. Effective education can change behavior, but results don't happen overnight. Regularly scheduled training sessions help build and maintain momentum. Fortunately, this is a strength of many of the firms that work with Schwab. Schwab's 2024 RIA Benchmarking Study found that 97% of firms provide cybersecurity training to employees.

Create teachable moments
Conduct simulated phishing attempts with your staff. There are many services that can send fake emails and provide tips and insights to employees who mistakenly click on a link. Also, consider quarterly cybersecurity roundtables where you talk about common threats, run through social engineering scenarios, and discuss incidents in the news.

Award awareness activities
Recognize that staff members have a lot that's competing for their attention. Memos and PowerPoint presentations are an important starting point for establishing awareness, but they only work if they're interesting and memorable. And if someone stops a scammer, make a big deal about it. Consider giving awards or special perks to celebrate successes.

Communicate often with clients about evolving threats
Fraud is constantly evolving, and so should your cybersecurity program. Pay attention to industry headlines. What's the latest trick fraudsters are testing out? Does everyone at your firm know how to spot it? Good. Now ensure that your clients are also aware. If clients get hacked, it can also affect you.

As a trusted advisor, you're in a great position to communicate the protections you have in place, share your proactive approach, and offer guidance to clients. Taking the extra time to communicate with clients about cybersecurity—especially with older clients who are particularly vulnerable to attacks—can deepen trust and strengthen your relationships.

Don't go it alone
Working with cybersecurity experts can give you more time to focus on your core business while also enabling you to put stronger protections in place. Also, make sure to check out the resources and self-guided tools linked at the end of this article.

If not now, when?
Many people think of cybersecurity as a defensive strategy: a series of investments and measures to ward off hacks, data breaches, and systems failures. However, building a proactive strategy through a strong cybersecurity culture is also a powerful layer of protection to prevent fraud. The key is to put as much as you can into place now and to keep building on your progress.

What you can do next

  • Explore our cybersecurity and fraud prevention resources, where you can browse action-oriented resources to help you plan and develop your cybersecurity program. If you custody with Schwab, you can log in to explore the full suite of resources.
  • Consider a custodian that is invested in your success. Contact us to learn more about the potential benefits of a Schwab custodial relationship.

1. 2024 Verizon Data Breach Investigations Report, https://www.verizon.com/business/resources/reports/dbir/2024/summary-of-findings/

About the 2024 RIA Benchmarking Study

Schwab designed the RIA Benchmarking Study to capture insights in the RIA industry based on survey responses from individual firms. The 2024 study provides information on topics such as asset and revenue growth, sources of new clients, products and pricing, staffing, compensation, marketing, technology, and financial performance. Since the inception of the study in 2006, more than 4,800 firms have participated, with many repeat participants. Fielded from January to March 2024, the study contains self-reported data from 1,304 firms that custody their assets with Schwab and represents $2 trillion in assets under management, making this the leading study in the RIA industry. Schwab did not independently verify or validate the self-reported information. Participant firms represent various sizes and business models. They are categorized into peer groups by AUM size. The study is part of Schwab Business Consulting and Education, a practice management offering for RIAs. Grounded in the best practices of leading independent advisory firms, Business Consulting and Education provides insight, guidance, tools, and resources to help RIAs strategically manage and grow their firms. 
