
Cyber Security is Not a Technology Issue

At ĪTEGRIA®, we believe that cyber security is a social issue, not a technology issue. Cyber security at its heart is all about people and processes. Who has access to your firm’s important data? How are they accessing the network? Do they recognize suspicious behavior? If a breach does occur, what is the plan of action? When most firms think about cyber security, they immediately start looking to technology to solve their problem, but technology provides tools, not the desire, strategy, or controls needed to stay secure.

You can have the best technology money can buy, but if your people don’t follow security procedures or they are the victim of a sophisticated scam and don’t report it, your network is vulnerable.

For an RIA firm to truly protect itself, the entire organization needs to be committed to protecting the firm’s and the customer’s data. Cyber security needs to become part of the firm’s DNA or its core values. Every employee from the CEO on down needs to understand cyber risks, and embrace the controls necessary to protect the firm. But it doesn’t stop there. If you have suppliers who access your network, they need to be included in your cyber security policies, procedures, and training.

So to tackle cyber security as a social problem, and create a culture of cyber awareness and preparedness, we suggest RIA firms walk through the following steps.

1. The CEO needs to own cyber security. You may designate someone internally to be the Compliance Officer or hire a Chief Information Security Officer, but ultimately the buck stops at the top. The CEO needs to be 100% bought into securing the firm. The first important role the CEO needs to assume is to KNOW the risks. Gather data to see where your network is vulnerable and understand what that means. (See below for how our new solution AdvisorGuard™ helps you gather data and identify the risks.) The second most important role you can play as a leader is to be a cheerleader for your IT security policies, knowing that those practices and procedures are there to protect you individually, as a firm, and most importantly for the people that you serve – your clients. Start evaluating yourself on your attitude, activities, and conversations. Do you talk about cyber security enough? Do people see you following the procedures? Bringing it up in meetings and employee communications will serve as a great reminder but also give the topic weight. By showing how important cyber security is to you, the rest will follow.

2. Get buy-in from the management team. Stress how important it is for them to set the example for the rest of the organization. Are they adhering to the security protocols or policies during the work day? When they are working remotely? In front of customers? Are they all in? Are they embracing the policies and enthusiastically sharing them with their team frequently? Are they cultivating that culture of awareness? If management is committed, it will trickle down to all employees.

3. Commit to training employees. We recommend training every member of the firm, and even vendors, on what behaviors are expected of them to protect the network, how to identify a breach and what to do if they think the network has been compromised. Explain the potential impact a cyber attack may have on your firm’s operations and reputation, let alone what it might mean for your clients. Spell out employee obligations, particularly with the use of mobile phones or using Wi-Fi in public areas like hotels or conferences.

4. Make cyber awareness part of the company culture. Talk about it all the time. Put posters up on the wall. Add it to your core values. IT security procedures need to become so rote that no one questions them and they become second nature. Cyber security will quickly become the “way we do things” here.

5. Develop a plan to train new hires. Don’t schedule one cyber security training session and think you are done. Train every employee multiple times throughout the year on new threats to watch for as well as how to reinforce your firm’s policies and procedures. Make cyber security training part of your on-board training process for new employees. Don’t delay until the next scheduled training classes. Minimize risk by making sure that EVERY employee with access to the network has the same level of training and awareness from Day One.

6. Take a look at vendors, suppliers, and managed service providers. Any outside vendor, supplier, or managed service provider who has access to your digital footprint can create a threat. If you’ve read the news on some of the major cyber security breaches in the past two years, many of these compromises occurred because vendors working with the firm did not have the same level of security or standards in place. It is imperative that your firm assess the security level and policies of vendors who have access to your network. Don’t think this just applies to your outsourced IT management firm. Go department by department and identify any external firm that has access to your network, like a payroll service provider, printer and scanner vendors, HVAC engineers, etc.

To help CEOs of RIA firms comply with the SEC’s OCIE exams in 2016, we have launched our new solution AdvisorGuard™, designed to give you the information to protect your firm and help meet the cyber security compliance mandates. Using a combination of best-in-industry diagnostic tools to identify threats to your system, this service will scan your system monthly to identify vulnerabilities; identify, track, and block suspicious URLs; as well as prevent malicious software from shutting down your system or creating a gateway for attackers to access sensitive data. AdvisorGuard will also give your system an extra layer of protection by deploying a multifactor authentication methodology to all of your workstations and servers. Get the data you need to make strategic decisions on how best to protect your firm.

If you would like more information about how our new solution AdvisorGuard helps you protect your firm, contact us here or give us a call at 224-563-3602 with any questions.
