Cybersecurity in Advice Firms: 4 Ways to Improve Your Human Firewall
By Karen Stephens // Bcyber
Cybersecurity is hard and it’s filled with scary stories that can leave firms frozen in their tracks, unsure if they should be doing more. After all, what harm can happen by doing nothing and retaining the status quo, right? Well, for advice firms, this couldn’t be further from the truth. According to a KPMG Small Business Reputation & The Cyber Risk Report, financial services businesses are most likely to lose customers due to a cyber breach, with nearly two in five businesses (39%) surveyed seeing customers leave after a breach.
Cyber threats are constantly evolving, and many believe that this is an issue only technology can solve. What most firms don’t realize is that improving cybersecurity requires strengthening not only the digital firewall but also the human firewall. It only takes one small human mistake to lead to a big breach, so I propose that we examine cybersecurity from the human side. Let’s turn this perceived negative into a positive and look at four ways to build your human firewall and strengthen your cybersecurity defense.
1. Build cyber awareness into your business culture
It’s up to the business leaders to set the agenda for cybersecurity in the advice business and take charge of boosting its cyber resilience.
Initially, you can focus on just being “cyber aware” through regular training programs aimed to provide staff with the ability to make better decisions. The goal is not to create an entire business of cyber experts but rather, ensure that everyone from the mailroom to the c-suite and beyond has a basic understanding of cyber threats and what they should do if they come across one. Training and phishing simulations will help build “muscle memory,” but this is only the beginning. The end game is a cyber aware culture.
An important thing to note is that tick-the-box cyber training can lead to complacency and a false sense of security, whereas a cyber aware culture sinks into the firm’s DNA and takes time and effort to build. All staff need to take part in the training and in regular team cybersecurity discussions. This could mean adding cybersecurity as a standing item in your regular team meetings and discussing what’s working, what needs to be improved and any new ideas people may have. Once cybersecurity becomes top of mind, you are well on your way to having a strong cyber culture.
2. Practice good password hygiene
Passwords are such an important line of defense when it comes to protecting sensitive data, yet many businesses leave the responsibility of creating and protecting these “keys” to their staff. This means that strengthening your human firewall requires everyone at your firm to understand (and hopefully practice) good password hygiene:
- Keep your passwords safe – don’t write them on sticky notes.
- Choose complex passwords – have at least 12 random characters (16 is better and 18 is better still) made up of upper and lower case letters, numbers and symbols.
- Use a password manager – don’t just tell staff to use them, show them how it’s done.
- Keep an eye on major breaches and leaks and send out quick alerts to staff and clients (but more about that in a minute) suggesting that they update their passwords if there has been a breach.
- Never use any personal details in your passwords – social media is a fount of information for cybercriminals.
- Never share passwords – with anyone, inside or outside the firm.
Fun Fact: Jerry Hammond, once one of the FBI’s most wanted cybercriminals, was “undone” (and sentenced to 10 years’ jail time) by a weak password. It was his cat’s name... Chewy 123.
3. Implement least-privilege access across the business
This is something that can be done very quickly and easily if you already know who has access to what systems. Simply review the access provided to staff and ensure that everyone has the lowest level of access they need to do their job. After all, not everyone needs full admin capabilities for every system (and this includes your website).
Implementing this is a great cyber risk mitigation and governance hardening action. According to the 2021 Financial Services Data Risk Report by Varonis, financial services staff have access, on average, to 13% of the company’s total files. To put this into perspective: even teams in the smallest firms have unrestricted freedom to view, copy, move, change and delete data for over half a million files, including almost 20% of all files containing sensitive employee and customer data. By limiting staff access, you limit the access cybercriminals can get should they manage to trick one of your staff into clicking a bad link, opening an infected file or visiting a malware-riddled website. It also means that when employees leave, you know exactly what access to remove, rather than finding out too late that the “ex-marketing manager” is still on a business-sensitive email distribution list (a sad but true story).
4. Include your clients in your cyber awareness programs
Most cybersecurity discussions solely focus on training staff and having practical, accessible policies and appropriate antivirus software in place, but what about the client? In an advice world that is becoming increasingly homogenized, your business needs to stand apart (for the right reasons).
Your clients are humans, too, so they’re just as susceptible to making small mistakes that put themselves, and even possibly your business, at risk. Consider adding cybersecurity to your onboarding plans, annual reviews or even your newsletters and email communications. After all, do you know any advice businesses going the extra mile to ensure their clients are cyber safe? Hint: not enough, if any. Many clients may not understand phishing scams, the issues that arise when using personal email accounts as a data library, the importance of good password hygiene or staying up to date on the latest data breaches. Making sure they’re more cyber aware could be the best 5 minutes you spend with them.
Take the time to strengthen your human firewall
In the end, when it comes to cybersecurity risk mitigation for advice businesses, it takes more than just implementing a technology solution. Technology can help protect your data, files and information, and to some extent it can protect your people, but your staff and clients are still vulnerable to making small mistakes that could lead to big problems. That’s why strengthening your human firewall is just as important as strengthening your digital firewall. Building a cyber-aware culture, limiting system access and practicing good password hygiene are some easy ways to do this, so why not get started today?
About BCyber Pty Ltd
BCyber is a cyber risk mitigation company that works with advice groups to review and harden their cyber risk programs and grow their businesses. We use our own proprietary services and distribute a select number of innovative third-party solutions to strengthen cybersecurity postures. Each of BCyber’s co-founders spent over 20 years in financial services before moving into the cybersecurity space. They speak and understand the language of both the advice business and cybersecurity. Supported by the BCyber Chairman, Jack Diamond (a 20-year Board veteran), the team wants to bring cybersecurity out of the pure tech space and into the advice world.
Learn more at bcyber.com