itSynergy: Blog

man happy with IT security training

The Simple, Reputation-Protecting IT Security Solution RIAs Need

All is not fair in love, war, or IT security.

When you walk into a Home Depot you, aren’t greeted by a massive, “We got breached in 2014” sign. Pop-ups on Target’s site tell you about deals, not their 2013 breach.

But RIAs are essentially forced to slap this kind of advertisement on their firm after an incident – and it jeopardizes your ability to attract high-net-worth clients.

When RIAs are Breached, the Firm is Branded with a Scarlet Letter

Any RIA that experiences a breach is required to report the incident to federal regulators and current customers. You could be forced to tell future clients before they sign on as well. Even if you aren’t, they could easily discover the incident on their own. The SEC filings are public and can be pulled up with a quick Google search.

This “scarlet letter” of a past breach will forever dog your steps and invite doubt

Target’s business model doesn’t depend on trust. Yours does. Once people question if their money and personal data are safe in your hands, you’ve lost.

IT security training can protect your reputation

This is not anecdotal. Through the IT security training program we run, we have data insights about our clients and industry averages. It shows that after training sessions and phishing simulations, people are less likely to open, click or download malicious content.

Fewer clicks, less risk

It’s time to reduce risk and put in place a well-designed training program. Using our most successful clients as a model, we’ve come up with 3 dos and don’ts for RIA firms that want to decrease the risk of a reputation-destroying incident.

The Dos and Don’ts of Successful IT Security Training Programs

Do find the right balance

Like the 3 little bears, you’re looking for “just the right” amount of training.

We recommend once per quarter

If you move to annual or semi-annual, too much time passes, and people forget what they learned in the last session. To prevent fatigue, sessions last a minimum of 15 minutes but don’t exceed 30. Everything is delivered online.

Don’t just check a box

Yes, training is required but going through the motion “just to check a box” doesn’t serve anyone. Your employees won’t retain any information shared during a 15-minute video they watch once a year. You might be compliant, but your RIA firm could be exposed to lethal cyberattacks.

Successful programs

  • Are formalized
  • Track participation and engagement
  • Use a quiz or other test to see if people retained what they heard

Do send quarterly phishing tests

Reports indicate that 1 out of 3 untrained employees falls for phishing scams. Overcome this with training that simulates a phishing email. In our program, we send a variety of messages and then track who opens, clicks links, opens attachments or downloads files they shouldn’t.

Build a Solid Cybersecurity and Compliance Foundation

See How to Do It

Don’t shame people who make a mistake

When a recipient clicks a link, downloads an attachment, or does anything they shouldn’t, we follow up without shaming. It’s an educational conversation. We share how they could have identified it as a scam so if a real threat makes it through to their inbox they don’t fall for the same trick.

Do give extra training, as needed

Anyone who falls for a phishing email automatically gets extra training. It’s not onerous. Instead of one class that quarter, they have a second session.

Don’t let people off the hook

Executive buy-in is the #1 predictor of success for IT security training. There should be a company-wide policy in place that has teeth. Managers should intervene with your standard disciplinary procedure when people don’t complete training courses.

Hands down, this client has seen the greatest drop off in clicks

One of our clients has rigid rules in place for their program. If someone doesn’t complete training, they lose access to email. Few employees at the company can function without email, so they complete the program and stop falling for scams.

No exceptions for superstars

There will always be people who try to get out of training. When one of those holdouts is one of your superstars with high net-worth clients, it’s tempting to make an exception. Don’t. If they accidentally click on a phishing link and you’re breached, everyone at your entire firm will suffer client attrition. At that point, you’ll wonder if it was worth it to let the top employee off the hook.

Get IT Security Training and Keep Your Reputation Intact

You shouldn’t find yourself in a position where an errant click brands you with the scarlet letter of a cyber breach.

We’re here to help you protect your clients, employees and reputation

Contact us to talk through setting up an IT security training program today.

Protect Your Reputation



itSynergy has been providing managed IT services and outsourced technology management to small- and mid-sized businesses for over 20 years. We are seen as trusted technology advisors by clients because we partner with them for success. Our philosophy is that when technology works as it should, it supports and enhances an organization’s ability to accomplish its goals and objectives and meet business growth goals.