All is not fair in love, war, or IT security.
When you walk into a Home Depot, you aren't greeted by a massive "We got breached in 2014" sign. Pop-ups on Target's site tell you about deals, not about its 2013 breach.
But RIAs are essentially forced to slap this kind of advertisement on their firm after an incident – and it jeopardizes your ability to attract high-net-worth clients.
When RIAs are Breached, the Firm is Branded with a Scarlet Letter
An RIA that experiences a breach is generally required to report the incident to regulators and to notify its current clients. You may also have to disclose it to prospective clients before they sign on. Even if you don't, they can easily discover the incident on their own: SEC filings are public and can be pulled up with a quick Google search.
This "scarlet letter" of a past breach will forever dog your steps and invite doubt.
Target’s business model doesn’t depend on trust. Yours does. Once people question if their money and personal data are safe in your hands, you’ve lost.
IT security training can protect your reputation
This is not anecdotal. Through the IT security training program we run, we have data on our own clients and on industry averages, and it shows that after training sessions and phishing simulations, people are less likely to open, click or download malicious content.
Fewer clicks, less risk
It's time to reduce risk by putting a well-designed training program in place. Using our most successful clients as a model, we've come up with three pairs of dos and don'ts for RIA firms that want to decrease the risk of a reputation-destroying incident.
The Dos and Don’ts of Successful IT Security Training Programs
Do find the right balance
Like Goldilocks and the three bears, you're looking for the amount of training that is "just right."
We recommend once per quarter
If you move to annual or semi-annual training, too much time passes and people forget what they learned in the last session. To prevent fatigue, sessions last a minimum of 15 minutes but don't exceed 30. Everything is delivered online.
Don’t just check a box
Yes, training is required, but going through the motions "just to check a box" doesn't serve anyone. Your employees won't retain anything from a 15-minute video they watch once a year. You might be compliant, but your RIA firm is still exposed to serious cyberattacks. The programs that actually change behavior:
- Are formalized
- Track participation and engagement
- Use a quiz or other test to see whether people retained what they heard
Do send quarterly phishing tests
Industry reports indicate that roughly 1 in 3 untrained employees falls for phishing scams. Overcome this with training that simulates a phishing email. In our program, we send a variety of messages and then track who opens them, clicks links, opens attachments or downloads files they shouldn't.
Don’t shame people who make a mistake
When a recipient clicks a link, downloads an attachment, or does anything they shouldn’t, we follow up without shaming. It’s an educational conversation. We share how they could have identified it as a scam so if a real threat makes it through to their inbox they don’t fall for the same trick.
Do give extra training, as needed
Anyone who falls for a phishing email automatically gets extra training. It isn't onerous: instead of one session that quarter, they take two.
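As an added example (not the program or code described in this post), here is how the tracking behind a phishing simulation can be built so that it feeds the follow-up steps above: each recipient gets a personal link, the web server's access log is attributed back to individuals, and the people who clicked or downloaded fall out as the list that gets the extra session. The tracking host, HMAC key, employee names and log lines are all constructed for illustration. The design point worth copying is the token: an HMAC over campaign and recipient, rather than the recipient's address in the URL, so the link leaks no identity, nobody can forge a colleague's token, and a stale link from last quarter's campaign does not count against this one.

```python
"""Per-recipient tracking for a phishing simulation (added example, not the vendor's code).
Tracking host, key, employees and log lines are constructed for the demo."""
import base64
import hashlib
import hmac
import re

TRACK_HOST = "https://track.example.invalid"   # assumed tracking domain
KEY = b"per-campaign-secret-rotate-me"         # assumed secret; load from a vault in practice

# Path prefix -> what the recipient did: /o/ tracking pixel, /c/ lure link, /a/ "attachment".
KINDS = {"o": "opened", "c": "clicked", "a": "downloaded"}
LOG_RE = re.compile(r'"GET /(?P<kind>[oca])/(?P<campaign>[\w-]+)/(?P<token>[\w-]+) ')


def make_token(campaign_id: str, employee_id: str, key: bytes = KEY) -> str:
    """Opaque token binding one recipient to one campaign (HMAC, not the address itself)."""
    msg = f"{campaign_id}|{employee_id}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()


def build_campaign(campaign_id: str, employees: list[str], key: bytes = KEY) -> dict[str, str]:
    """Map each employee to their personal token for this campaign."""
    return {emp: make_token(campaign_id, emp, key) for emp in employees}


def tracked_url(campaign_id: str, token: str) -> str:
    """The lure link that goes into the recipient's email."""
    return f"{TRACK_HOST}/c/{campaign_id}/{token}"


def tally(log_lines, campaign_id, emp_to_token):
    """Attribute access-log hits to recipients.

    Returns ({employee: set(actions)}, unknown_token_hits). Hits carrying a token
    we never issued (scanners, guessed tokens) are counted but attributed to nobody.
    """
    token_to_emp = {t: e for e, t in emp_to_token.items()}
    results = {emp: set() for emp in emp_to_token}
    unknown = 0
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["campaign"] != campaign_id:
            continue                      # unrelated traffic or another campaign
        emp = token_to_emp.get(m["token"])
        if emp is None:
            unknown += 1
            continue
        results[emp].add(KINDS[m["kind"]])
    return results, unknown


def report(results):
    """Summarize a campaign: who failed (and therefore gets the extra session)."""
    failed = sorted(e for e, a in results.items() if a & {"clicked", "downloaded"})
    opened_only = sorted(e for e, a in results.items() if a == {"opened"})
    n = len(results)
    return {
        "recipients": n,
        "failed": failed,                 # remediation training for these people
        "opened_only": opened_only,       # opened the mail but did not act on it
        "click_rate": len(failed) / n if n else 0.0,
    }


CAMPAIGN = "q3-sim"
EMPLOYEES = ["alice", "bob", "carol", "dave", "erin", "frank"]


def constructed_log(t: dict[str, str]) -> list[str]:
    """Constructed access-log lines (not real traffic) in common log format."""
    return [
        f'203.0.113.5 - - [03/Oct/2023:09:14:02 +0000] "GET /o/{CAMPAIGN}/{t["alice"]} HTTP/1.1" 200 43',
        f'203.0.113.5 - - [03/Oct/2023:09:14:09 +0000] "GET /c/{CAMPAIGN}/{t["alice"]} HTTP/1.1" 200 512',
        f'198.51.100.7 - - [03/Oct/2023:09:20:41 +0000] "GET /o/{CAMPAIGN}/{t["bob"]} HTTP/1.1" 200 43',
        f'198.51.100.9 - - [03/Oct/2023:10:02:17 +0000] "GET /a/{CAMPAIGN}/{t["carol"]} HTTP/1.1" 200 20480',
        # a guessed token: must not be attributed to anyone
        f'192.0.2.44 - - [03/Oct/2023:11:30:00 +0000] "GET /c/{CAMPAIGN}/AAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 404 0',
        # a stale link from last quarter's campaign: ignored for this one
        f'198.51.100.12 - - [03/Oct/2023:12:00:00 +0000] "GET /c/q2-sim/{t["erin"]} HTTP/1.1" 200 512',
    ]


def demo() -> dict:
    """Run the constructed campaign end to end and return the report."""
    emp_to_token = build_campaign(CAMPAIGN, EMPLOYEES)
    results, unknown = tally(constructed_log(emp_to_token), CAMPAIGN, emp_to_token)
    rep = report(results)
    rep["unknown_token_hits"] = unknown
    return rep


if __name__ == "__main__":
    for emp, tok in build_campaign(CAMPAIGN, EMPLOYEES).items():
        print(f"{emp:6} {tracked_url(CAMPAIGN, tok)}")
    print(demo())
```

On the constructed data, two of six recipients fail (alice clicked, carol downloaded the "attachment"), bob opened but did nothing, the guessed token is counted as an unknown hit rather than pinned on anyone, and erin's hit on the old campaign's link is not counted at all. The `failed` list is what drives the no-shaming follow-up and the second session that quarter.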
Don’t let people off the hook
Executive buy-in is the #1 predictor of success for IT security training. There should be a company-wide policy in place that has teeth. Managers should intervene with your standard disciplinary procedure when people don’t complete training courses.
Hands down, the client with the strictest rules has seen the greatest drop-off in clicks
One of our clients has rigid rules in place for their program. If someone doesn’t complete training, they lose access to email. Few employees at the company can function without email, so they complete the program and stop falling for scams.
No exceptions for superstars
There will always be people who try to get out of training. When one of those holdouts is a superstar who brings in high-net-worth clients, it's tempting to make an exception. Don't. If they click a phishing link and you're breached, the entire firm will suffer client attrition, and you'll wonder whether letting your top producer off the hook was worth it.
Get IT Security Training and Keep Your Reputation Intact
You shouldn’t find yourself in a position where an errant click brands you with the scarlet letter of a cyber breach.
We’re here to help you protect your clients, employees and reputation
Contact us to talk through setting up an IT security training program today.