BreachExchange mailing list archives

How to Curb Your Biggest Cybersecurity Threat


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 7 Aug 2015 14:01:27 -0600

http://www.investopedia.com/articles/professionals/080715/how-curb-your-biggest-cybersecurity-threat.asp

Morgan Stanley (MS) suffered its worst data breach in years last December,
when account information from about 900 of its wealth management
clients—including account names and numbers—was stolen and briefly posted
online. According to Forbes, the culprit was not an experienced hacker or
foreign government, but a rogue 30-year financial advisor who had recently
been promoted and may have been looking to sell the information to identity
thieves.

The term cybersecurity often evokes thoughts of viruses, hackers, and
spyware that’s preventable by installing anti-virus software and using
strong passwords, but as the anecdote above highlights, both malicious and
naïve employees are often left with free rein when it comes to client data.
At the same time, less than a third of financial advisors plan to invest in
cybersecurity, according to a survey by Investment News, creating a
potentially big security hole. (For related reading, see: 7 Cybersecurity
Tips for Advisors.)

In this article, we’ll take a look at how to train employees in order to
avoid accidental data leaks while implementing security measures to deter
malicious employees from taking any actions that could hurt the company.

Training Employees

The first step in preventing employee-related cybersecurity issues is
ensuring that they are properly educated when it comes to security. By
training employees with security best practices, companies can avoid
unintentional data leaks that can cause major cybersecurity scares, while
making life much more difficult for hackers looking to exploit weak
passwords and other “human factors” to gain access to confidential
information.

Some common issues to address include:

Virtual Private Network (VPN) – Ensure that users know how to securely
access a corporate VPN when they are working remotely.
Approved Password – Ensure that users generate strong passwords by
instituting password length and complexity requirements for all online
services.
Security Contact – Ensure that users know who to call when they think
they’ve made a mistake or have a security-related question. (For related
reading, see: SEC to Advisors: Implement Cybersecurity Plans.)

When it comes to phishing e-mails and similar scams, it can be difficult to
train employees to recognize them due to the evolving nature of the fraud.
The best way to prevent these problems is to improve system-level security
by implementing better spam filtering and other tools designed to alert
users, while encouraging users to immediately contact a security
professional when they suspect that they may have done something wrong.

Monitoring Systems

The second step in preventing employee-related cybersecurity issues is
implementing monitoring software to keep tabs on employees themselves.
While employers should generally be trusting of their employees, it’s never
a bad idea to monitor them when they’re using workplace machines, at least
on some level. Chief Compliance Officers or Chief Information Officers
should be responsible for these types of undertakings.

Some tips for tracking employees include:

Monitor Logs – Many cloud-based software solutions provide activity logs
for all advisor logins, which compliance officers should regularly check
for abnormalities.
Restrict Content – Companies can block certain websites or enable advisors
to only access white-listed websites to prevent unauthorized distribution
of data.
Track Everything – Some companies may want to install software to track
e-mails, IM sessions, and even log keystrokes to identify potential
problems in advance. (For related reading, see: Educating Your Clients
About Cybersecurity.)

Employees should be clearly advised about why and how they are being
monitored on their workplace machines. Unless a specific employee poses a
serious threat that requires covert monitoring, companies should outline
these details in an employee handbook or other form of hard documentation
that can be easily referenced. These documentation efforts can also serve
as a deterrent of their own against malicious actions.

The Bottom Line

Most people think of viruses and hackers when considering cybersecurity,
but employees are themselves a commonly exploited loophole. Financial
advisory firms should educate employees about security best practices in
order to prevent any accidental data leaks. Lastly, firms should consider
implementing security software and outlining their policies to deter any
malicious employees from taking action. (For related reading, see: Finding
and Retaining High Net Worth Clients.)
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
