Training your employees to be cyberaware and cybersecure
January’s initial flurry of activity is winding down, and you are likely beginning to think about your annual compliance review, including mandatory compliance training. At this time last year, we were eagerly awaiting the results of the SEC’s First Cybersecurity Sweep. The 2015 Exam priorities had been released, indicating that OCIE was going to focus on Cybersecurity, “examining investment adviser’s cybersecurity compliance and controls.”[i] The results of the cybersecurity sweep were released in early February, providing a statistical look at the industry. In April, the Division of Investment Management released their Cybersecurity Guidance, recommending that cybersecurity strategies be implemented through “written policies and procedures and training…”[ii] (For more on the DIM’s guidance, refer to our May 4, 2015 Post “SEC Offers Cybersecurity Guidance.”) To compound the import of the DIM’s guidance, the SEC issued a second cybersecurity Sweep Request with the following mention:
Without Proper Training, employees and vendors may put a firm’s data at risk. Some breaches may result from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured connection, or opening messages or downloading attachments from an unknown source.[iii]
The Sweep Request went on to say that “examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior.”[iv] Combining these documents, the SEC has issued its 2016 Exam Priorities letter, stating, again, a focus on cybersecurity.[v]
Taken as a whole, these separate warning shots paint a clear picture: any adequate training program must include cybersecurity. But what should you be training your employees on? We have previously touched on the issue in our June 2015 Post “Training – Are You Doing Enough To Meet Regulatory Expectations?” Today, though, we’d like to offer these 5 clear, actionable cybersecurity pointers that you can share with your employees to create a safer, more secure workspace.
5 Simple Cybersecurity Steps:
Hover over links before clicking
Viruses and malware can be installed when a user clicks on a malicious link. These links can be disguised to appear legitimate, especially when the reader is in a hurry. Train your employees to take their time and to hover over all links before they click on them, to confirm that the link actually goes to the purported location. They should also pay attention to the link itself: spoofing can be as simple as replacing an “l” with the number “1”. When they’re in a hurry, http://www.fide1ity.com can look an awful lot like http://www.fidelity.com.
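The hover check described above can also be automated, for example in a mail filter. The following is an added example, not part of the original post: it compares a link's destination against an allowlist and flags character swaps such as “1” for “l”. The allowlist, the substitution table and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the firm actually expects links to.
TRUSTED = {"fidelity.com", "sec.gov"}
# Small illustrative set of look-alike substitutions (not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))


def host_of(url):
    """Return the lower-cased hostname of a URL, with or without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def skeleton(name):
    """Collapse characters that are easily mistaken for one another."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def trusted_parent(host):
    """Return the trusted domain that host belongs to, or None."""
    return next((d for d in TRUSTED if host == d or host.endswith("." + d)), None)


def imitated_domain(host):
    """Return the trusted domain that host visually imitates, or None."""
    if trusted_parent(host):
        return None
    labels = host.split(".")
    suffixes = {skeleton(".".join(labels[i:])) for i in range(len(labels))}
    return next((d for d in sorted(TRUSTED) if skeleton(d) in suffixes), None)


def check_link(display_text, href):
    """Classify a link the way a careful reader would after hovering."""
    target = host_of(href)
    fake_of = imitated_domain(target)
    if fake_of:
        return "lookalike of " + fake_of
    # Treat the visible text as a URL only when it has no spaces in it.
    shown = "" if " " in display_text.strip() else host_of(display_text)
    if trusted_parent(shown) and trusted_parent(shown) != trusted_parent(target):
        return "text and destination differ"
    return "trusted" if trusted_parent(target) else "unknown"
```

A result of “unknown” only means the destination is not on the allowlist; it is a prompt to look more closely, not a verdict.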
Utilize your VPN from Home or when Traveling
Your firm’s Virtual Private Network (should you utilize one) allows for secure transmission of files to remote workers across an encrypted tunnel. Utilizing a VPN can prevent attackers from snooping on your internet traffic and preserve the confidentiality of the information you are transmitting over the internet. When your employees are working from home, encourage the use of the Secure VPN. When employees travel and may connect to the internet from public locations, including coffee shops, airports, and hotels, REQUIRE the use of the VPN.
Don’t connect to Company Resources on Public Computers
It can be tempting to log into your company portal or Outlook Web Access from a kiosk computer in a hotel, airport, or other public location. Employees should be trained not to use these public computers for any business purpose. The main threat here comes from keystroke loggers and other skimming devices that attempt to capture a user’s credentials as they are typed into the public, insecure machine. It may be especially tempting to quickly log in to corporate email to print a boarding pass, but remind employees that airlines don’t charge to print a boarding pass, so there’s no need to get a pass before heading to the airport.
Keep your Passwords Unique and Separate
Password security is paramount in any business environment; however, most employees have a hard time remembering all of the passwords that they are supposed to use. If a business requires that an employee have multiple passwords, the temptation to use the same password for multiple logins increases. This must be avoided. Perhaps the greatest risk is the sharing of passwords between business and private sites. There is a greater risk of infection or malware on an employee’s personal computer that is not administered by the firm. Should an employee use the same password across business and personal sites, a compromise of a personal device could easily lead to a compromise of the business network. Simply put: do not allow passwords in common. Employees can consider a password manager for their personal purposes, but remind them that the master password should, in that instance, be especially complex and itself maintained securely.
Report anything out of the ordinary
Despite your best efforts at training or the increased vigilance of your employees, mistakes can and do happen. Employees should be trained not to fear the IT department, or to fear admitting that they clicked on a link that put a virus on the network. Employees should also be trained not to try to fix the problem themselves, but rather to report the issue to your firm’s responsible party as soon as they identify a problem. By knowing that something is going wrong, the IT department can take proper steps to fix the issue and, if necessary, commence incident response and recovery plans – including forensics. If your IT department doesn’t know that anything has happened, there is a considerable risk that the attack could persist, undiscovered, for a longer period of time. The motto for your employees should be simple: when in doubt, report it. Only by sharing information within your firm can you hope to increase security.
Conclusion
There are many more steps that a business can take to be more secure, but these five points should be a good start to any comprehensive cybersecurity training program. Notably, the SEC’s second sweep has emphasized the applicability of training to an individual’s role within the firm. Those people within your firm who handle sensitive information should likely have different training from an administrative assistant. Notice we didn’t say more training; we said different training. The administrative assistant can be a vector for social engineering attacks, as they are often the gatekeepers to the executive level. Training for these individuals should focus on their particular risks. In addition, training should be tailored to include any specific cybersecurity events that your firm has encountered. Utilize these moments (both good and bad) as opportunities. It’s important, whenever possible, to pull training out of the theoretical. By tying the regulatory focus to your firm’s specific events, you will create an engaging training that your employees will remember and carry with them into their daily tasks, leaving your firm more secure.
[i] SEC’s 2015 Exam Priorities – https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf
[ii] DIM 2015 Cybersecurity Guidance – https://www.sec.gov/investment/im-guidance-2015-02.pdf
[iii] OCIE’s 2015 Cybersecurity Examination Initiative – https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
[iv] Ibid.
[v] SEC’s 2016 Exam Priorities – https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf