The Division of Investment Management’s recent cybersecurity guidance suggested that firms consider implementing training to provide guidance to officers and employees “concerning applicable threats and measures to prevent, detect, and respond to… threats and that monitor compliance with cybersecurity policies and procedures.” In addition, the Division suggested that firms “may wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts.”
Starting or Measuring Your Program:
In its 20 Critical Security Controls, SANS has identified a security skills assessment as a key starting point for any cybersecurity training program. To determine where to best allocate resources for any program, it is essential that you first take the time to benchmark all of your staff. By figuring out which areas are sufficiently understood and which need improvement, you can target areas of real vulnerability, making your training modules smaller and more efficient, as well as more engaging for the target audience. Keep in mind, as you are developing a framework to measure your baseline, that different roles may have different requirements. For instance, it may not be necessary for front-line employees to understand privilege management, but it certainly would be for network administrators or management.
Training Employees & Management:
Training your employees is an essential part of any cybersecurity program. Your staff can be the front line in an attack, and a forewarned team can be a forearmed team, possibly stopping an attack or intrusion in its tracks before it causes harm. As you are developing your training for employees, consider the following points:
- Handling Confidential Information – if your employees don’t understand the expectations and procedures surrounding the handling of confidential information, they cannot be expected to adequately protect it. Ensure that your training program covers the basic points of confidential information, including what constitutes confidential information and how it must be treated. Unless your baseline analysis has told you otherwise, you must start from the most basic points.
- Phishing Scams – Employees must be aware of phishing scams and general social engineering on two fronts: first, they may be the target of a scam or attempted attack to gain their credentials or other important confidential information. Second, an employee may find himself or herself in a position where a customer’s credentials have been compromised by an attacker using a phishing scam or other form of attack. When constructing a training program, these human touch points are of great importance. Attacks that rely on persuading someone to give up information are cheap to execute, and employees must expect to receive this type of attack at some point.
- Reporting and Escalation – Employees must clearly understand their responsibilities if they discover something that they believe to be out of the ordinary. Training in this area should focus on establishing clear communication channels and expectations for a range of scenarios, including the above-mentioned phishing attack. Both employees and management must also be trained on the procedures to follow in the event of lost hardware, including smartphones and laptops.
- Identity Protection – Employee training should take the time to address the importance of credential security. Under no circumstances should an employee utilize another’s username and password combination for any purpose. Additionally, employees should be trained to change their password in the event they suspect someone else may have access to it, even if they do not believe there to be any malicious intent behind such an act. Finally, employees must be trained to lock their computers when they leave their desks, as well as to set automatic lock-outs on all mobile devices and laptops. While these controls should be centrally administered, awareness of such common protective measures should always remain part of your training.
- Physical Security – Employees should be trained to notice any changes in the physical environment, and to notify superiors when something in the physical office environment seems out of place. In line with the notion of empowerment, employee training should cover how to challenge strangers effectively. A workplace can be made more secure with the use of keycards and other access controls, but at the end of the day, it is the vigilance of an employee that will prevent an unauthorized physical breach.
Training Customers/Clients:
Your customers and clients are an integral part of your security posture. Although they can’t be forced to undergo mandatory annual privacy training, you can help them do their part in securing their access to your networks and portals. Consider the following suggestions:
- Remind clients of your firm’s policies and procedures with respect to information sharing. Make sure that your clients are aware of what information you will ask for and what information you will NOT ask for, either online or on the telephone.
- Enforce complex passwords and remind users to change their password frequently and not to use the same password for multiple sites.
- If your communication protocols forbid links in emails, you should remind your clients to never click on a link in an email that may appear to be from your firm.
- Remind clients not to connect to any portal you may operate from an unprotected network (such as at a coffee shop or at an airport).
- Remind clients to contact your firm immediately if they suspect their password or login credentials may have been compromised.
These pointers are merely tips to get your program headed off in the right direction. If you have any questions regarding conducting a baseline analysis or the development of effective, custom training for your staff and customers, please feel free to contact us at 860-248-4100 or Lyman@ArtemisSecure.com.
For Further Reading:
Division of Investment Management Cybersecurity Guidance
FINRA Report on Cybersecurity Practices
NIST SP 800-50 – Building an Information Technology Security Awareness and Training Program*
SANS 20 Critical Cybersecurity Controls
*Note – This publication, while helpful, is 12 years old at this point. We would not recommend basing a program solely off the guidance contained in this document.