“Folks generally know what to do if there is a disaster, but don’t know what to do if there is a breach,” Jacko says. “The most important safeguards are that employees have a conscious awareness of what creates a vulnerability and how to mitigate that. Firms need to take a tactical approach to security.”

New York-based cloud IT provider ExternalIT helps clients prepare for potential hacking attempts by engaging their employees in dry runs — a tactic that might also prepare them for the OCIE.

“Training is more about developing good habits than it is about where and how hackers will breach,” ExternalIT president Sam Attias says. “Over 60 percent of breaches occur just because employees are making mistakes.”

Last year, ExternalIT released a white paper identifying some of the more common cybersecurity deficiencies in the financial advising industry.

According to the white paper, firms are failing to control the internal movement of private or personal data.

“Most vulnerabilities we’re finding are a result of the end user not being aware and not taking steps to protect things like their mobile phone,” Jacko says. “While firms often have good security policies in the office, when they have a bring your own device policy with their employees a lot of vulnerabilities occur, and these are often unaccounted for.”

Part of the difficulty, Jacko says, is that it’s taken the financial services industry so long to catch up to modern innovations that allow clients to interact digitally with their accounts and financial information, and allow advisors to work from home.

“As we deploy new technology, we’re going to have to take additional steps to remain protected and compliant,” Jacko says. “Five years ago firms were worried about making sure they could keep going through a snow storm or an earthquake, and they were struggling with it. Now they have to protect information accessible through web servers and mobile devices; it’s like a Pandora’s box.”

Internal risks are most often caused by negligence, Attias says, as employees and vendors accidentally expose their networks to threats via malware and phishing.

Core Compliance and Legal Services teaches individual employees about cybersecurity best practices by having them first protect their personal devices, then apply those lessons to their office computers and networks.