In recent years, companies in nearly every industry have started buckling down on data security to protect against elusive hackers and phishers. But after a Morgan Stanley employee was accused of accessing the data of a whopping 350,000 clients and enabling a hacker to do the same, it's apparent that internal threats have become an equally devastating danger in the finance world and beyond.

In a survey of 438 IT professionals in U.S.-based companies, 77 percent cited employees as their biggest security vulnerability. And according to a Ponemon Institute study, 71 percent of employees reported having access to data they shouldn't. These are scary statistics for any business -- but they're especially frightening for those in the finance sector, where trust is paramount to advisor-client relationships and a company's bottom line.

In the case of Morgan Stanley’s clients, the story appears to have turned out OK: The data was recovered, and no one has reported a financial loss as a result. But even though Morgan Stanley may have retrieved the data, mending client trust won’t be as easy.

Client Trust Is a Valuable Commodity

Financial advisory firms aren't the only ones giving too many employees access to private client data, but they do stand to lose the most. Client trust is much more difficult to come by in the financial world. And simply being in the advisory business makes you a more attractive target, both to outside attackers and to insiders who already hold legitimate access.

Despite major security breaches, consumers have started filtering back into retailers like Target and Home Depot. But in finance, restoring your image takes much more time and money.

After the U.S. financial crisis, a majority of finance execs cited negative perception as the primary reason that business declined 27 percent. And years later, this perception persists. Combine this with the fact that, on average, financial institutions suffer a 6.1 percent loss of business after a breach, and you have the recipe for serious long-term damage.

While most advisory firms have at least some form of security to protect themselves from outside threats, internal security tends to be more lax. Because you and your team need access to client information, you might have an "open door" data policy in place to improve productivity. Your firm simply may not recognize the elevated risk of malicious or accidental exposure of sensitive client and company information. Either way, safeguarding client information should be your top priority.

Manage Data Access to Keep Your Clients’ Trust Intact

You don’t need a giant security team to protect your clients’ data. By rethinking the way you treat data internally, you can help avoid a situation like Morgan Stanley’s.

Here are four ways to do that:

1. Get your IT security policies up to par.
Technology and threats have evolved dramatically over the past two years. If your firm doesn't have a current IT security policy in place, now is the time to draft one and review it with other company stakeholders. It's imperative to address how you handle any client information you are storing or using. A policy must be in place to cover which employee-owned devices are allowed in the workplace. BYOD (bring your own device) and wearable devices can introduce the risk of compromising your clients' data. Devices can record audio or video of sensitive information presented on whiteboards or at internal meetings. Some devices can also reach the Internet over their own cellular or Wi-Fi connection, bypassing your network controls without your knowledge.

Rather than leave the data doors open to all employees, grant access only to the employees whose job requires it, and deny everything else by default. Pay special attention to anything that can be considered personally identifiable information (PII), then determine which people have access to it and whether it's properly encrypted. Establish an audit trail that records who accessed which records and when, and review it for unusual patterns, such as one person pulling far more client records than their role would ever need. Push for internal access controls and network segmentation so employees can't stumble across information they shouldn't have access to.

Consider a separation of duties; don't simply focus on the obvious pieces of sensitive data, like client log-ins and Social Security numbers -- that's how Morgan Stanley got in hot water. Make sure any and all PII is encrypted and monitored, and never store or transmit it in clear text or send it to a printer where anyone can pick it up. Remove confidential PII from internal reports and research to keep it out of the wrong employees' hands.
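The access controls described above, as an added example that is not code from the original article or from CloudEntr: a small Python model of deny-by-default, role-based access to client records, with an audit trail of every attempt, PII removal before a record goes into an internal report, and a check over the audit trail that flags anyone whose reads span an unusual number of distinct clients. The roles, permitted fields, client records and the alert threshold are all hypothetical, and the client data is constructed for illustration.

```python
"""Least-privilege access to client records with an audit trail.

Added example, not code from the original article or from CloudEntr. The
roles, permitted fields, client records and the alert threshold are all
hypothetical; the client records are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample records. Names, SSNs and logins are made up.
CLIENTS: Dict[str, dict] = {
    "C-1001": {"name": "Ada Lovelace", "ssn": "123-45-6789",
               "account_login": "alovelace", "balance": 250000.0,
               "advisor": "u.kim"},
    "C-1002": {"name": "Grace Hopper", "ssn": "987-65-4321",
               "account_login": "ghopper", "balance": 82000.0,
               "advisor": "u.diaz"},
    "C-1003": {"name": "Alan Turing", "ssn": "555-12-3456",
               "account_login": "aturing", "balance": 41000.0,
               "advisor": "u.kim"},
}

# Fields that must never appear in internal reports or research output.
PII_FIELDS: Set[str] = {"ssn", "account_login"}

# Deny by default: a role can read only the fields listed for it, and a
# role that is not listed at all can read nothing.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "advisor": {"name", "balance", "advisor"},
    "operations": {"name", "ssn", "account_login"},
    "research": {"balance"},
}


@dataclass
class User:
    username: str
    role: str


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    client_id: str
    fields: tuple
    allowed: bool
    reason: str


# In-memory audit trail; a real deployment would write this to append-only
# storage that the people being audited cannot edit.
AUDIT_LOG: List[AuditEvent] = []


def _audit(user: User, client_id: str, fields: Set[str],
           allowed: bool, reason: str) -> None:
    AUDIT_LOG.append(AuditEvent(
        datetime.now(timezone.utc).isoformat(), user.username, client_id,
        tuple(sorted(fields)), allowed, reason))


def read_client(user: User, client_id: str,
                fields: Iterable[str]) -> Optional[dict]:
    """Return the requested fields if the user's role permits every one of
    them, otherwise nothing. Every attempt, allowed or not, is logged."""
    requested = set(fields)
    record = CLIENTS.get(client_id)
    if record is None:
        _audit(user, client_id, requested, False, "no such client")
        return None
    # Advisors see only the clients assigned to them, whatever the fields.
    if user.role == "advisor" and record["advisor"] != user.username:
        _audit(user, client_id, requested, False,
               "client not assigned to this advisor")
        return None
    denied = requested - ROLE_FIELDS.get(user.role, set())
    if denied:
        # Fail closed: asking for anything out of scope yields nothing.
        _audit(user, client_id, requested, False,
               "fields not permitted for role %s: %s"
               % (user.role, sorted(denied)))
        return None
    _audit(user, client_id, requested, True, "ok")
    return {f: record[f] for f in requested}


def redact_for_report(record: dict) -> dict:
    """Drop PII fields before a record is copied into a report or research note."""
    return {k: v for k, v in record.items() if k not in PII_FIELDS}


def bulk_access_alerts(threshold: int) -> List[str]:
    """Users whose successful reads span more distinct clients than
    `threshold`: the pattern a mass export of client records leaves behind."""
    clients_by_user: Dict[str, Set[str]] = {}
    for event in AUDIT_LOG:
        if event.allowed:
            clients_by_user.setdefault(event.user, set()).add(event.client_id)
    return sorted(u for u, ids in clients_by_user.items() if len(ids) > threshold)


if __name__ == "__main__":
    kim = User("u.kim", "advisor")
    print(read_client(kim, "C-1001", ["name", "balance"]))  # permitted
    print(read_client(kim, "C-1001", ["ssn"]))              # None: not an advisor field
    print(read_client(kim, "C-1002", ["name"]))             # None: not kim's client
    print(redact_for_report(CLIENTS["C-1002"]))
    for event in AUDIT_LOG:
        print(event)
```

Two design points carry over to any real system: a request that asks for even one field outside the role's scope is refused entirely rather than partially answered, so a caller cannot probe for what it is allowed to see, and the denied attempts are logged alongside the allowed ones, because a run of refusals from one account is often the earliest sign that someone is looking for data they should not have.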

2. Inform key stakeholders about security plans and threats.
This may be one of the most overlooked aspects of a solid security plan. Management, employees, business partners and even clients need to be informed about the security procedures you expect, as well as the processes for detecting and avoiding possible threats.

Inform your team members of the most common ways hackers try to infiltrate a system. They should know, for instance, that almost half of financial advisors have reported phishing attempts, with over 25 percent of those companies reporting losses. They should also understand the potential costs of these breaches. Sensitizing others to possible threats is a powerful way to encourage vigilance. Highlight rules around network usage, files and client information, along with the consequences for breaking those rules.

Lastly, but possibly most importantly, employees should know to always speak up with questions or concerns when it comes to security. The best and most cost-effective early warning can come from your own team members and clients. Make it easy for them to report any signs of suspicious activity.

3. Vet your partners.
Ideally, your partners shouldn't add to your worries. In reality, many cyber attacks come in through third-party vendor relationships. A chain is only as strong as its weakest link, so make sure your business partners are just as diligent about security as you are. Ask to see their security policies, and review any outside audits of their processes. Ask whether they've ever been breached or filed an incident report. If so, find out what they've done to ensure it won't happen again. Make sure your business partners and cloud vendors live up to your standards, not just theirs.

4. Prepare for the worst-case scenario.
No one wants to think about the worst-case scenario. But if a breach does occur, having an incident response plan can save your company from the debilitating aftermath of a hack.

Make a plan for the various severities of compromise, including the next steps, contact information, remediation plans, who must be notified (clients, regulators, law enforcement) and by when, and crisis communication notes to clients. Putting these plans in place in advance can mean the difference between a minor setback and a total loss of client trust and potential business.

Consider cybersecurity insurance as well. Depending on the policy's terms, it can help cover legal costs in the event of a lawsuit and help you recoup some of the financial losses after a breach. It can also give you a competitive advantage: Only 9 percent of financial advisors currently guarantee that they'll protect clients in cyber-related issues.

While Morgan Stanley’s security breach might leave a permanent scar on its reputation, your firm can avoid a similar fate. Don’t take internal threats lightly. Limit access to your clients’ valuable information, and you’ll protect your clients -- and your bottom line -- from the costly consequences.

Tom Smith is the VP of business development and strategy for CloudEntr by Gemalto, where he is helping to define and execute Gemalto’s identity and access initiatives in the cloud. Tom has over 30 years of experience with security, mobile, and cloud technologies, including founding executive roles at four technology companies. Read more about keeping client data safe on the CloudEntr Cloud Security Blog.