Here are four ways to do that:

1. Get your IT security policies up to par.
Technology and threats have evolved dramatically over the past two years. If your firm doesn’t have a current IT security policy in place, now is the time to draft one and review it with other company stakeholders. It’s imperative to address how you handle any client information you are storing or using. A policy must be in place to cover which employee-owned devices are allowed in the workplace. BYOIT and wearable devices can introduce the risk of compromising your clients’ data. Devices can record audio or video of sensitive information presented on whiteboards or at internal meetings. Some devices can also connect to the Internet without your knowledge.

Rather than leave the data doors open to all employees, only allow access to relevant employees. Pay special attention to anything that can be considered personally identifiable information (PII), then determine which people have access to it and whether it’s properly encrypted. Establish an audit trail to make sure you know who has been accessing what. Push for internal protections and firewalls so employees can’t stumble across information they shouldn’t have access to.

Consider a separation of duties; don’t simply focus on the obvious pieces of sensitive data, like client log-ins and Social Security numbers -- that’s how Morgan Stanley got in hot water. Make sure any and all PII is encrypted and monitored, and never store, send, or print it in clear text. Remove confidential PII from internal reports and research to keep it out of the wrong employees’ hands.

2. Inform key stakeholders about security plans and threats.
This may be one of the most overlooked aspects of a solid security plan. Management, employees, business partners and even clients need to be informed about the security procedures you expect, as well as the processes for detecting and avoiding possible threats.

Inform your team members of the most common ways hackers try to infiltrate a system. They should know, for instance, that almost half of financial advisors have reported phishing attempts, with over 25 percent of those companies reporting losses. They should also understand the potential costs of these breaches. Sensitizing others to possible threats is a powerful way to encourage vigilance. Highlight rules around network usage, files and client information, along with the consequences for breaking those rules.

Lastly, but possibly most importantly, employees should know to always speak up with questions or concerns when it comes to security. The best and most cost-effective early warning can come from your own team members and clients. Make it easy for them to report any signs of suspicious activity.

3. Vet your partners.
Ideally, your partners shouldn’t add to your worries. In reality, many cyber attacks occur through third-party vendor relationships. A chain is only as strong as its weakest link, so make sure your business partners are just as diligent about security as you are. Ask to see their security policies, and review any outside audits of their processes. Ask whether they’ve ever been breached or filed an incident report. If so, find out what they’ve done to ensure it won’t happen again. Make sure your business partners and cloud vendors live up to your standards, not just theirs.

4. Prepare for the worst-case scenario.
No one wants to think about the worst-case scenario. But if a breach does occur, having an incident response plan can save your company from the debilitating aftermath of a hack.

Make a plan for the various severities of compromise, including the next steps, contact information, remediation plans and crisis communication notes to clients. Putting these plans in place in advance can mean the difference between a minor setback and a total loss of client trust and potential business.