When Securities and Exchange Commission examiners evaluate a business's cybersecurity preparedness, they may focus on how well you have trained employees to act responsibly and on whether that training is tailored to specific job functions.
Make training intentional and keep staff current. Instead of a single two-hour cybersecurity session each year, consider 30 minutes of training every month on rotating topics, such as recognizing phishing emails, fake calls from the IRS, and callers impersonating clients.
Get employees involved in writing and revising your policies and procedures for the six key cybersecurity areas. It also helps to designate leaders with specific knowledge and defined response roles for the different kinds of security events your business may face.
Extend Training to Clients
Internal education and communication about cybersecurity are necessary, but the responsibility extends to clients as well. The security of your operations is linked to the care clients take with their own information.
As you build client relationships, set some ground rules for secure communication; for example, emailing a client to schedule a phone call before discussing certain sensitive material. Teach clients how to recognize phishing scams and other threats that lie outside your business's direct control but could still affect you through asset loss and data breach claims. Easy ways to educate clients and staff include sending articles and podcasts (try Cyberwire and Security Now) that cover cybersecurity news and practices.
What to Do After a Cyberattack
Even with extra meetings, careful measures by staff and clients, data encryption, and timely software updates, errors can happen. A study by the Ponemon Institute found that more than a quarter of all data breaches in the financial sector were the result of human error.
There are several resources to review when drafting your incident response plan, including FINRA's guide, which outlines the steps to take in the event of a security incident.