On episode 63 of the CCO Buzz, Compliance Consultant Adam Stutz joins us to talk about the importance of cybersecurity training for employees as we begin the new year.
CCO Buzz: Hello and welcome back to the CCO Buzz! We hope you enjoyed the holiday season and have had some time to relax with family and friends. For this episode Compliance Consultant Adam Stutz is here to give us his expert advice on cybersecurity training, which is important as we enter into the new year. We hope you enjoy the episode!
Adam Stutz: Training is a cornerstone of any compliance program and well-trained employees are an essential mitigating control for any firm. Like any other area of compliance, employees should receive training on the firm’s cybersecurity policies and procedures. Cybersecurity continues to be a top area of concern for the SEC as well as investment advisers, and informed employees act as the first line of defense against possible cyber threats.
At a minimum, cybersecurity training should encompass some key components:
- Learning to identify cyber-threats, such as social engineering, phishing, viruses, malware and hacking;
- Implementing steps to develop good “protection” habits, including:
  - Reviewing encryption protocols with all employees;
  - Mandating strong password policies;
  - Performing data backups;
  - Not disabling anti-virus or anti-malware software; and
  - Identifying cybersecurity threats and identity theft red-flags.
- Also, not using unauthorized devices to access your firm’s network;
- Understanding cybersecurity policies and user responsibilities based on an employee’s job function;
- Providing employees with continuing education and up-to-date resources on cybersecurity and cybercrime prevention; and
- Outlining and reviewing requirements of the firm’s incident response procedures with all employees.
Cybersecurity training should be informative and engaging, and can take many forms, for example, via webinars, live trainings, or educational modules. But what matters most is that employees are receiving consistent, up-to-date preparation at least annually to learn about cybersecurity threats, policies, procedures, and best practices.
Here are some tips and suggestions on how to strengthen your cybersecurity [training] program at your firm:
- Have a senior management person provide all employees with written notice via email that cybersecurity training is a required job function;
- Ensure that all employees, including senior management and independent contractors receive training;
- Meet with new employees to provide and discuss cybersecurity policy and incident response plans;
- Provide and document annual in-person cybersecurity training presented by the ISO, CCO, consultants and/or guest speakers, which could include law enforcement or cybersecurity experts;
- Require, and review, written acknowledgements of the cybersecurity policy and incident response plan from employees;
- Send out firm-wide updates on any changes to the policies and procedures that impact cybersecurity and threats;
- Mandate continuing education for employees on identifying various types of cybercrimes;
- Distribute articles and regulatory updates regarding cybersecurity to employees to help keep them abreast of current issues;
- Perform periodic mock phishing tests and annual quizzes to help gauge employee levels of knowledge and then provide additional training to any who failed; and
- Send periodic emails to employees providing up-to-date information on current cyberattacks and a reminder to be knowledgeable of the firm’s cybersecurity policies.
These are just a few suggestions that may help you in creating your own cybersecurity training program. It is important to remember that training programs should be customized based on the firm’s potential exposure to cyberattacks and vulnerability risks. While there is no one-size-fits-all solution for each firm, training that focuses on these core elements should help ensure employees have the knowledge needed to be effective gatekeepers. For additional assistance with your cybersecurity training program, please contact Core Compliance & Legal Services at (619) 278-0020 or visit us on the web at www.corecls.com.
CCO Buzz: Well, that’s it for this week’s episode. If you’d like additional information, please check out our website at www.corecls.com. You can also follow us on Facebook, LinkedIn, or Twitter @CoreCls. Thank you, and we hope you tune in to next week's episode of the CCO Buzz.