On this week’s episode of the CCO Buzz we discuss the hot topic of Cybersecurity and the value of Cybersecurity Training and Mentorship in today’s evolving industry.
CCO Buzz: Welcome Back! On this week’s episode of the CCO Buzz we have a Compliance Consultant. He will be discussing the hot topic of Cybersecurity, but more importantly he’ll be focusing on the value of Cybersecurity Training and Mentorship in today’s evolving industry.
Compliance Consultant: Today I’d like to talk about staying ahead of the cybersecurity curve. Cybersecurity and cyber-attacks continue to dominate the news and regulatory landscape in 2018 and it is projected that they will continue to remain prominent issues for financial institutions for the foreseeable future.
One of the cornerstones of mitigating the risk associated with cybersecurity issues and attacks is the formation of a detailed and rigorous training and mentorship program. Through employee education firms will have knowledgeable staff making informed decisions about cybersecurity issues and responding appropriately to cyber incidents.
Cybersecurity training is an important element of robust policies and procedures. And it is one of the items the [SEC’s] Office of Compliance Inspections and Examinations (“OCIE”) considers to be mandatory. It cannot be overstated how vital informed employees are in acting as a first line of defense against possible cyber threats. It’s essential for firms to make sure that their employees remain informed of cybersecurity policies by having a rigorous training program in place.
Important components to cyber security training include:
- Learning how to identify cyber-threats;
- Making sure to implement good “protection” habits – such as reviewing encryption protocols, mandating strong passwords, performing data backups, and not disabling and anti-virus or anti-malware software;
- It also includes not using unauthorized devices on the firm’s network;
- Understanding cybersecurity policies and user responsibilities are also important; and
- Providing employees with continuing education and up-to-date resources on cybersecurity and cybercrime prevention; and
- Making sure employees are familiar with the firm’s incident response procedures.
Cybersecurity Mentorship is also a great tool for improving employee awareness about cybersecurity and cyber-incidents. It can be extremely helpful to bring in experts, such as IT professionals and/or compliance consultants in order to impart in-depth knowledge about certain areas such an evolving cyber-threats and regulatory requirements.
However, mentorship doesn’t just have to be provided by subject matter experts; it can also be supervisors or managers providing periodic updates about cybersecurity issues and regulatory news.
Effectiveness of mentorship and training for incident response largely hinges on the individuals who are responsible for its implementation. It is incumbent upon the firm’s Information Security Officer (“ISO”) and the Chief Compliance Officer (“CCO”) to be able to provide staff with the tools necessary to address cyber incidents.
Consistent, detailed training is critical to ensure that the [Incident Response Plan] (“IRP”) will be implemented effectively. The IRP’s success largely depends on the staff of the firm knowing whom to contact, what steps need to be taken during a cyber-incident, and what corrective measures need to be addressed in the aftermath.
Here are a few tips and suggestions on implementing a cybersecurity training program:
- Have senior management provide all employees with a written notice via email that cyber security training is a required job function;
- Make sure to meet with new employees to provide and discuss cyber security policy and incident response plan training;
- Provide and document annual in person cybersecurity training – this could be presented by the ISO, the CCO, consultants, or guest speakers- such as law enforcement or other subject matter experts;
- It should also require a review and written acknowledgement of the cybersecurity policy and incident response plan;
- Make sure to perform period mock phishing tests and annual quizzes to help gauge employees’ level of knowledge and provide additional training to anyone that failed;
- Also, make sure to send periodic emails to employees providing up-to-date information on current cyberattacks and a reminder to be knowledgeable about the firm’s cybersecurity policies and protocols.
These are just a few suggestions that may help you in creating you own cybersecurity training program. Most importantly, training programs should be customized based on the firm’s potential exposure to cyberattacks and vulnerability risks.
For more information or assistance with cybersecurity policies, incident response plans, or mentorship and training please contact us at (619) 278-0020.
CCO Buzz: Well that’s it for this week’s episode. If you’d like additional information, please check out our website at www.corecls.com. You can also follow us on Facebook, LinkedIn or Twitter @CoreCLS. Thank you and we hope you tune into next week’s episode of the CCO Buzz.