How Can a Small Advisory Practice Economically Be as Cyber-Secure as Possible?
Cybersecurity is a risk that applies to firms both large and small without discrimination. Even very small advisory firms, which I’ll define as having one to five staff for purposes of this discussion, have a wealth of information worth safeguarding.
Cybercrime is often a crime of opportunity. Hackers are metaphorically going door to door (computer to computer) jiggling doorknobs to see which company is unlocked and a ripe target. At CSS, we are frequently asked by small practices about what steps they can take to improve their cybersecurity. My advice is to focus on the quick wins and the most cost-effective solutions. The goal isn’t to build Fort Knox, but to be a little more secure than the next company to take the target off your back. And it’s important to keep in mind that small firms are in fact a target. Many small firms believe they are not on a hacker’s radar, but hackers know that small firms are more likely to have weaker defenses.
Cost-effective solutions include:
- Keeping your software and operating system patched, so that vulnerabilities can’t be exploited
- Being aware of social engineering and phishing risks, and refreshing your ability to detect them through regular training, so that you think twice before clicking a link in an email or opening an attachment you weren’t expecting, and so that you call a client to verbally verify the wire instructions they emailed you before wiring money out
- Using encryption whenever feasible to send and store data. BitLocker encryption at rest is built into Windows 10 machines now, for example, so if your edition includes it and it’s enabled, your laptop’s drive is encrypted. Using secure file-sharing portals is generally more secure than sending clients confidential files via unencrypted email, because if an email account is compromised, the data isn’t just sitting there in the mailbox for the attacker to read.
- Finally, enabling two-factor or multi-factor authentication wherever possible
If you can tackle the above four bullets, you can greatly reduce your cyber risk without spending a lot. Once you have those items in place, it’s reasonable to consider next steps. The SEC and state regulators do expect even small firms to have cybersecurity policies and procedures, so that’s an area in which many firms turn to us for assistance when they’re ready.
I think the important thing to keep in mind is that some of the cyber best practices above can be implemented for free or for little to no cost. The practical approach is to get those cost-effective solutions in place first, and then as budget allows, try to tackle some of the other aspects. Hackers won’t take it easy on you just because you have a smaller firm. But for a large percentage of cyberattacks (other than highly sophisticated nation-state attacks, which even large firms have trouble defending against) you don’t need to be faster than the bear, just faster than the other guy running from the bear.
For more cybersecurity help, here are some helpful resources:
- Webinar – Getting Practical with Cyber, Part I: Testing & Validating Your Risk Controls
- Webinar – Getting Practical with Cyber, Part II – In the Driver’s Seat: Your Critical Role in Cyber Resiliency
- CSS Cybersecurity Solution – Shield
Ask us how we can help tailor a package to meet your needs. Fill out our form here and receive our free checklist for evaluating policies for cyber insurance coverage.