Empowering the Human Firewall: The Bedrock of Cyber Defense
By Michael Cocanower, CEO, AdviserCyber
The Evolving Cybersecurity Landscape for RIAs and Professionals
For Registered Investment Advisers (RIAs) and cybersecurity professionals who work in the space, navigating the ever-changing cybersecurity landscape is a continuous and evolving journey. One that is set to become even more complex with the impending SEC cybersecurity regulations.
These evolving regulations stress the need for continuous cybersecurity education including regular testing of security protocols. Such a commitment is crucial not only for compliance but also for embedding deep cybersecurity awareness within the very fabric of an organization’s operations. Greater education of cybersecurity complexity will not only reduce the likelihood of external threats, but will also allow workforces to recognize internal threats, such as employee negligence and use of unauthorized devices or software.
The key to all of this education is proactivity. Don’t wait until you’ve experienced some sort of breach. In this article, I’ll explore strategies and approaches that align with both existing and proposed SEC regulations.
Transforming Cybersecurity Challenges into Educational Opportunities
Proofpoint’s 2023 State of the Phish Report revealed that 84% of organizations experienced at least one successful phishing attack in 2022, highlighting the critical need for improved cybersecurity measures. In response to this growing threat and under proposed regulation from the SEC regarding reporting, RIAs may be required to disclose any breaches in security. To avoid potential reputation damage from a breach disclosure and ensure compliance, organizations must develop comprehensive training programs and adopt a robust approach to cybersecurity training and phishing testing, which will better prepare them to protect against increasingly sophisticated cyber threats.
What does this look like in practice? It requires a significant shift in perspective on how cybersecurity challenges, such as encountering a phishing simulation, are perceived. Instead of viewing an employee’s inability to recognize a phishing simulation as a failure, it should be embraced as a valuable, interactive learning opportunity that can be shared with the entire organization so the entire team can learn how to spot similar attempts in the future.
By transforming every cybersecurity challenge into a teachable moment, RIAs create an environment where continuous learning is not just encouraged but is integral to each employee’s professional development. This approach demonstrates a commitment to ongoing improvement and actively engages employees in risk management practices, emphasizing the importance of vigilance and continuous education in cybersecurity protocols.
In the dynamic world of cybersecurity, especially for RIAs and professionals in the field, cultivating a knowledgeable and adaptable workforce is just the beginning. As cyber threats evolve, so must our strategies to combat them. This means going beyond basic training to implement more proactive measures, such as regular integrated training sessions and tests. These steps are essential to ensure that teams are not only well-equipped to tackle future challenges but also remain compliant with the latest regulatory requirements. This proactive approach is crucial in addressing advanced cyber threats, such as identity impersonation and spear phishing, which leverage personal relationships and trust.
As we delve deeper into the complexities of cybersecurity, it becomes clear that a multifaceted strategy is necessary to build a resilient defense against these sophisticated threats.
Addressing Advanced Cyber Threats
Identity impersonation and spear phishing represent advanced tactics in the cybercriminal arsenal, leveraging the personal relationships and trust that form the bedrock of all businesses. In a business context, where communications and requests from colleagues and partners are routine, attackers take advantage of this trust. With the rapid development of AI technology, cybercriminals now have an easier path to more convincing phishing attacks. Recognizing this vulnerability, regulatory bodies will require financial institutions to confidentially report significant cybersecurity incidents, underscoring the critical importance of comprehensive and ongoing training to counteract these sophisticated threats — broad educational initiatives including routine training sessions, and phishing simulation tests — are crucial in equipping employees with the skills to identify and counteract these threats, and reinforce an organization’s defense against sophisticated cyber adversaries.
On top of increased educational initiatives, organizations can increase resilience against constantly evolving digital threats by nurturing a security culture dedicated to specific preventative measures like proactive identification, detailed analysis, and strategic management of cyber risks as well as adding real time detection to their arsenal. This consists of emphasizing the need to maintain detailed records of cybersecurity efforts as a critical complement to defensive measures themselves. This approach helps organizations go beyond mere compliance; they cultivate a forward-looking cybersecurity stance.
The Human Element and Measuring Training Effectiveness
The effectiveness of cybersecurity training programs can be quantified through various metrics, such as phishing click rates and the rate of training completion. These data points offer tangible evidence of a cybersecurity program’s reach and immediate impact. In the realm of finance, failing to meet these metrics significantly increases the risk to financial resources. Yet, the ultimate barometer of success lies in the sustained behavioral change among employees — the kind that leads to a tangible reduction in cybersecurity risk.
To gauge behavioral change in a workforce, managers will need to regularly monitor employees’ adherence to cybersecurity policies and practices over an extended period. It’s important to note that supervisors will need to strike a balance between effective observation and respecting employee privacy and maintaining a positive work environment. The objective is not to create a climate of fear but to cultivate an organizational culture deeply rooted in cybersecurity awareness.
This approach advocates for a well-informed workforce capable of contributing to the overall security posture of their organization, suggesting a blueprint for compliance and beyond. They serve to empower individuals within an organization to make informed decisions, recognize deceptive tactics, and take appropriate action when faced with potential cybersecurity threats, thus taking a few more steps closer to fostering a dynamic cybersecurity culture.
Cultivating a Dynamic Cybersecurity Culture
A robust approach to cybersecurity training and phishing testing must reflect a commitment to ongoing improvement and active participation in risk management. The shift from static policies to a dynamic, culture-driven defense strategy is only possible when all members of a firm prioritize cybersecurity equally. One of the best strategies is actively managing systems and configurations, which involves inventorying network devices and software, eliminating unnecessary components to minimize the attack surface, and continuously adapting and streamlining these elements to meet evolving security threats and enhance operational efficiency.
While embedding cybersecurity awareness internally is foundational, the complexity and sophistication of threats often necessitate leveraging external expertise to augment defenses, providing fresh insights and specialized skills that are critical for staying ahead of potential vulnerabilities.
According to Mandiant’s M-Trends 2023 report, 63% of organizations were notified of breaches by external entities in 2022—an increase from 47% the previous year, which means more companies are relying on external partners for cybersecurity expertise. Engaging with external cybersecurity experts allows for an impartial view and a continuously refreshed approach that matches the ever-changing landscape of cyber threats a critical consideration for sectors such as finance. These levels of vigilance and preparedness are not just about meeting compliance standards; it’s about fostering a cautionary security culture that prioritizes the identification, analysis, and management of cyber risks as an integral part of business resilience.
The Cornerstone of Cyber Defense
A comprehensive suite of cybersecurity tools and compliance consulting establishes a strong defense against cyber threats. Yet, the true cornerstone lies in empowering employees through consistent training and phishing tests. Such empowerment is crucial, as it turns every team member into a vigilant guardian of the organization’s digital frontiers. The SEC’s evolving regulations on cybersecurity risk management underscore the critical nature of this empowerment. They serve as a reminder that while technology is a powerful ally, the human element remains irreplaceable. Strengthening this human firewall is not a one-time event but a continuous process. The ideal time to have fortified this aspect of cybersecurity was in the past, and the second-best time is now — reflecting the urgency with which the industry must adapt to the changing regulatory and cyber threat landscapes to maintain operational integrity.
About the Author
Michael Cocanower is founder and chief executive officer of AdviserCyber, a Phoenix-based cybersecurity consultancy serving Registered Investment Advisers (RIAs). A graduate of Arizona State University with degrees in finance and computer science, he has worked more than 25 years in the IT sector. Michael, a recognized author and subject matter expert, has earned certifications as both an Investment Adviser Certified Compliance Professional and as a Certified Ethical Hacker. He is frequently quoted in leading international publications and has served on the United States Board of Directors of the International Association of Microsoft Certified Partners and the International Board of the same organization for many years. He also served on the Microsoft Infrastructure Partner Advisory Council.
