The security of your employee, customer and corporate data is critical to maintaining trust. As cyber threats intensify and their impact on corporate reputations, business operations and even regulatory risks grows, it’s important to understand that cybersecurity is not the sole responsibility of the IT department. It requires a coordinated approach that includes proper safeguards, training and employee participation.
Rachel Wilson, head of Cybersecurity for Wealth Management at Morgan Stanley and former senior executive at the National Security Agency (NSA), shares seven steps you can take to help protect your organization.
Your employees are both your first line of defense and your greatest point of vulnerability. Educate, train and test them to help protect against cyber threats, ensure compliance and respond appropriately—before an incident occurs. How should sensitive information be stored or transmitted? If an employee clicks on something suspicious, what should they do? Is access to sensitive information restricted to only those employees who require it to perform their job functions? It only takes a single person to make one very costly mistake. There’s no substitute for clear, enforceable policies and procedures.
Email is a cybercriminal’s favorite tool. If an employee clicks on a link or opens an attachment without thinking, they could be unwittingly downloading malware onto your network. Another popular cyberattack tactic is business email compromise (BEC), where a criminal impersonates an executive or client with the aim of getting the email recipient to send money or sensitive information. Sometimes the fraudster is simply spoofing a publicly available email address. In other cases, they have compromised a server or hijacked account credentials.
Whatever the method, the lesson is the same: Never reflexively trust an email you receive. Always rely on multiple methods beyond email to confirm the sender’s identity and intent before engaging, and never transmit sensitive information via unsecured email or text.
Virtually every business will face a data breach at some point. Companies need to prepare not only for how to prevent an incident, but what to do if one occurs. Incident response plans are critical to mitigating the consequences of a breach. They should delineate roles and responsibilities for key stakeholders both within the organization (IT, senior management, inside counsel, communications) and externally (outside counsel, computer forensics experts and public relations). Plans should be tested through various scenarios, practiced regularly, and reviewed and improved as appropriate.
Training employees to spot and thwart social engineering schemes is part of the puzzle, but technological safeguards also have a critical role. Start by running a reputable antivirus product on all computers being used for business activities and keep all software, operating systems and browsers up to date across your devices. Turn on automatic updates where available, as software companies often include security upgrades (called “patches”) in every update they release. This requires an accurate inventory of all devices and software the business is using.
Accessing information remotely poses a unique set of cyber risks and challenges. A good practice is to avoid using public Wi-Fi hotspots, which put you at risk of having your communications and internet traffic intercepted. Instead, create a personal hotspot with your phone and connect through an end-to-end encrypted LTE channel. You can and should apply additional protection in the form of a virtual private network (VPN).
When traveling, be picky about the devices you bring and never leave them unattended. You should also refrain from using public computers or publicly available charging cords or USB ports.
Password reuse is risky. When individuals reuse passwords across multiple accounts, a breach of one account threatens the others. To avoid this risk, the best strategy is to use complex, lengthy and unique passwords for each account. Understandably, such passwords are very difficult for anyone, let alone an office or group of individuals, to remember. This is where a password manager can assist. A reputable password manager will create strong passwords and then store them in a cryptographically sound way.
In addition to using strong passwords, enable multifactor authentication (MFA) whenever available, especially for your company’s high-consequence systems. MFA allows you to add additional verification—beyond a username and password—to confirm users’ identities and protect access to accounts. Registered trusted devices, biometrics (such as fingerprint or facial recognition scans) and security keys are all examples of MFA.
To ensure your cybersecurity protections are robust, you may wish to engage the services of an expert. A cybersecurity expert can conduct a vulnerability assessment, educate your staff and clients, evaluate your vendors, and advise on encryption tools, cyber insurance, document storage, network monitoring and much more.
With an end-to-end approach to workplace financial solutions, Morgan Stanley at Work provides a unique combination of thoughtful education, insightful advice and leading technology to help your workforce feel more invested and productive.