Wealth Think

How a cyber spring cleaning can protect data, build client trust

As someone who spends 100% of his time thinking about information security compliance, I often get asked what firms should focus on regarding cyberattacks. Perhaps it's because such attacks show no signs of letting up; a recent study found that 88% of those involved in data governance and cybersecurity believe data security will become a higher priority in the next 12 months.

Mike DeKock, founder and CEO of MJD Advisors

Financial services firms, in particular, face risks on every side, starting with the attack surface added each time a process is digitized. The rise of software-as-a-service (SaaS) tools to streamline operations and leverage the cloud, for instance, means sharing sensitive data with third parties and expecting them to safeguard it as carefully as your firm would. That expectation isn't always met, which is why the financial services industry has the highest volume of third-party breaches (alongside health care).


When I ask the leaders of professional services firms, including financial services, how confident they are in their current security program, I typically hear one of three responses:

  • "We are safe because all our data is stored using Microsoft or Google and other software products."
  • "We don't have to worry about information security because our outsourced IT provider handles it."
  • "We constantly worry about security, but we don't know where to start or have the budget to fix it, and nothing has happened."

Each response rests on its own fallacy: a cloud or software provider secures its platform, but the firm still owns how access to its data is configured and who holds it; an outsourced IT provider operates the systems, but the firm still owns the risk; and the absence of a known incident is not evidence that nothing has happened. Taken together, they reflect the current state of data security: Business leaders want to focus on bringing value to customers by building better services or products before they tackle significant and often undiscovered cybersecurity risks. But in the next five years, in order to maintain customers' trust, companies will need to focus on convincing them that they take data security seriously.

Given the nature of the data processed and/or stored by financial services firms, it is imperative that the industry not only build a robust compliance program but also be able to demonstrate to customers how they are keeping their data safe. 

But here's the good news: Whether it's internal staff or external consultants doing the implementation, a firm's data security odyssey can begin with simple steps. And when those steps are done right, operational bonuses — such as streamlined processes, documented procedures and the creation of consistent onboarding and offboarding activities, to name a few — come with them.

Take inventory and categorize tools, applications

Imagine trying to provide financial advice to a client without knowing anything about their family, investment accounts, liabilities or financial goals. It would be impossible. Assessing data security risks is no different — you can't improve or correct what you don't understand. 


Select someone in the firm with significant compliance experience to organize the systems used in the business (HR, IT, Ops, etc.) into lists. Then, for each system, categorize which tools are used and where core information is located. It doesn't have to be complicated; in fact, the simpler, the better. Creating a diagram of your tech stack is an easy way to accomplish this.

Then create a list of all software applications used by employees and firm leaders organization-wide. Next, for each application, select a product owner or someone heavily involved in its day-to-day maintenance to categorize its uses and identify the individuals who have access to it.

Once that is built, bring the product owners and company leaders together to evaluate what is currently in use and who needs access to each tool. More often than not, there will be tools that overlap, licenses that aren't needed and former employees who still have access to the information. Those leftover accounts should be disabled as soon as they are found, not left for the next review, and the offboarding procedure should be updated so they stop appearing.

Review systems that hold the same data points

From customer name to address, account information and employee details, identify areas that are being duplicated or lack a real "source of truth." Most firms have customer names duplicated across multiple databases. 


Such data sprawl creates information security risks, but the bigger and more present challenge is the constant updating and potential errors teams have to deal with. 
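To make the inventory from the previous section and the duplicated-data review just described concrete, here is an added example in Python. It is my own illustration, not code from the column or from MJD Advisors. It reconciles a constructed tool inventory against a constructed HR roster and reports three things the product owners and leaders would walk through together: accounts that belong to departed or unknown people, tools that overlap in purpose, and data elements held in more than one system (so there is no single source of truth). The app names, people, categories and data fields are invented assumptions; in practice the inputs would come from each application's user export and the HR system.

```python
"""Tech-stack inventory checks: orphaned access, overlapping tools, duplicated data.

Added example, not from the column. All inputs below are constructed sample
data for a hypothetical firm; the apps, people and data fields are invented.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class App:
    name: str        # the tool as it appears in the inventory
    owner: str       # product owner responsible for it
    category: str    # what it is used for (CRM, document storage, ...)
    users: set       # accounts that currently have access
    data: set        # core data elements stored in the tool


# Constructed HR roster (hypothetical people): account -> employment status.
ROSTER = {
    "ana": "active",
    "ben": "active",
    "cleo": "active",
    "dev": "terminated",
    "eli": "terminated",
}

# Constructed inventory (hypothetical tools). "ghost" in docvault is an
# account with no HR record at all, which the checks must also catch.
APPS = [
    App("crm-pro", "ana", "CRM", {"ana", "ben", "dev"},
        {"client_name", "client_address", "account_number"}),
    App("sheet-crm", "ben", "CRM", {"ben", "cleo", "eli"},
        {"client_name", "client_address"}),
    App("docvault", "cleo", "document storage", {"ana", "ben", "cleo", "ghost"},
        {"client_name", "contracts", "ssn"}),
    App("hr-system", "ana", "HR", {"ana"},
        {"employee_name", "employee_ssn"}),
]


def orphaned_access(apps, roster):
    """Accounts in any tool whose owner is not an active employee.

    Anyone missing from the roster is treated as not active: an account
    nobody in HR can vouch for is as dangerous as a departed employee's.
    Returns {app name: sorted list of stale accounts}.
    """
    report = {}
    for app in apps:
        stale = sorted(u for u in app.users if roster.get(u) != "active")
        if stale:
            report[app.name] = stale
    return report


def overlapping_tools(apps):
    """Categories served by more than one tool: consolidation candidates."""
    by_category = defaultdict(list)
    for app in apps:
        by_category[app.category].append(app.name)
    return {c: sorted(names) for c, names in by_category.items() if len(names) > 1}


def duplicated_data(apps):
    """Data elements stored in more than one system, i.e. no single source of truth."""
    locations = defaultdict(set)
    for app in apps:
        for item in app.data:
            locations[item].add(app.name)
    return {d: sorted(s) for d, s in locations.items() if len(s) > 1}


def access_review(apps, roster):
    """The combined report to bring to the owners-and-leaders meeting."""
    return {
        "orphaned_access": orphaned_access(apps, roster),
        "overlapping_tools": overlapping_tools(apps),
        "duplicated_data": duplicated_data(apps),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(access_review(APPS, ROSTER), indent=2))
```

Run against the constructed data, the report flags the terminated users still in both CRMs and the unknown "ghost" account in the document vault, shows the two CRMs as overlapping, and lists client name and address as stored in more than one system. The check is deliberately strict about accounts absent from the roster: if the tool's user export contains a name HR cannot explain, it is flagged rather than ignored.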

After identifying the different document storage locations, the goal is to set up rules for where information should be stored. To do this, address key questions such as:

  • Is there a specific place for the most critical documents like contracts, sensitive client information and information for regulators/auditors? Does that information live in several different folders, drives or email inboxes, depending on the relationship? 
  • If a core team member leaves the organization, is it easy to pick up their work where they left off? Or would employees have to dig through their hard drives, emails and client folders for months, stalling business continuity?
  • Is there a "junk drive" containing seemingly useless information? Documents that might be needed (but almost never will be) can create chaos within file systems. 
  • How many versions of that file exist in the chosen location, and which one should be kept? 

The end result is surprisingly feel-good, as control of data is returned to businesses and leaders and employees know where every piece of information is stored — and why. Not only will leaders become confident in their internal operations and be ready for even better data security practices, but they can make a straightforward and sound case to their clients that they are keeping their data safe.

MORE FROM FINANCIAL PLANNING