This is the world of vulnerability management, which even has a Wikipedia entry: "The cyclical practice of identifying, classifying, remediating and mitigating vulnerabilities." It generally refers to software vulnerabilities in computing systems, but it can also include organizational behavior and strategic decision-making processes.
I began to think about this in terms of our financial advisory practices. We have plenty of exposure. We probably aren't aware of all of our vulnerabilities and most of us don't have a formal process to handle them even if we knew what they were.
The most obvious exposure revolves around the software we use, the handling of secure data and our continual connection to the Internet. Our managing partner Matt McGrath sent out a notice this summer stating that we should not use a password-protected PDF file to send reviews or account applications to clients. McGrath says that the firm uses a four-character passcode, often the last four digits of the client's Social Security number, to password-protect sensitive documents delivered through email.
He's learned that four characters is not long enough to protect against hacking. We had four separate incidents in which a client's email was hacked and bogus instructions were sent to our office to wire money. Fortunately, our firm always contacts the client to confirm. And we use a McAfee email encryption program. The client retrieves the document from a secure cloud file share, so it is not floating around the Internet protected only by a basic, easily guessed password.
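As an added example (not from the column or the firm), a small Python policy check of the kind a firm could run before password-protecting a client document: it rejects passcodes derived from the client's own identifiers, such as the last four of the SSN, and short or low-entropy ones, and generates a compliant one instead. The client record, policy thresholds and function names are constructed for illustration.

```python
import math
import re
import secrets
import string

# Constructed sample client record (not real data): the kinds of identifiers
# that tend to be reused as PDF passcodes, such as the last four of the SSN.
CLIENT = {"ssn_last4": "1234", "phone": "555-867-5309", "dob": "1970-04-15"}

MIN_LENGTH = 12   # assumed policy floor on length
MIN_BITS = 60.0   # assumed policy floor on estimated entropy

def client_derived_values(client):
    """Digit strings a client's own record yields; none may be used as a password."""
    values = set()
    for field in client.values():
        digits = re.sub(r"\D", "", field)
        values.add(digits)
        for n in (4, 6, 8):               # common short prefixes and suffixes
            if len(digits) >= n:
                values.update({digits[:n], digits[-n:]})
    return values

def entropy_bits(password):
    """Optimistic estimate: log2(alphabet ** length) for the character classes present."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]   # 33 = ASCII punctuation + space
    alphabet = sum(size for test, size in classes if any(test(c) for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def check_document_password(password, client):
    """Return (accepted, reason) for a password proposed to protect a client document."""
    if password in client_derived_values(client):
        return False, "derived from client data"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    bits = entropy_bits(password)
    if bits < MIN_BITS:
        return False, f"only ~{bits:.0f} bits of entropy"
    return True, f"~{bits:.0f} bits of entropy"

def generate_document_password(length=16):
    """Random password that passes the policy; deliver it out of band, not in the same email."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

A four-digit SSN-derived passcode scores about 13 bits and is also rejected outright as client-derived, which is the check that matters when the client's mailbox itself has been compromised.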
In our firm's early days, we believed we needed internal control over our back office. Someone handling activities in-house felt more secure. Let's face it, if big firms like Bank of America have trouble protecting their data, why would a small firm like ours have a better chance? Our overconfidence could have cost us a lot of time and money over the years. We now outsource when we can and hire specialists to protect us from our known exposures.
While security and data protection are of great concern, there are other vulnerabilities that we should consider that are not so obvious, such as human resources and compliance. Consider the human aspect. How do you hire and integrate new employees? Do your new hires sign a confidentiality agreement? One of the best ways to protect your data is to obligate your staff to protect it to the best of their abilities.
Do you have an operating policy so that your new hire knows his obligations and responsibilities to the firm? Do you mentor your staff so that they understand your philosophy and values? A value disconnect can create chaos and conflict within your firm and affect your relationship with your clients. My uncle told me that in college he learned there are business values and personal values. "Don't you believe it," he counseled. "Your values should never be compromised for a business position. Always be authentic. Your clients and your staff will trust you absolutely."
If you have a small firm with limited staff you are at risk when employees are out of the office because of vacation or illness. Cross-training your staff helps limit this exposure. Your support to your client should be seamless, regardless of who is executing it. Additionally, I've always advocated a checks-and-balances policy so that multiple eyes review the work product and participate in the process as it moves along.
GO WITH THE FLOW
Similarly, reviewing your processes doesn't just help you spot your vulnerabilities, it can also help your work product become more efficient. I always suggest employees plot their processes using a simple flow chart so that they can see how work is accomplished and where it flows from one staff member to another. Once they know how the flow goes, you can talk with staff to see how these workflow processes can become better and reduce your at-risk exposures.
What measures do you take to keep staff from accessing inappropriate Internet sites? Have you advised staff that business emails should be professional and kept separate from personal ones? Some photographs and questionable jokes do not belong in the workplace. They can create another risk to your firm.