Adelia Risk (https://adeliarisk.com): vCISO and Cybersecurity Services

How to Switch IT Providers Without Putting Your Compliance at Risk
https://adeliarisk.com/how-to-switch-it-providers-without-putting-your-compliance-at-risk/ (Fri, 27 Feb 2026 14:52:41 +0000)

In September 2025, researchers linked a Qilin ransomware campaign to a likely upstream service-provider compromise that affected 28 South Korean financial-sector victims and involved over 2 TB of stolen data (Bitdefender; AhnLab ASEC). One IT provider. Twenty-eight firms were affected. The attackers didn’t need to break into each company individually. They used the MSP’s access as a shortcut.

For heavily regulated businesses, switching IT providers is one of the highest-stakes vendor decisions you’ll face. Adelia Risk helps regulated companies, from SEC-registered investment advisors and hedge funds to healthcare practices, law firms, and defense contractors, evaluate MSPs and manage the transition.

One pattern comes up in every engagement: the biggest barrier to switching IT providers isn’t the technical cutover. It’s knowing what to look for in a new provider, what to demand in the contract, and how to avoid the common contract gotchas in MSP agreements.

We built a free checklist that walks you through the full process, from recognizing the warning signs to executing a clean transition. This article explains the thinking behind each section of that checklist.

How to Know When It’s Time to Switch

CHECKLIST EXTRACT

Signs You Need a New IT Provider

You’re paying managed service prices for break-fix service: If your MSP handles helpdesk tickets but drags its feet on projects like security upgrades, software deployments, or infrastructure changes, you may be overpaying or working under a contract with unclear scope.

Look for a pattern of “project” invoices on top of your monthly fee: If you’re regularly surprised by extra charges for work you assumed was included, your MSP’s scope boundaries are either unclear or deliberately vague.

Check whether your MSP has pushed back on security recommendations: If an independent advisor or your own compliance team has recommended security improvements and your MSP called them “overkill” or agreed but never followed through, that pattern is unlikely to change.

Determine if your MSP understands your regulatory requirements: An IT provider serving a financial services firm should be comfortable with SEC Regulation S-P expectations. One serving a healthcare practice should understand HIPAA Business Associate obligations. If they can’t speak to the basics, you’ll end up filling the gaps.

The Real Reason Companies Start Looking

Across the regulated businesses Adelia Risk advises, the most common signs you need a new IT company aren’t slow helpdesk response or high monthly fees. The real trigger is a pattern: surprise project bills, chronically slow project delivery, and an MSP that struggles to deliver work beyond basic ticket resolution. You’re paying for managed services but receiving break-fix support.

That gap between what you’re paying and what you’re getting is usually what pushes companies past the tipping point. The MSP proposal promised proactive management. In practice, you have reactive ticket handling and a monthly invoice that keeps climbing.

The Security Gap Most Business Owners Can’t See

The bigger risk for regulated companies is a gap that isn’t visible from the helpdesk experience. When Adelia Risk audits MSP-managed Microsoft 365 environments in financial services and healthcare, we regularly find the same configuration failures: conditional access policies not configured, MFA not enforced for admin accounts and other privileged access, no mobile device management deployed, and tenant security settings left at insecure defaults.

The MSPs responsible aren’t malicious. They built their practices around desktop support and printer troubleshooting. Cloud security configuration is specialized work, and many haven’t made that transition. If your firm has financial services or healthcare compliance obligations, those missing configurations aren’t just IT issues. They can show up as audit or compliance findings.

Secure Your Assets Before You Give Notice

CHECKLIST EXTRACT

Before You Start Looking, Prepare Your Exit

Verify who owns your domain names: Log in to your domain registrar and confirm your company is listed as the registrant and administrative contact. If your MSP registered domains on your behalf, transfer ownership now, before the relationship gets contentious.

Verify who owns your Microsoft 365 (or Google Workspace) tenant: Confirm your company is the tenant owner of record, with the MSP set up only as delegated/admin access where needed.

Secure all administrative passwords in a vault your MSP doesn’t control: Document every admin credential, MFA recovery method, and management portal login. Store them in a password manager that only authorized staff can access.

Review your current MSP contract for termination terms: Find the exact notice period required, any early termination fees, and whether transition assistance is included.

Why Ownership Matters More Than Anything Else

For companies switching IT providers, this is the section of the checklist we tell every client to complete first, even before they start evaluating replacements. If your current MSP registered your domain name or created your Microsoft 365 tenant under their partner account, it can slow down or complicate the handover. We’ve seen transitions stall for months because the outgoing MSP controlled assets that the client assumed they owned.

Do this while the relationship is still cooperative. Verify ownership of your domain, your email and cloud storage tenant, and every other cloud service your business relies on. If anything is registered under the MSP’s account, start the transfer process now. Once you give notice, it’s common for responsiveness to drop.

What Every MSP Proposal Must Include

CHECKLIST EXTRACT

Evaluate Proposals With a Consistent Scoring Method

Confirm every security tool is named with vendor and product: The proposal should say “SentinelOne Complete” or “CrowdStrike Falcon,” rather than “enterprise-grade EDR.”

Confirm the proposal includes a clear Inclusions and Exclusions section: Look for specific examples of what is covered under the monthly fee and what gets billed as a project.

Confirm SLAs include priority tiers with response AND resolution targets: A strong SLA defines priority levels (Critical, High, Medium, Low) with objective criteria, states response times for each level, and states resolution time targets for each level.

Check what “24/7 monitoring” actually means: If a critical security alert fires at 2 AM on a Saturday, what happens? Automated alerts that create tickets which aren’t reviewed until Monday morning aren’t 24/7 monitoring.

Named Security Tools, Not Marketing Language

When Adelia Risk evaluates MSP proposals for clients hiring a managed service provider, we look at the security tooling section first. “Enterprise-grade EDR” could mean anything from a consumer antivirus with a business label to a legitimate endpoint detection platform. “SentinelOne Complete” or “CrowdStrike Falcon” tells you exactly what’s being deployed, and you can verify whether it’s actually running on your machines.

The same principle applies to every security tool in the stack: email security, backup, vulnerability scanning, DNS filtering, SIEM, log management, security awareness training, and MFA. If the MSP won’t name the products, you can’t verify what you’re buying or compare proposals on a like-for-like basis.

An MSP Service Level Agreement That Actually Means Something

A useful MSP service level agreement does more than quote a response time. It breaks issues into clear priority tiers (for example, “Critical” when the whole business can’t work, versus “Low” for a single-user, non-urgent request). Each tier should include both a response time and a resolution target.

We see proposals regularly that offer a single response time for all issues and no resolution commitment. That means the same urgency whether your entire network is down or one person can’t change their default printer. For regulated teams, including healthcare, financial services, and professional services, that lack of prioritization creates real compliance risk when a security incident sits in the same queue as a password reset.

Contract Terms That Will Protect You or Trap You

CHECKLIST EXTRACT

Review Contract Terms Before Signing

Be cautious with 3-year initial terms for a new MSP relationship: You’re committing to 36 months with a vendor you haven’t worked with. A 1-year initial term is ideal.

Require all Terms and Conditions in the proposal document itself: If the proposal references T&Cs hosted at an external URL, it can be hard to prove which version you agreed to later.

Negotiate early termination provisions: “Early termination requires payment of the remaining contract value” is one of the most expensive terms in MSP agreements.

Negotiate a cap on annual price increases: Strong contracts specify something like “annual increases limited to CPI or 5%, whichever is lower.”

The External Terms and Conditions Trap

One of the most common contract patterns we find when reviewing MSP proposals for regulated clients: a signature page that references Terms and Conditions hosted at the MSP’s website. This creates a version-control problem: the vendor can update the webpage, and it becomes harder to prove which terms you actually agreed to. Adelia Risk reviewed one proposal where the buyer would have been bound to contractual language they may never have actually read.

Insist that every binding term appear in the signed agreement. Not linked. Not floating on a webpage. Included.

Why Three-Year Contracts Are a Red Flag for New Relationships

A three-year commitment with a company you’ve never worked with is a gamble, regardless of industry. But for regulated businesses switching IT providers, the stakes are higher. If the MSP’s engineering talent doesn’t match what the sales team promised, or if they can’t handle your industry-specific compliance needs, your options are limited.

A one-year initial term gives both sides time to prove the relationship works. If things go well, renewing is easy. Two years is acceptable if you’re working from a strong referral. Three years before you’ve seen them deliver a single project is a red flag.

Compliance Obligations Stay With You, Not Your MSP

CHECKLIST EXTRACT

Compliance Checkpoints by Industry

Financial Services (SEC, FINRA)

Confirm the MSP understands SEC Regulation S-P requirements: Including incident response programs, 30-day customer notification deadlines, and written policies for service provider oversight.

Confirm the MSP can support FINRA Rule 4370 (Business Continuity Planning): Their backup and disaster recovery capabilities are central to your BCP.

Healthcare (HIPAA)

Confirm the MSP will sign a Business Associate Agreement as part of the contract: A BAA should be included in the MSP contract, not treated as an afterthought.

All Regulated Industries

Confirm the MSP’s security stack meets cyber insurance requirements: Most carriers now mandate MFA on all remote access and email, EDR on all endpoints, regular patching, backup with tested recovery, security awareness training, and incident response planning.

Regulators Hold You Accountable, Not Your IT Provider

When an MSP’s security gaps contribute to an incident, the regulatory fallout lands on the regulated entity. The SEC’s May 2024 amendments to Regulation S-P require a written incident response program (including service provider oversight) and customer notice as soon as practicable, but no later than 30 days after becoming aware of unauthorized access or use, or a reasonably likely incident (SEC Press Release 2024-58). “Our MSP handles that” is not a response SEC examiners will accept.

For healthcare organizations, HIPAA’s business associate rules mean your MSP has direct obligations too. But the covered entity can still be out of compliance if it knew of a pattern of activity or practice by the business associate that materially breached the agreement and didn’t take reasonable steps to fix it or end it (45 CFR). OCR has repeatedly emphasized the Security Rule’s risk analysis requirement in enforcement actions, including its Risk Analysis Initiative settlements (HHS OCR press release). If you want a practical view of how we set up vendor oversight and security governance in healthcare environments, here’s how our vCISO team approaches it.

Government contractors face another version of the same problem. If your MSP accesses, processes, stores, or transmits Controlled Unclassified Information (CUI), their services and systems can fall into your CMMC assessment scope. At a minimum, you need a clear customer responsibility matrix and evidence that they meet the relevant requirements (CMMC scoping checklist).

Cyber Insurance as a Practical Minimum Standard

In practice, cyber insurers and underwriters set a practical minimum bar for MSP security. Coalition’s 2024 claims reporting shows how often losses start with email-based fraud, which is why underwriters focus so heavily on basics like MFA and secure remote access. If your MSP isn’t deploying the controls that carriers require, you face both coverage gaps and potential claim denial during an incident.

Before signing with a new provider, compare their security stack against your cyber insurance carrier’s requirements. If there’s a mismatch, address it during contract negotiations, while you still have leverage.

Your Timeline for Switching IT Providers

Here’s how to prioritize the work, regardless of where you are in the process of switching IT providers.

Do Today

Log in to your domain registrar and confirm your company is listed as the owner

Confirm your company is the tenant owner of record for Microsoft 365 or Google Workspace

Move all administrative passwords to a vault that your MSP cannot access

Find your current MSP contract and note the termination notice period and any auto-renewal notice window

Do This Week

Write a list of every system, tool, and cloud account your MSP manages

Identify 3-5 MSP candidates with experience in your regulatory environment

Send each candidate a technical RFI asking for named security tools, cloud security hardening process, and incident response procedures

Do This Month

Score proposals from your finalists using the same evaluation criteria for every vendor

Have legal counsel review all contract documents, including any referenced Terms and Conditions

Negotiate transition plan details: timeline, parallel support period, credential rotation, and success criteria

When Independent Oversight Makes the Difference

Switching IT providers is one of the few vendor decisions that can directly affect your cybersecurity compliance posture, your cyber insurance coverage, and your exposure to regulatory penalties. The checklist covers the mechanics, but some situations call for an independent perspective.

This is especially true if you’re in a regulated industry, whether that’s an investment advisory navigating SEC rules, a healthcare practice under HIPAA, or a defense contractor working toward CMMC. Having an independent advisor who isn’t selling MSP services review your proposals and help verify the new provider is meeting the standards you agreed to is worth the investment.

In March 2024, NSA and CISA noted that malicious actors, including nation-state groups, are known to target MSPs and may use their privileged access to pivot into customer environments. The agencies recommend due diligence assessments and ongoing monitoring of MSP security practices (CISA/NSA Cloud Security).

Adelia Risk’s Virtual CISO service helps regulated businesses evaluate MSP proposals, verify security claims, and provide ongoing oversight once the new relationship is in place. If you’re considering a switch and want a second set of eyes on scope, controls, or contract terms, we’re happy to talk.

How Online Banking Security Protects Your Business Bank Accounts from Fraud
https://adeliarisk.com/how-online-banking-security-protects-your-accounts/ (Fri, 20 Feb 2026 21:49:31 +0000)

In 2024, Elkin Valley Baptist Church lost $793,000 when criminals impersonated their construction contractor and sent fake invoices with updated bank account details. No hacking. No malware. Just convincing emails and a missing verification process.

Adelia Risk helps small and mid-sized businesses implement online banking security controls and corporate banking fraud prevention that reduce the risk of exactly this kind of attack. The church’s experience is common. The FBI reports $2.77 billion in business email compromise losses in 2024 alone, with over 21,000 reported incidents.

The attackers did not use advanced hacking here. They relied on a missing verification step. All they needed was a believable email and a payment process that did not require a call to confirm changes.

Below, you’ll find our complete online banking security checklist, followed by guidance on why each item matters and how to implement it. Feel free to use the checklist directly, or enter your email to get an editable version you can customize for your business.


Your 10-Minute Priority Actions

Before anything else, these five steps address the most common attack patterns we see in client environments.

Do These First

Enable multi-factor authentication (MFA) on all banking accounts: Microsoft reports MFA blocks 99.9% of automated account compromises. Ask your bank for an authenticator app or hardware token options instead of SMS when possible.

Set up transaction alerts for all outgoing payments: Don’t wait to discover fraud on your monthly statement. Configure alerts for wire transfers, ACH payments, and any transaction above a small threshold. Send alerts to a shared distribution list, so one inbox does not become a single point of failure.

Activate dual approval for payments: Require two authorized users to approve wire transfers and large ACH payments. Yes, this adds a step to your payment process. That is the tradeoff. You are making it harder for a single person to be tricked into sending money.

Save your bank’s fraud hotline in your phone contacts: Save the fraud reporting number now, so you are not looking for it under stress. The faster you report, the better your chances of recovery.

Test your payment verification process: Send a test request through your normal channels and verify that your team follows the verification steps. If a payment change request goes through without a callback, your team needs a quick refresher.

Why These Come First

MFA is the highest-leverage setting on this list. It stops most credential-based account takeovers before they get started.

The alert and dual approval settings catch what MFA doesn’t: social engineering. When a criminal convinces your accounts payable person that an urgent wire transfer is legitimate, dual approval forces a second set of eyes on the request. Alerts notify multiple people when money moves, so fraud doesn’t go unnoticed until month-end reconciliation.

We recommend testing your verification process because most businesses think they have one until they actually try it. Send a test vendor bank change request through your normal channels. If nobody calls to verify before making the change, you’ve identified your biggest vulnerability.

Why Business Banking Is Different

If someone steals money from your personal checking account, federal regulations give you specific protections. Regulation E limits your liability to $50 if you report unauthorized transactions within two days.

Secure corporate banking doesn’t come with the same protection. Under UCC Article 4A, the legal framework governing business wire transfers, the liability calculation works differently. If your bank offered security procedures like multi-factor authentication, dual authorization, or Positive Pay, and you declined them, it can affect how losses are handled.

Our founder and CISO, Josh Ablett, saw this firsthand during his years as SVP of Fraud at RBS, back when it was the fifth largest bank in the world. Business owners would come in devastated after their operating accounts were drained. In some cases, the loss threatened payroll and cash flow. The legal protection simply wasn’t there, and too often, they hadn’t taken the time to talk to their bank and understand what security measures could prevent it.

After a major transfer fraud, businesses often look to the bank for recovery. The case law is mixed, and outcomes depend on the details.

In Experi-Metal v. Comerica, a Michigan court held the bank liable when it processed 97 fraudulent wires in several hours from an account that had done two wires in two years, ruling the bank failed to act in “good faith.” But in Studco Building Systems US, LLC v. 1st Advantage Federal Credit Union, the Fourth Circuit reversed a $558,868.71 judgment and held the beneficiary bank was not liable under UCC 4A-207 without actual knowledge of a beneficiary name and account-number mismatch.

The common thread: these disputes turn on the transaction pattern, what controls were in place, and what the bank knew (and when).

Online Banking Security Features to Enable

These features are typically free or low-cost, and as discussed above, declining them can affect how liability is handled after fraud.

Enroll in Check Positive Pay: Your bank compares checks presented for payment against a file of checks you’ve issued. Any mismatches get flagged for your review before the bank pays them.

Enroll in ACH Positive Pay or ACH Debit Block: Blocks unauthorized ACH debits from your account. You can approve expected debits and reject everything else.

Set daily and per-transaction limits: Cap the maximum amount that can be transferred via wire or ACH in a single transaction or in one day. This reduces exposure if a fraudulent payment slips through.

Request hardware security tokens if available: Physical tokens that generate codes are harder to compromise than SMS-based codes. Some banks offer these for business accounts at no extra cost.

Positive Pay Explained

Positive Pay is an allow list that helps catch unauthorized checks and ACH debits before they clear. You submit a file of checks you’ve issued, and the bank compares every presented check against your list. Mismatches get flagged for your review before the bank pays them.

ACH Positive Pay (sometimes called ACH Debit Filter or ACH Block) works similarly for electronic debits. You pre-authorize expected debits and reject everything else. If a criminal tries to pull money from your account using ACH, the transaction gets blocked unless you’ve specifically approved it.

The FFIEC issues guidance for financial institutions and encourages layered controls and strong authentication for online banking. Many banks offer tools like Positive Pay and ACH filters/blocks, but businesses still have to enroll and use them.

SMS vs. Authenticator Apps

SMS codes are better than nothing, but authenticator apps are safer. Attackers can sometimes bypass SMS codes via SIM swapping, where they persuade a mobile carrier to move your number to another SIM. Authenticator apps don’t rely on your phone number, so SIM swapping doesn’t work against them.

Frankly, we’re surprised more banks haven’t moved away from SMS entirely. SIM swapping attacks have been documented for years, yet SMS remains the default at most institutions. Ask your bank what multi-factor authentication options they offer beyond SMS. Look for authenticator app support (Microsoft Authenticator, Google Authenticator) or hardware security tokens.


Internal Controls That Reduce Social Engineering Risk

Bank security features are only half the equation. Internal controls are your primary payment fraud prevention layer, protecting against the social engineering that causes most losses. Often, attackers don’t need to break into the bank. They trick employees into giving them money.

Internal Controls Checklist

Establish a “Stop, Call, Confirm” verification protocol: Before changing any vendor’s bank account information or processing urgent payment requests, pause, call the requestor at a known phone number (not one from the email) to verify, and confirm the request is legitimate.

Train finance staff to recognize red flags: Business email compromise is behind billions in annual losses. Your team should treat rushed payment requests, vendor bank account changes, requests to bypass approval processes, executive impersonation, and requests for secrecy about financial transactions as high-risk.

Require separation of duties for payments: The person who enters a payment should not be the person who approves it. If you’re a small business where one person handles everything, consider having the owner review and approve all outgoing payments above a threshold.

Use a dedicated device for online banking: Banking trojans spread through malicious websites, email attachments, and infected software. Using a separate computer, Chromebook, or iPad only for banking significantly reduces your exposure.

Access bank sites through bookmarks only: Don’t type your bank’s URL or click links in emails. Typosquatting and phishing sites look convincingly similar to real banking portals.

The Stop, Call, Confirm Protocol

This simple protocol would have saved Elkin Valley Baptist Church $793,000. Before your finance team changes any vendor’s bank account information or processes an urgent payment request, they should:

Stop what you’re doing. Don’t react immediately to any payment change request.

Call the requestor at a known phone number. Never use a phone number from the email or invoice you just received. Use a number from a signed contract, your accounting system, or a previous bill.

Confirm the request is legitimate before processing anything.

The emails the church received looked legitimate. They included the contractor’s logos and existing email thread history. A phone call to the contractor’s known number would have revealed the fraud instantly.

At Adelia Risk, we help clients build verification protocols that prevent wire fraud and become second nature for their finance teams. A 30-second phone call is usually cheaper than hours of cleanup after a bad payment.

Red Flags Your Team Should Recognize

Verizon’s 2024 DBIR notes that pretexting incidents, most ending in Business Email Compromise (BEC), accounted for about one-fourth (24–25%) of financially motivated attacks. Payment workflows are a common target. Train anyone who handles payments to treat these as high-risk:

Urgent payment requests, especially by email

Changes to vendor bank account information

Requests to bypass normal approval processes

Messages from executives asking for immediate, secret payments

Requests for secrecy about financial transactions

Poor grammar or spelling in official communications

Why a Dedicated Banking Device Matters

Banking trojans are malware designed to steal online banking credentials. They spread through malicious websites, email attachments, and infected software downloads. Once installed, they can capture everything you type on your banking site or even modify what you see on screen.

Using a dedicated computer, Chromebook, or iPad only for banking reduces exposure. The device is used for banking only, not general web browsing, email attachments, or casual software installs.

Security researcher Brian Krebs recommends this as an online banking best practice for any business that moves meaningful funds electronically. At Adelia Risk, we recommend this to every client handling significant payment volume. A Chromebook or iPad costs a few hundred dollars. A wire fraud loss averages far more.

Questions to Ask Your Bank

Use this list during your next conversation with your bank’s treasury management or business banking representative. These treasury management security questions help you understand your options.

What MFA options do you offer beyond SMS? Look for authenticator apps or hardware tokens.

Do you support dual authorization for wires and ACH? Find out what thresholds can be set.

Are Check Positive Pay and ACH Positive Pay available? Ask if there are any fees.

If an unauthorized payment goes out, how is liability handled? Understand who bears the loss under different scenarios.

What is your fraud reporting process and response time? Get the direct phone number for reporting fraud.

Document the answers. If fraud occurs, having a record of what security features were offered and what you enabled matters for liability disputes.

Under UCC Article 4A, banks must offer “commercially reasonable security procedures.” Keep records of which security features your bank offers, which ones you’ve enabled, and your security decisions. This documentation protects you if there’s ever a dispute over fraud liability.

Ongoing Maintenance

Daily: Review transaction alerts: Don’t let alerts pile up unread. Small unexpected transactions can be an early signal that an account needs attention. We’ve seen cases where small $5-$10 test transactions preceded six-figure wire fraud by days. Catching them early makes the difference.

Monthly: Audit dual approval logs: Review who approved what. Look for patterns like the same two people always approving or approvals happening at unusual hours.

Quarterly: Update procedures and test controls: Review your verification protocols, update authorized signer lists, and run a test to make sure staff follow the process.
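The daily alert review above relies on a human noticing patterns across several days of notices. As an added illustration (not a tool from Adelia Risk or from any bank), the script below runs the same three checks over a constructed sample of outgoing payments: flag any payment at or above a large-payment threshold, flag the first payment to a payee that has not been vetted, and flag a small “test” debit to a payee that is followed within a short window by a large payment to the same payee. The ledger records, payee names, thresholds (large payment at $10,000, probe at $25 or less, 14-day window) and the vetted-payee list are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample ledger of outgoing payments from one business account.
# Payees, dates and amounts are invented for this example.
SAMPLE_LEDGER = [
    {"date": date(2025, 3, 3),  "payee": "acme-supplies", "amount": 4200.00,   "method": "ach"},
    {"date": date(2025, 3, 10), "payee": "northwind-llc", "amount": 7.50,      "method": "ach"},
    {"date": date(2025, 3, 12), "payee": "northwind-llc", "amount": 9.00,      "method": "ach"},
    {"date": date(2025, 3, 14), "payee": "northwind-llc", "amount": 148000.00, "method": "wire"},
    {"date": date(2025, 3, 17), "payee": "acme-supplies", "amount": 4300.00,   "method": "ach"},
]

# Constructed list of payees already verified through the callback process.
KNOWN_PAYEES = {"acme-supplies"}


def review_payments(ledger, known_payees=KNOWN_PAYEES, large_threshold=10_000.00,
                    probe_max=25.00, probe_window_days=14):
    """Scan outgoing payments in date order and return a list of alert dicts.

    Rules (thresholds are assumptions for the example):
      new-payee                 first payment ever seen to a payee not on the vetted list
      possible-test-transaction a small (<= probe_max) debit to a payee not on the vetted list
      probe-then-large          a large payment to a payee that received one or more small
                                debits within the previous probe_window_days
      large-payment             any other payment at or above large_threshold
    """
    alerts = []
    seen = set(known_payees)
    small_payments = defaultdict(list)  # payee -> dates of recent small debits
    window = timedelta(days=probe_window_days)

    for tx in sorted(ledger, key=lambda t: t["date"]):
        payee, amount, when = tx["payee"], tx["amount"], tx["date"]

        if payee not in seen:
            seen.add(payee)
            alerts.append({"date": when, "payee": payee, "amount": amount, "reason": "new-payee"})

        if amount <= probe_max:
            # Remember the probe so a later large payment to the same payee is linked to it.
            small_payments[payee].append(when)
            if payee not in known_payees:
                alerts.append({"date": when, "payee": payee, "amount": amount,
                               "reason": "possible-test-transaction"})
            continue

        if amount >= large_threshold:
            recent_probes = [d for d in small_payments[payee] if when - d <= window]
            reason = "probe-then-large" if recent_probes else "large-payment"
            alerts.append({"date": when, "payee": payee, "amount": amount, "reason": reason})

    return alerts


def alert_reasons(ledger, **kwargs):
    """Convenience wrapper: just the reason codes, in order, for a ledger."""
    return [a["reason"] for a in review_payments(ledger, **kwargs)]


if __name__ == "__main__":
    for alert in review_payments(SAMPLE_LEDGER):
        print(f'{alert["date"]}  {alert["payee"]:<15} {alert["amount"]:>12,.2f}  {alert["reason"]}')
```

On the sample ledger the two $7.50 and $9.00 debits to the unvetted payee are flagged on the day they post, and the $148,000 wire two days later is flagged as “probe-then-large” rather than as a generic large payment, which is the distinction a reviewer needs when deciding whether to call the bank’s fraud line. A real deployment would read the bank’s exported transaction file instead of the inline list; the rule logic is unchanged.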

Prevention beats recovery every time. According to the AFP 2024 Payments Fraud Survey, only 22% of organizations that experienced fraud recovered 75% or more of their losses. That’s down from 41% in 2023.

When you do discover fraud, speed matters. The FBI’s Recovery Asset Team reports a 66% success rate in freezing fraudulent transfers when businesses report quickly. After that window closes, recovery gets much harder. This is why we emphasize having your bank’s fraud hotline saved in multiple phones across your organization.

Ready to Implement These Controls?

How Adelia Risk Can Help

Implementing online banking security controls isn’t technically difficult, but it requires coordination across your bank, your finance team, and your IT systems. Many businesses put it off because nobody owns the project.

At Adelia Risk, we help small and mid-sized businesses implement practical banking controls as part of our Virtual CISO service. We work with your bank to enable the right security features, train your team on verification protocols, and document your controls for compliance and insurance purposes.

If you’re looking for a banking security checklist you can implement yourself, download our free resource above. If you want expert guidance on implementing online banking security for your business, let’s talk. We’re happy to walk through your current setup and recommend the next best steps.

What to Do When a Client Calls and Says They’ve Been Hacked
https://adeliarisk.com/client-account-compromise-response-guide/ (Mon, 16 Feb 2026 17:30:07 +0000)

In August 2024, Fidelity Investments disclosed that attackers accessed 77,099 customer accounts by exploiting the new account creation process. Names, Social Security numbers, and driver’s license information were exposed. A few months earlier, a hacker was sentenced to three years in prison for hijacking Charles Schwab brokerage accounts through credential stuffing—using username and password combinations leaked from other breaches.

Your clients read these headlines. And when something suspicious happens with their accounts, they call you.

At Adelia Risk, we help wealth management firms prepare for exactly this moment. Account takeover fraud hit $2.9 billion in losses in 2024, with financial services seeing a 122% year-over-year increase in attacks. Americans 60 and older—the core demographic for many RIAs—lost $4.9 billion to elder fraud in 2024.

Here’s what we’ve learned working with RIA clients over the years: by the time you’re getting that panicked phone call, you’re already in damage control mode. The breach happened. The attacker got in. Now you’re helping your client pick up the pieces. This client account compromise response guide will help you do that effectively—but the harder truth is that most of these incidents are entirely preventable. We’ll come back to that.

Verify the Caller First

This sounds counterintuitive when someone is panicking, but attackers sometimes impersonate frightened clients to trigger account changes. It’s a social engineering tactic that exploits your instinct to help.

When the call comes in, acknowledge the urgency: “I hear you, and we’re going to handle this. First, let me call you right back at the number we have on file—this protects both of us.”

Use your firm’s callback verification. Hang up and call the client at a phone number you already have on file—not one they just gave you. JPMorgan’s guidance on callback verification emphasizes that this single step prevents a surprising number of social engineering attacks.

Yes, this feels awkward when someone is upset. Do it anyway. A legitimate client will understand once you explain why.

The First 60 Seconds Set the Tone

When you call Mrs. Henderson back and confirm it’s really her, two things are happening at once. She’s scared and looking to you for reassurance. And you need information to understand how bad the situation is.

Most advisors instinctively want to jump into problem-solving mode. Slow down. The first minute matters more than you think.

Start documenting now. Date, time, client name, everything they tell you. Your notes may become part of a regulatory inquiry, insurance claim, or legal proceeding. Write down what questions you asked, what guidance you provided, and what actions were taken.

Lead with Compassion

Fraud victims—especially older clients—often feel ashamed. They think they should have known better. Research from financial institutions shows that leading with blame or skepticism causes victims to shut down and withhold details you need.

Start with something like: “Thank you for calling me. You did nothing wrong—these criminals are professionals. We’re going to work through this together.”

That single sentence accomplishes three things: it validates their decision to call you, removes the shame, and establishes that you’re on their side. Now they’ll tell you what actually happened.

Ask the Right First Questions

With the client calmer and talking, you need to quickly understand the scope:

“Which accounts do you believe are affected?” Get a list: email, brokerage, banking, credit cards.

“Are you still logged in anywhere right now?” If the attacker is actively inside, the client should log out of all sessions immediately.

“Have you seen any transactions you didn’t make?”

These questions give you the information you need to prioritize next steps.

Understanding What Actually Happened

Before you start telling the client to change passwords, you need to understand the scope of the account takeover. Rushing into fixes without assessment can actually make things worse.

The Email Question Changes Everything

Ask which accounts the client believes are affected. Get a list: email, brokerage, banking, credit cards.

Here’s the key insight: if their email is compromised, assume every account that uses that email for password resets is also at risk. Email is the master key. Attackers know this. They often target email first, specifically because it gives them access to everything else.

If the client says “just my Schwab account,” ask follow-up questions. How do they think the attacker got in? Did they click a link in an email? Enter credentials on a website that looked like Schwab but wasn’t? If phishing was involved, the email account needs scrutiny.

Check for Money Movement

Ask directly: “Have you seen any transactions you didn’t make? Have you received any confirmation emails for transfers you didn’t request?”

Speed matters here. The FBI runs something called the Financial Fraud Kill Chain, and they report a 66% success rate at freezing fraudulent wire transfers when they’re reported quickly. If money has moved, this becomes urgent.

Signs the Attacker Is Still Inside

Ask whether the client has received password reset emails they didn’t request, “new device login” alerts they don’t recognize, or been locked out of any accounts.

These signals tell you whether you’re dealing with a past breach that’s been contained or an active intrusion where the attacker is still inside. If the attacker still has access, everything you do next needs to happen faster.

The Right Order for Securing Accounts

Most people’s instinct when they’ve been hacked is to change every password immediately. That’s actually a mistake—and it’s why a structured client account compromise response matters. Order is everything.

Email First, Always

The email account controls password resets for everything else. If the attacker still has access to email, they can intercept reset links for banking, brokerage, and every other account tied to that address.

Have the client change their email password immediately. Then enable two-factor authentication. For clients who aren’t tech-savvy, explain it simply: “It’s a second lock on the door. Even if someone has your password, they also need a code from your phone to get in.”

But there’s a step most people miss. Have the client check their email settings for forwarding rules. Go to Settings > Forwarding and look for any rules they don’t recognize. Attackers routinely set up auto-forwarding so they continue receiving copies of the client’s emails even after the password changes. This is one of the most common persistence mechanisms, and it’s invisible unless you look for it.

Then Financial Accounts

Once the email is secured, move to brokerage and bank accounts. Change passwords—unique passwords for each, never reused. Enable two-factor authentication, preferably app-based (like Authy or Google Authenticator) rather than SMS, which can be intercepted through SIM swapping.

The Backdoors Most People Miss

Here’s something that isn’t in most client account compromise response guides: attackers often connect compromised accounts to third-party aggregation tools before they lose access.

Think about budgeting apps like Mint, or the data aggregators that power them like Yodlee. Once connected, these tools can view account balances and transaction history even after passwords change. The attacker creates a backdoor that persists through all your security improvements.

Have the client go to Security Settings > Third-Party Access (the exact location varies by platform) and revoke anything they don’t actively use. If they reconnect their legitimate budgeting app later, fine. But right now, close every door.

While you’re reviewing settings, check beneficiary designations. We’ve seen cases where attackers add themselves as contingent beneficiaries—it’s a long-game play, but it happens. Also, verify the trusted contact person on file hasn’t been changed to someone the client doesn’t know.

Beyond the Breached Accounts

Account compromise often leads to broader identity theft. The following identity theft recovery steps protect your client beyond the initial breach. The attacker who got into your client’s Schwab account probably saw 1099s, account statements, and enough personal information to cause problems far beyond that single account.

Credit Freezes Are Non-Negotiable

Have the client place credit freezes at all three bureaus. This is different from a fraud alert. A credit freeze actually blocks new account openings entirely. Fraud alerts just ask creditors to verify identity—and many don’t do it thoroughly.

Credit freezes are free to place and lift. The numbers:

Equifax: 800-349-9960

Experian: 888-397-3742

TransUnion: 888-909-8872

The FTC has detailed instructions if the client wants to do this online instead.

The Database Most People Forget

Here’s one that almost everyone misses: ChexSystems. This is the database banks use to approve new checking and savings accounts. If the attacker has your client’s SSN and enough personal information (which they probably do), they may try to open “mule” accounts at other banks to launder money.

Have the client place a ChexSystems security freeze as well.

Tax Fraud Prevention

If the attacker saw 1099s or tax documents in the compromised accounts, they have what they need to file a fraudulent tax return and claim a refund in the client’s name.

This is something we see wealth management clients overlook until tax season, when they try to file and discover someone already did. By then, it’s a months-long IRS dispute.

Have the client apply for an IRS Identity Protection PIN. Once they have it, the IRS won’t accept any tax return filed under their SSN without that 6-digit code.

Official Reports Create a Paper Trail

The client should file reports with:

IdentityTheft.gov — the FTC’s site creates an official Identity Theft Affidavit and personalized recovery plan

Local police (non-emergency line) — an official report helps dispute fraudulent accounts and is often required by banks

IC3.gov if significant fraud occurred — the FBI’s Internet Crime Complaint Center tracks cybercrime patterns and may help with fund recovery

These reports feel bureaucratic, but they create the paper trail needed to dispute fraudulent accounts, support insurance claims, and demonstrate due diligence.

Your Firm’s Responsibilities

Your client isn’t the only one with work to do. For RIAs, cybersecurity incident response extends beyond the client call—your firm has regulatory obligations and tools that can help.

FINRA Gives You Cover to Act

FINRA Rule 2165 provides a safe harbor for placing temporary holds on disbursements when financial exploitation is suspected. This applies to clients age 65 and older, or those 18+ with mental or physical impairment.

The rule allows an initial hold of up to 15 business days, extendable to 55 business days total if proper procedures are followed. You need to document your reasoning and notify authorized parties within 2 business days.

This is a powerful tool. If you suspect the client is being exploited—or that an attacker is still trying to move funds—you can pause disbursements while everything gets sorted out.

Use the Trusted Contact

FINRA Rule 4512 requires firms to make reasonable efforts to obtain trusted contact information for accounts. Now is when you use it.

Reach out to the trusted contact to help address the situation, verify that the client’s contact details haven’t been changed by an attacker, or confirm the client’s status if you’re having trouble reaching them.

Add Verification Requirements

Place a “verbal confirmation only” flag on the account. No money movements, address changes, or ACH link requests should be processed without verbal confirmation from the client at a phone number you already have on file.

This is manual and inconvenient. That’s the point. You’re creating friction that an attacker can’t easily overcome.

Regulatory Reporting

Broker-dealers must file SAR-SF for suspicious transactions of $5,000 or more. Determine whether the cybersecurity incident triggers that requirement. The SEC’s 2024 amendments to Regulation S-P also require incident response programs and customer notification within 30 days for data breaches—make sure your compliance officer knows what happened.

The Follow-Up Matters

The crisis doesn’t end with that first phone call. Most victims spend around 100 hours resolving identity theft, with some cases taking up to 22 months.

Check In Within 48 Hours

Call the client to check on their emotional state. Fraud victims experience shock, anger, shame, and betrayal. These are normal responses to a crime. Acknowledge it.

Also, verify that all the security changes actually got completed. It’s easy for a panicked client to miss steps or get confused about what they did and didn’t do. Confirm: email password changed? Two-factor authentication enabled? Credit freezes placed?

Review for Quiet Changes

Attackers sometimes make changes that don’t trigger immediate alerts but set up future theft. Have the client check:

Beneficiary designations for new names

Mailing address changes

New linked bank accounts

Mail forwarding with USPS (attackers forward physical mail to intercept replacement cards)

Social Security account at SSA.gov to ensure no one has claimed benefits

Set Up Ongoing Monitoring

Help the client enable comprehensive account alerts: new linked accounts, wire requests, ACH changes, address updates, and new device logins. Most platforms offer these notifications, but they’re often not enabled by default.

Remind them about the brokerage security guarantees. Schwab and Fidelity both offer protections against unauthorized activity—but they typically require reviewing statements within 30 days, and they may not cover losses if the client voluntarily provided credentials to an attacker through phishing.

The Uncomfortable Truth About Prevention

Everything in this client account compromise response guide is damage control. Important damage control, but damage control nonetheless.

The uncomfortable truth is that most account takeover incidents are entirely preventable. They happen because someone reused a password that was leaked in another breach. Or because they clicked a phishing link. Or because they didn’t have two-factor authentication enabled. Or because their computer was running unpatched software.

At Adelia Risk, we see this pattern repeatedly with our clients. After the crisis is handled, after the accounts are secured and the credit is frozen and the reports are filed, there’s a conversation about what could have prevented all of this. The answer is almost always: basic digital hygiene that wasn’t being followed.

62% of Americans reuse passwords. Your clients are probably among them. And every data breach—from LinkedIn to Marriott to whatever gets disclosed next month—feeds a database of credentials that attackers use to try logging into financial accounts.

Account takeover prevention isn’t glamorous work. The real work isn’t responding to the crisis; it’s convincing clients to take security seriously before the crisis happens. That’s harder. It requires ongoing education, periodic check-ins about whether they’re using a password manager, whether two-factor authentication is enabled on their email, and whether they know how to recognize phishing.

It’s also not billable, not exciting, and easy to deprioritize when there are portfolios to manage and markets to discuss.

But it’s the difference between getting that 2:47 PM phone call and not getting it.

Get the Complete Client Account Compromise Response Guide

We’ve created a printable Client Account Compromise Response Checklist that covers every step in this guide. It includes the exact questions to ask during the call, the correct order for securing accounts, all the phone numbers for credit bureaus and reporting agencies, and a documentation template for your notes.

Keep copies at every desk so your team knows what to do when that call comes in.

Building Prevention Into Your Practice

Responding well to client account compromise is one part of an RIA cybersecurity program. But the more valuable work is building the client education and security practices that prevent these incidents in the first place.

If you’re thinking about how to make digital hygiene part of your client relationships—or how to build the broader cybersecurity program that SEC Regulation S-P now requires—we can help.

Learn about our Virtual CISO service for wealth management →

27 Mac Security Settings for Regulated Businesses https://adeliarisk.com/27-mac-security-settings-for-regulated-businesses/ Mon, 16 Feb 2026 16:16:32 +0000 https://adeliarisk.com/?p=20463

In January 2026, the RansomHub ransomware group attacked Luxshare, one of Apple’s major manufacturing partners, stealing 3D CAD files, engineering documents, and personal information. We can’t know for sure if this was a problem with Mac security settings specifically, but it reflects a growing trend: criminals are paying attention to Apple’s ecosystem.

At Adelia Risk, we’ve watched Mac malware incidents climb 73% in the past year alone, according to the Moonlock 2025 macOS Threat Report. The “Macs don’t get viruses” era is over.

How to Secure Your Mac for Business Use

Most Mac security settings take minutes to configure, and they’re free. But many of them are turned off by default. Unlike Windows, macOS ships with the firewall disabled. If you’re running Macs in a healthcare practice, financial advisory firm, or any regulated business, you’re likely missing basic protections that auditors and insurers expect.

This guide walks through the Mac security settings that matter most for small businesses. You’ll learn what to turn on first, which sharing services to disable, and how to document your configuration for compliance purposes. We’ve also created a free Mac Security Settings Checklist you can download and work through with your team.


Priority Mac Security Settings: Your First-Hour Actions

Before you get into the details, here are the six settings that matter most. If you only do these, you’ll be ahead of most small businesses.

Enable FileVault encryption (System Settings > Privacy & Security > FileVault). This encrypts your entire drive. If a laptop gets stolen, the thief can’t access your files without the password.

Turn on the firewall (System Settings > Network > Firewall). Yes, it’s really off by default. This blocks unauthorized incoming connections.

Enable Stealth Mode (Firewall > Options > Enable stealth mode). This prevents your Mac from responding to network scans.

Require password immediately after sleep (System Settings > Lock Screen). Set it to “Immediately” so walking away from your desk doesn’t mean walking away from your data.

Verify Gatekeeper is on (run spctl --status in Terminal). This should say “assessments enabled.” Gatekeeper verifies that apps come from identified developers.

Enable automatic updates (System Settings > General > Software Update > Automatic Updates). Turn on all four options. Apple regularly releases patches for actively exploited vulnerabilities.


CHECKLIST EXTRACT

Urgent: Do These First

Enable FileVault encryption: Go to System Settings > Privacy & Security > FileVault > Turn On. Choose a recovery method (iCloud account or save a recovery key offline).

Enable the firewall: Go to System Settings > Network > Firewall > Turn On. Unlike Windows, the macOS firewall is OFF by default.

Enable Stealth Mode: In System Settings > Network > Firewall > Options, enable “Enable stealth mode.”

Get our complete Mac Security Settings Checklist with all 27 items, step-by-step instructions for each setting, and a section for documenting your configuration for auditors. Use this Mac security checklist to track your progress and ensure nothing gets missed.

The Firewall Problem Nobody Talks About

We see this constantly during security assessments: business owners assume their Macs are protected because Apple has a good security reputation. Then we check, and the firewall is off. These Mac security settings are often overlooked because owners assume everything is configured correctly out of the box. It’s not.

Enabling the firewall takes about 30 seconds. Go to System Settings > Network > Firewall and turn it on. Then click Options and enable Stealth Mode, which prevents your Mac from responding when someone scans your network for vulnerable devices.

Apple made a design decision years ago to ship macOS with the firewall disabled. The reasoning was that most home users are behind a router’s firewall anyway. But in a business context, especially with employees working from coffee shops and home networks, that assumption falls apart.

While you’re in firewall settings, consider enabling logging. Open Terminal and run: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on. This creates records that can help during incident investigations.

What About Third-Party Firewalls?

The built-in firewall handles incoming connections. If you want to monitor outgoing connections too (which app is “phoning home”?), consider LuLu from Objective-See. It’s free, open-source, and trusted in the Mac security community.

Sharing Services Are Attack Surfaces

Every Mac has a list of sharing services in System Settings > General > Sharing. Most of them are off by default, but we regularly find offices where someone enabled File Sharing or Screen Sharing during setup, then forgot about it.

Each enabled service is a door into your Mac. SSH (Remote Login) lets someone run commands remotely. Screen Sharing gives full visual access. File Sharing exposes your documents to anyone on the network.

Just disable anything you’re not actively using.

Remote Login (SSH): Off unless IT specifically needs it

Screen Sharing: Off unless you use remote support

Remote Management: Off unless you have Apple Remote Desktop

File Sharing: Off unless you need network file access

Bluetooth Sharing: Off (check Bluetooth > Advanced)

Internet Sharing: Off

Remote Apple Events: Off

One client we worked with had Screen Sharing enabled on every Mac in their office because their previous IT company set it up that way. Nobody was using it. It had been sitting there for three years, waiting for someone to discover it.

FileVault Is Not Optional for Regulated Businesses

If you handle client health records, financial data, or any sensitive information, FileVault encryption isn’t a nice-to-have. It’s a compliance requirement.

HIPAA requires encryption for electronic protected health information. FileVault uses AES-256 encryption, which satisfies this requirement. SOC 2 audits expect full-disk encryption on all endpoints. Cyber insurance applications specifically ask whether endpoints are encrypted.

Macs with Apple silicon (M1, M2, M3, M4 chips) do encrypt data by default at the hardware level. But FileVault adds something important: it requires your password at boot. Without FileVault, someone who steals your Mac while it’s in sleep mode might be able to access data. With FileVault, they hit a password wall.

To enable FileVault, go to System Settings > Privacy & Security > FileVault and click Turn On. You’ll choose a recovery method, either your iCloud account or a recovery key you store offline. Encryption happens in the background while you work.

The iCloud Compliance Problem

Something that catches businesses off guard: iCloud storage doesn’t meet the compliance requirements for most regulated industries. Apple will not sign a Business Associate Agreement for HIPAA, and similar issues exist for SOC 2, financial services regulations, and other frameworks that require specific vendor commitments.

If you’re storing client data in iCloud Drive, whether that’s patient records, financial documents, or legal files, you likely have a compliance gap. Use a cloud service that will sign the appropriate agreements for your industry and provides the audit trails your compliance framework requires.

The Settings Auditors Actually Check

When we conduct security assessments for clients preparing for SOC 2 or HIPAA audits, here’s what we’re looking for on their Macs:

Encryption: Is FileVault enabled? Can you prove it? (Take a screenshot or run fdesetup status in Terminal.)

Screen lock: Is there a password required after sleep, and how quickly? “Immediately” or “5 minutes” is acceptable. “Never” is a finding.

Automatic updates: Are all four update options enabled? Auditors want to see that security patches install automatically.

Firewall: Is it on? Is logging enabled for the investigation capability?

Sharing services: Are unnecessary services disabled?

MDM enrollment: For businesses with more than a handful of Macs, auditors expect some form of centralized management.

We’ve seen assessments fail over something as simple as the screen lock timeout being set to 30 minutes. Document your settings, take screenshots, and keep them with your compliance records.
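To make these checks repeatable, here is an added example script (not Adelia Risk’s checklist or tooling) that turns the output of the commands this article names (fdesetup status, spctl --status, csrutil status, and socketfilterfw) into PASS/FAIL findings you can keep with your compliance records; it goes one step beyond the article by also querying systemsetup -getremotelogin for the SSH sharing service. The match strings are what current macOS versions print, anything else is treated as a failure, and the live collection needs sudo.

```shell
#!/usr/bin/env bash
# Added example (not Adelia Risk's checklist or tooling): turns the output
# of the commands auditors ask about into PASS/FAIL findings. Each check_*
# function takes the command's output text as an argument, so the logic
# can be exercised offline with constructed strings; collect_live_audit
# gathers real output on a Mac (the firewall and systemsetup queries need
# sudo). Match strings are what current macOS prints; anything else fails.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
check_filevault() {
  case "$1" in
    *"FileVault is On"*) echo "PASS encryption: FileVault enabled"; return 0 ;;
    *)                   echo "FAIL encryption: FileVault not enabled"; return 1 ;;
  esac
}

# `spctl --status` prints "assessments enabled" or "assessments disabled"
check_gatekeeper() {
  case "$1" in
    *"assessments enabled"*) echo "PASS gatekeeper: assessments enabled"; return 0 ;;
    *)                       echo "FAIL gatekeeper: assessments disabled"; return 1 ;;
  esac
}

# `csrutil status` prints "System Integrity Protection status: enabled."
check_sip() {
  case "$1" in
    *"status: enabled"*) echo "PASS sip: enabled"; return 0 ;;
    *)                   echo "FAIL sip: disabled"; return 1 ;;
  esac
}

# socketfilterfw --getglobalstate prints "Firewall is enabled. (State = 1)"
# or "Firewall is disabled. (State = 0)"; --getstealthmode prints
# "Stealth mode enabled" / "Stealth mode disabled"; --getloggingmode
# prints "Log mode is on" / "Log mode is off". Logging off is only a WARN:
# auditors want it, but this script does not count it as a hard finding.
check_firewall() {  # $1 = global state, $2 = stealth mode, $3 = logging mode
  local rc=0
  case "$1" in
    *"Firewall is enabled"*) echo "PASS firewall: enabled" ;;
    *) echo "FAIL firewall: disabled (macOS ships it off)"; rc=1 ;;
  esac
  case "$2" in
    *"Stealth mode enabled"*) echo "PASS firewall: stealth mode on" ;;
    *) echo "FAIL firewall: stealth mode off"; rc=1 ;;
  esac
  case "$3" in
    *"Log mode is on"*) echo "PASS firewall: logging on" ;;
    *) echo "WARN firewall: logging off (enable it for investigations)" ;;
  esac
  return "$rc"
}

# `systemsetup -getremotelogin` prints "Remote Login: Off" or "Remote Login: On"
check_remote_login() {
  case "$1" in
    *"Remote Login: Off"*) echo "PASS sharing: SSH (Remote Login) off"; return 0 ;;
    *)                     echo "FAIL sharing: SSH (Remote Login) on"; return 1 ;;
  esac
}

# Runs every check on the given outputs, prints a summary line, and returns
# the number of FAIL findings (0 means the Mac passes this audit).
# Arguments: filevault gatekeeper sip fw_state fw_stealth fw_log remote_login
audit_outputs() {
  local fails=0
  check_filevault "$1"          || fails=$((fails + 1))
  check_gatekeeper "$2"         || fails=$((fails + 1))
  check_sip "$3"                || fails=$((fails + 1))
  check_firewall "$4" "$5" "$6" || fails=$((fails + 1))
  check_remote_login "$7"       || fails=$((fails + 1))
  echo "SUMMARY $fails finding(s)"
  return "$fails"
}

# On a real Mac: collect live output and audit it. The non-zero exit code
# on findings makes this usable from an MDM script or a scheduled job.
collect_live_audit() {
  local fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  audit_outputs \
    "$(fdesetup status 2>&1)" \
    "$(spctl --status 2>&1)" \
    "$(csrutil status 2>&1)" \
    "$(sudo "$fw" --getglobalstate 2>&1)" \
    "$(sudo "$fw" --getstealthmode 2>&1)" \
    "$(sudo "$fw" --getloggingmode 2>&1)" \
    "$(sudo systemsetup -getremotelogin 2>&1)"
}

# Only run the live audit when this is executed on macOS.
case "$(uname -s)" in
  Darwin) collect_live_audit ;;
esac
```

Save the PASS/FAIL lines alongside your screenshots; the SUMMARY count gives you a single number per Mac to track quarter over quarter.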

Network Hardening for Mobile Workers

Two settings matter especially for laptops that travel: Wake for Network Access and Power Nap.

Wake for Network Access allows your Mac to be woken remotely over the network. That’s useful for IT management but also means attackers could potentially wake your device. Unless you have a specific IT reason to leave it on, disable it in System Settings > Battery > Options.

Power Nap is trickier. When Power Nap is enabled, and your Mac is sleeping, it still connects to networks to check email, download updates, and sync data. But FileVault stays unlocked during Power Nap. Your “sleeping” Mac is actually quite awake from a security perspective.

For laptops that leave the office, disable Power Nap in System Settings > Battery. Your Mac will be a bit less convenient, but your encrypted drive will actually stay encrypted when closed.

How Mac Malware Survives Even If You Reboot

Every piece of Mac malware discovered in recent years uses the same trick to survive reboots: Launch Agents and Launch Daemons. These are small configuration files that tell macOS to run programs automatically at startup or login.

Legitimate software uses them too. Your VPN probably has a Launch Agent. So does Dropbox. The problem is malware hiding among the legitimate items.

You can audit these locations manually:

  • ~/Library/LaunchAgents/ (your user’s startup items)
  • /Library/LaunchAgents/ (system-wide startup items)
  • /Library/LaunchDaemons/ (system services)

Look for unfamiliar entries, especially anything that appeared recently. If you’re not sure what something is, search for its name online before removing it.

For ongoing protection, install KnockKnock from Objective-See. It scans all persistence locations and shows you what’s set to run at startup. BlockBlock, from the same developer, alerts you in real-time when new items are added.
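As an added example (not Adelia Risk’s or Objective-See’s code), here is a small script that does the manual audit described above for the three launchd folders: it prints each plist’s Label, the program it launches, and its modification date, and flags anything modified in the last 30 days so unfamiliar recent entries stand out. It assumes XML plists (convert a binary one with plutil -convert xml1 first) and makes no attempt to judge whether an item is malicious; that is still your job, with a search for the name before removing it.

```shell
#!/usr/bin/env bash
# Added example (not Adelia Risk's or Objective-See's code): a minimal audit
# of the launchd persistence folders named in the article. For every .plist
# it prints a flag, the modification date, the Label, and the program that
# gets launched, and marks items modified within the last N days as RECENT
# so unfamiliar new entries stand out. Plists are assumed to be XML
# (convert binary ones with `plutil -convert xml1 FILE` first).

# Prints the first <string> value that follows <key>$1</key> in plist $2.
# Works for a plain string value (Label, Program) and for the first entry
# of an <array> (ProgramArguments). Prints nothing if the key is absent.
plist_value() {  # $1 = key name, $2 = plist path
  sed -nE "/<key>$1<\/key>/,/<\/(string|array)>/{s/.*<string>(.*)<\/string>.*/\1/p;}" "$2" \
    | head -n 1
}

# Portable YYYY-MM-DD modification date: GNU stat first, BSD (macOS) stat
# as the fallback when the GNU option is rejected.
mtime_date() {  # $1 = file path
  stat -c %y "$1" 2>/dev/null | cut -d' ' -f1 | grep . \
    || stat -f %Sm -t %Y-%m-%d "$1"
}

# Lists every .plist in directory $1 as tab-separated lines:
#   FLAG<TAB>YYYY-MM-DD<TAB>label<TAB>program
# FLAG is RECENT when the file was modified within the last $2 days
# (default 30), otherwise ok.
list_persistence_items() {  # $1 = directory, $2 = days
  local dir="$1" days="${2:-30}" plist label program mtime flag
  for plist in "$dir"/*.plist; do
    [ -f "$plist" ] || continue
    label=$(plist_value Label "$plist")
    program=$(plist_value ProgramArguments "$plist")
    [ -n "$program" ] || program=$(plist_value Program "$plist")
    mtime=$(mtime_date "$plist")
    if [ -n "$(find "$plist" -mtime -"$days")" ]; then
      flag=RECENT
    else
      flag=ok
    fi
    printf '%s\t%s\t%s\t%s\n' "$flag" "$mtime" "${label:-?}" "${program:-?}"
  done
}

# Prints the number of RECENT items in directory $1 within $2 days.
count_recent_items() {
  list_persistence_items "$1" "$2" | awk -F '\t' '$1 == "RECENT" { n++ } END { print n + 0 }'
}

# Walks the three folders from the article. The plists are plain
# configuration files, so LaunchDaemons can be read without sudo.
audit_launchd_persistence() {  # $1 = days (default 30)
  local d
  for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
    [ -d "$d" ] || continue
    echo "== $d"
    list_persistence_items "$d" "${1:-30}"
  done
}

audit_launchd_persistence "${1:-30}"
```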

Mac Security Settings for Multiple Macs

The biggest mistake we see in mixed Windows and Mac environments is this: the Macs are completely unmanaged.

Most businesses with outsourced IT have their Windows machines locked down with an RMM tool (Remote Monitoring and Management). The IT company pushes updates, enforces policies, and monitors for issues. But when you look at the Macs in the same office, they’re often running on their own with no central management at all.

RMM tools designed for Windows don’t manage Macs well. They might be able to push a software update or run a script, but they can’t enforce FileVault encryption, lock down sharing services, or verify that security settings stay configured. Companies don’t realize this until they start digging into the settings on their Macs and find that everything is wide open.

If you’re managing more than two or three Macs, you need a Mac-specific solution. Mobile Device Management (MDM) built for Apple devices lets you push security policies to all your Macs, force settings to remain enabled, and verify compliance from a central dashboard. MDM makes macOS hardening consistent across your entire fleet.

Options for small businesses (pricing as of early 2026):

  • Apple Business Essentials: $2.99-$12.99/user/month, native Apple integration
  • Jamf Now: Starting around $4/device/month, entry-level but limited features
  • Mosyle: Lower cost tier, simple setup
  • Kandji: Starting around $10/Mac/month, 200+ pre-built automations

The investment pays off in time saved and compliance confidence. When an auditor asks “how do you ensure all Macs have encryption enabled?”, you can pull up a dashboard instead of walking desk to desk. And if your IT company says their RMM tool “handles” your Macs, ask them to show you exactly which security settings are being enforced. You might not like what you find.

Cyber Insurance Expectations Are Rising

Cyber insurance applications have gotten specific about endpoint security. According to an Allcovered industry survey, about 80% of insurers now require multi-factor authentication on all systems, and 65% expect endpoint detection and response (EDR) tools on all devices.

The built-in Mac protections (Gatekeeper, XProtect, the firewall) provide a baseline. But they weren’t designed for sophisticated targeted attacks or enterprise compliance requirements. If your insurance application asks about EDR, the answer should probably include something beyond the defaults.

EDR options for Macs include Jamf Protect, SentinelOne, CrowdStrike, and Huntress. The choice depends on your budget and whether you want managed detection (someone watching the alerts) or just the software.

In a Sophos survey of 5,000 cybersecurity executives, only 1% said they were fully compensated on cyber insurance claims, with the average payout covering just 63% of costs. Misrepresentation about security controls is a leading cause of denied or reduced claims. When you fill out that application, make sure you can back up your answers.

Do Today, This Week, This Month

Do Today

Enable FileVault (takes 30 seconds to start, runs in the background)

Turn on the firewall and Stealth Mode

Set the screen lock to require a password immediately

Check that automatic updates are enabled

Do This Week

Review and disable unnecessary sharing services

Disable Wake for Network Access and Power Nap on laptops

Run spctl --status and csrutil status to verify Gatekeeper and SIP

Install KnockKnock and scan for persistence items

Do This Month

Document all security settings for compliance records

Evaluate MDM solutions if managing 5+ Macs

Review Full Disk Access permissions for unexpected apps

Check if your cloud storage meets compliance requirements

When to Get Professional Help

The settings in this guide are things any Mac user can configure. But some situations call for professional support:

You’re preparing for SOC 2 or HIPAA certification. An auditor will want to see documented policies, not just configured settings. You’ll need someone who understands both the technical configuration and the compliance documentation.

You manage 20+ Macs. MDM deployment and policy design benefit from experience. Getting it right the first time saves headaches.

You’ve had a security incident. Post-incident hardening should be thorough, and it helps to have someone who knows what to look for.

You’re unsure whether your current setup meets insurance requirements. Before signing that application, it’s worth having someone verify your answers.

At Adelia Risk, we help small and mid-sized regulated businesses configure and document their security settings. As part of our Virtual CISO service, we automatically scan your Mac computers for these settings and provide you and your I.T. team a specific, actionable report about how to fix each computer.

Download the Complete Checklist

We’ve packaged everything in this article into a printable Mac Security Settings Checklist. It includes all 27 configuration items, organized by priority, with step-by-step instructions and space to document your settings for auditors.

Get the Mac Security Settings Checklist and work through it with your team. Keep a copy with your compliance documentation.

Bookmark this and revisit quarterly. Apple releases major security updates with each macOS version, and your settings may need adjustment. Or, better yet, work with us to make sure your Macs are secure.

AI Acceptable Use Policy Template: A Complete Guide for Your Organization
https://adeliarisk.com/ai-acceptable-use-policy-template/
Sun, 18 Jan 2026 19:34:10 +0000
https://adeliarisk.com/?p=20150

In the early days of ChatGPT, a Samsung engineer pasted proprietary source code into ChatGPT to help debug a problem. Within weeks, Samsung had banned all employee use of generative AI tools, but the damage was done. That code was now part of OpenAI’s training data, and Samsung had no way to get it back.

The engineer wasn’t being careless. He was trying to work faster. And that’s the real problem: your employees are already using AI tools, often without realizing the risks. As employees use generative AI for work more and more, clear policies are no longer optional. An AI acceptable use policy template gives you a way to say “yes” to AI while drawing clear lines around what’s off-limits.

As part of our vCISO work at Adelia Risk, clients have been asking in nearly every meeting, “How can our team safely use AI?” As AI tools become more common and more powerful, it’s critical for heavily regulated companies to get this right.

Who Needs an AI Acceptable Use Policy?

If you manage people who touch keyboards, you need an AI policy. This isn’t limited to tech companies. Law firms, financial advisors, healthcare providers, government contractors, HR teams, marketing departments, and any group handling sensitive information need clear rules for AI use. We’ve found that most companies have many more people using AI than they think, and they don’t fully understand the security risks that unmanaged generative AI use creates. Having an AI policy for employees protects both your organization and your team members.

Specific roles that should care about this:

  • CISOs and IT directors responsible for data protection
  • Compliance officers at regulated firms (SEC, HIPAA, CMMC)
  • HR leaders drafting employee handbooks
  • Operations managers overseeing productivity tools
  • Business owners at companies with 20-500 employees

What usually triggers the need for a policy:

  • A client asks about your AI practices during due diligence
  • An auditor wants to see documented controls around AI
  • Someone on your team asks if they can use ChatGPT for client work
  • Your company adopted Microsoft 365 Copilot, and nobody talked about the rules
  • You read about another company’s AI-related data leak

The good news is that you don’t have to write this from scratch. Below is a complete artificial intelligence policy template we put together for our clients, which you can adapt for your organization. We’ll walk through each section, explain why it matters, and show you how to customize it for your situation.


The Complete AI Acceptable Use Policy Template

Below, you’ll find our full policy template. Each section appears in a quoted block, followed by guidance on how to adapt it. Feel free to copy and paste, or enter your email to get access to a fully editable version.


Section 1: Introduction

POLICY TEMPLATE EXTRACT

Introduction

This policy establishes guidelines for safe and compliant use of AI technologies at (COMPANY NAME) to protect sensitive data, maintain regulatory compliance, and preserve competitive advantage while enabling productive AI adoption.

Why this section matters: The introduction sets the tone. Notice it doesn’t lead with fear or restrictions. Instead, it frames AI adoption as something the company supports, within guardrails.

How to customize it: Replace “(COMPANY NAME)” with your organization’s name. If your company has specific strategic priorities around AI (like “becoming an AI-first organization”), you can add a sentence acknowledging that goal while noting the need for safeguards.

Common mistake: Writing an introduction that sounds like you’re trying to stop AI use entirely. Employees will ignore policies that feel out of touch with how they actually work.


Section 2: Purpose and Scope

POLICY TEMPLATE EXTRACT

Purpose and Scope

2.1 Scope

Applies to all employees, contractors, and third parties using AI tools for business purposes with company data or on behalf of (COMPANY NAME).

2.2 Integration with Existing Policies

This policy works in conjunction with the company’s:

  • Information Security Policy
  • Data Classification and Handling Policy
  • Third-Party Risk Management Policy
  • Incident Response Plan
  • Code of Conduct
  • Intellectual Property Policy
  • Training and Awareness Program
  • Disciplinary Action Policy

Why this section matters: Scope defines who has to follow the rules. Without it, contractors and vendors might assume the policy doesn’t apply to them.

How to customize it:

* If you use staffing agencies or offshore teams, call them out specifically in the scope
* Review the “Integration” list—remove any policies your company doesn’t have yet
* Add policies that are specific to your industry (e.g., “HIPAA Privacy Policy” for healthcare, “Investment Advisory Procedures” for RIAs)

For smaller companies: If you don’t have all eight of these policies, that’s fine. List what you have. This template assumes a relatively mature compliance program. A 25-person company might only reference their employee handbook and data handling guidelines.


Section 3: Definitions

POLICY TEMPLATE EXTRACT

Definitions

Artificial Intelligence (AI), Large Language Models (LLMs), and Generative AI: These terms are used interchangeably in this policy to refer to computer systems that generate text, images, code, or other content based on user inputs (examples: ChatGPT, Claude, Gemini, Copilot).

Built-in AI Features: AI capabilities integrated into existing business tools (examples: Zoom’s meeting summaries, Microsoft 365 Copilot, Gmail’s Smart Compose).

Sensitive Data: Information classified as Confidential, Restricted, or Regulated under the company’s Data Classification Policy, including (edit based on your industry):

  • Personal Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Financial account information
  • Proprietary business information
  • Source code and technical documentation
  • Customer data
  • Third-party confidential information

AI Hallucination: False or misleading information generated by AI and presented as fact.

Why this section matters: People often don’t realize that Zoom’s meeting summary feature, Gmail’s “Smart Compose,” and even Grammarly all count as AI. The definitions make it clear that built-in AI features are in scope—not just standalone chatbots.

Industry-Specific Additions:


Section 4: AI Acceptable Use Guidelines

POLICY TEMPLATE EXTRACT

Acceptable Use Guidelines

(Note: Customize these lists based on your organization’s specific needs and risk tolerance. These are only examples.)

Approved Use Cases

  • Drafting and editing non-sensitive internal documents
  • Summarizing publicly available information
  • Brainstorming and ideation with non-confidential topics
  • Writing and debugging non-proprietary code
  • Analyzing anonymized or synthetic data
  • Creating training materials with public information
  • Improving internal processes using data stripped of identifying info


Prohibited Uses

  • Processing sensitive data without documented exception
  • Making critical autonomous decisions
  • Creating deceptive content or deepfakes
  • Bypassing security controls or company policies
  • Violating laws, regulations, or ethical standards
  • Processing regulated data in non-compliant tools
  • Uploading proprietary code, trade secrets, or competitive information


Conditional Use Cases (Requires Review and Approval)

  • Customer-facing content generation (requires human review and approval)
  • Analysis of de-identified customer data
  • Integration with internal systems or databases
  • Development of AI-powered features or products
  • Use of AI in regulated business processes
  • Built-in AI features in approved tools for processing meeting recordings or emails
  • External communications using AI-generated content

Why this section matters: This is the heart of your policy. It tells employees what they can do without asking, what’s off-limits, and what needs approval. The three-tier structure (approved/prohibited/conditional) prevents the policy from being either too restrictive or too vague.

How to customize it:

For the Approved list:

* Be specific about what “non-sensitive” means by referencing your data classification policy
* Add use cases that match how your teams actually work (e.g., “Generating first drafts of marketing copy for internal review”)

For the Prohibited list:

* Call out specific data types that should never go into AI tools
* For regulated industries, reference the relevant rule (e.g., “Inputting data subject to SEC Rule 17a-4 retention requirements”)

For the Conditional list:

* Make the approval process clear (we’ll cover that in Section 6)
* Consider adding: “Using AI transcription during client meetings (requires advance notice to all participants).”

Size-Based Adjustments:


Section 5: Data Handling and Security

POLICY TEMPLATE EXTRACT

Data Handling and Security

Core Principle

The Public Test: Before inputting any information into an AI tool, ask: “Would I post this publicly on the internet?” If no, do not input it.

User Accountability

Critical: The person using AI is fully responsible for:

  • Verifying all outputs for accuracy
  • Catching and correcting any errors or hallucinations
  • Ensuring compliance with this policy
  • Any consequences of AI-generated content they approve or distribute

AI is a tool. Like any tool, the person using it bears responsibility for the results. AI errors become your errors if you fail to catch them.

Data Input Restrictions

Never Input:

  • Passwords, API keys, or credentials
  • Customer PII or payment information
  • Proprietary algorithms or source code
  • Confidential business strategies
  • Information subject to legal privilege
  • Any data you wouldn’t post publicly

May Input:

  • Public information
  • Properly anonymized data
  • General questions without sensitive context
  • Non-proprietary code examples

Why this section matters: This section addresses the question we hear constantly: ‘What happens to data I put into AI tools?’ Here’s a general rule of thumb:

1. If you’re using a paid, well-known LLM tool (like ChatGPT, Claude, and Gemini) that is administered by your IT and security team, then it’s usually safe to use any kind of data.
2. If you’re using a free LLM tool, or one that isn’t administered by your IT and security team, then generative AI data security really comes down to one simple rule: assume that anything you enter into these systems could become public.

The “Public Test” gives employees a simple mental model. If they wouldn’t post it on LinkedIn, they shouldn’t paste it into an AI tool that isn’t provided by their company.

How to customize it:

Add industry-specific “Never Input” items:

  • Healthcare: “Patient names, dates of birth, or any PHI as defined by HIPAA.”
  • Financial services: “Client account numbers, portfolio holdings, or trade recommendations.”
  • Legal: “Client names, matter details, or privileged communications.”

Your list will look different. You may have enough safety measures in place that you’re comfortable using your AI tools to process proprietary source code or sensitive client data.

A note on enterprise vs. consumer tools: Many employees don’t know the difference. Consumer tools (free ChatGPT, personal Copilot accounts) often use your inputs for model training. Enterprise tools with proper agreements typically don’t, but you need to verify this with each vendor. We’ll cover approved tools in the next section.


Section 6: Approved Tools and Access

POLICY TEMPLATE EXTRACT

Approved Tools and Access

Approved Enterprise AI Tools:
(List your approved enterprise licenses)

  • Example: Microsoft Copilot for Business – general document assistance
  • Example: GitHub Copilot – code development

Built-in AI Features:
(List approved features in existing tools)

  • Example: Zoom AI Companion – if a recording notice is given
  • Example: Slack AI – for public channel summaries only

Restricted Tools:
(List tools requiring special authorization)

  • Example: Custom API integrations
  • Example: AI tools with database access
  • Example: AI services (like Google Gemini or AWS Bedrock) that can be accessed from self-hosted software applications or workflows

Prohibited Tools:

  • Free/consumer versions of AI services for business use
  • Personal accounts for any business-related AI usage
  • Unapproved browser extensions or plugins
  • Any tool not explicitly approved

New Tool Approval Process
(Describe your existing procurement/security review process here.)

Example: Submit requests for new AI tools through the standard IT procurement process. Your IT and Security team will review to assess data handling, compliance certifications, and vendor agreements before approval.

Account Management

  • Use only company-provided AI accounts
  • Enable multi-factor authentication (MFA) when available
  • Never share login credentials
  • Report unauthorized tool usage immediately

Why this section matters: This answers several questions at once: “Do I need separate policies for ChatGPT, Copilot, and Zoom summaries?” (No—this section covers all of them.) “Can employees use personal AI accounts for work tasks?” (No—see Prohibited Tools.) “How do I handle AI tools embedded in software we already use?” (List them under Built-in AI Features with any restrictions.)

How to customize it:

1. Audit what you already have. Before filling in this section, inventory the AI capabilities in your current software stack. Microsoft 365, Google Workspace, Slack, Zoom, Salesforce, and HubSpot—most major platforms now include AI features. List them explicitly.

2. Distinguish between enterprise and consumer versions. For each tool, note which version you’re approving. “ChatGPT Enterprise” and “ChatGPT Free” have very different data handling practices.

3. Handle browser extensions carefully. Tools like Grammarly, Jasper, and dozens of others install as browser extensions and can see everything in the browser window. Either approve them explicitly with documented data handling practices, or add them to your prohibited list.

Enterprise vs. Consumer: A Quick Reference


Section 7: Roles and Responsibilities

POLICY TEMPLATE EXTRACT

Roles & Responsibilities

All Users

  • Follow this policy completely
  • Verify all AI outputs before use
  • Report policy violations per existing procedures

Managers

  • Approve conditional use cases for their teams
  • Review AI-generated content as appropriate
  • Ensure team compliance

IT/Security Team

  • Maintain the approved tools list
  • Configure privacy settings and access controls on all AI platforms
  • Monitor usage for security and compliance
  • Conduct vendor security assessments
  • Disable access upon employee termination

Legal/Compliance Team

  • Monitor regulatory requirements
  • Update policy for new regulations
  • Review AI vendor agreements

Why this section matters: Policies are just words on paper until they’re put into action. You need to make it clear who approves requests for new AI tools, who monitors for violations, and who keeps the policy updated.

How to customize it:

* Match these roles to your actual org structure. A 30-person company might have the CEO handling “Manager” responsibilities and an outsourced IT provider handling the “IT/Security Team” tasks.
* Add a review cadence: “This policy will be reviewed quarterly by the IT/Security Team and updated as new tools or regulations emerge.”


Section 8: Compliance and Regulations

POLICY TEMPLATE EXTRACT

Compliance & Regulations

General Requirements

All AI use must comply with applicable laws and regulations. Users remain responsible for compliance regardless of AI assistance.

Industry-Specific Considerations

(Select and customize relevant sections:)

  • Healthcare (HIPAA): AI tools processing PHI require Business Associate Agreements.
  • Financial Services (SEC/FINRA): AI-generated client communications need appropriate disclosures and supervisory review.
  • Government Contractors (CMMC): CUI requires FedRAMP-authorized or on-premise AI solutions only.
  • Payment Card Industry (PCI-DSS): No cardholder data in any AI tool not certified for PCI compliance.
  • Legal Services: Jurisdiction-specific disclosure requirements for AI use in client work.

Documentation Requirements

  • Log AI use in regulated processes
  • Document AI involvement in client deliverables
  • Maintain records per existing retention policies

Why this section matters: Artificial intelligence regulatory compliance varies dramatically by industry. A wealth management firm needs SEC/FINRA language. A healthcare company needs HIPAA language. A government contractor needs CMMC/FedRAMP language. Most companies can delete the sections that don’t apply.

How to customize it:

* Keep only your industry’s section(s). A dental practice doesn’t need the government contractor language.
* Add specific disclosure language. For financial services, consider adding: “AI-generated content in client communications must be reviewed by a registered principal before distribution. Disclosures should note when AI tools assisted in content creation, per current FINRA guidance on supervision.”
* Reference your retention schedule. If you have a records retention policy, cite it specifically for AI-related documentation.


Section 9: Built-In AI Features

POLICY TEMPLATE EXTRACT

Built-In AI Features

(Examples only, please customize)

Meeting and Communication Platforms
AI features in approved platforms (meeting transcription, email summaries, chat assistance) may be used when:

  • All participants are notified
  • No confidential information is discussed
  • Features are configured per IT security standards
  • Outputs are treated with the same caution as direct AI tool usage

Productivity Software
AI features in Microsoft 365, Google Workspace, or similar platforms:

  • Must be centrally managed by IT
  • Should be disabled by default for high-risk departments
  • Require the same data handling precautions as standalone AI tools

Why this section matters: Companies often need different rules (which are often more lenient) for built-in AI tools, like Microsoft Copilot, Google Gemini, Zoom’s AI features, etc. The rationale is that these tools are “inside the walled garden” of platforms like Microsoft and Google, and are covered by the same security programs as the company’s email and productivity tools.

This also addresses an important legal and compliance question: “Do I need consent before enabling AI meeting transcription?” Short answer: yes. The participant notification requirement protects you from recording people without their knowledge, which has legal implications in many states.

How to customize it:

* List the specific platforms you use and their AI features
* For meeting transcription, add: “Recording and AI transcription must be announced at the start of each meeting. Participants may request that the recording be stopped for sensitive discussions.”
* Consider which departments should have AI features disabled by default (HR, Legal, and Executive teams often fall into this category due to the sensitive nature of their communications)


Frequently Asked Questions

What AI tools are my employees already using without my knowledge?

More than you think. A 2024 survey found that over half of employees using AI at work haven’t told their employers. This is exactly why an AI usage policy that addresses shadow IT is essential. The most common shadow uses of AI tools that we see with our clients include:

  • ChatGPT (free version) for drafting emails and documents
  • Grammarly for writing assistance
  • AI features built into browsers (Edge, Chrome)
  • Bing Chat / Copilot through Microsoft Edge
  • AI transcription apps for meeting notes

To find out what’s actually in use, consider running an anonymous survey before rolling out your policy. Better yet, ask your I.T. team to use their monitoring tools to look for which AI tools people are using across the company.

What’s the difference between free tools and paid/business tools for data privacy?

Free tools may train on your data; business tools typically don’t (but verify this in the settings and legal agreement).

For example, when you use ChatGPT Free, OpenAI’s terms allow them to use your conversations to improve their models, unless you opt out in settings, which most people don’t know about. ChatGPT Enterprise and Team plans include contractual commitments that your data won’t be used for training.

This same pattern applies to most AI tools. The free version is the product testing ground, and your data and inputs help make it better. The paid version treats your data as confidential. Always ask for a vendor’s data processing agreement (DPA) and confirm training exclusions in writing.

Who is liable when AI-generated content contains errors—the employee or the company?

Both, depending on the situation. Here’s how to think about it:

The company is liable for harm caused by AI-generated content distributed to clients or the public. If your marketing team publishes an AI-written blog post with false claims, the company owns that liability.

The employee may face disciplinary action if they violate policy, for example by failing to review AI outputs before publishing, or by inputting prohibited data into an AI tool.

This is why the “User Accountability” section of the AI acceptable use policy template states that the person using AI is responsible for verifying outputs. When someone signs off on AI-generated content, they’re taking ownership of it.

How do I handle contractors and third parties using AI with our data?

Add AI requirements to your vendor contracts and contractor agreements. At a minimum, include:

  1. A clause requiring the third party to follow your AI acceptable use policy (or provide their own equivalent policy for your review)
  2. Notification requirements if they intend to use AI tools with your data
  3. Restrictions on which AI tools they can use and for what purposes
  4. Data handling requirements that match or exceed your internal standards

For existing contracts, send a written notice clarifying your expectations. Some companies might find it appropriate to add an AI addendum to their master service agreements that all vendors must sign.

What training do employees need before using approved AI tools?

At a minimum, cover these three areas:

  1. What data can and cannot be entered — Walk through specific examples. For example, “A client’s name” isn’t allowed. “A generic question about retirement planning” is fine.
  2. How to verify AI outputs — AI makes confident mistakes. Train employees to fact-check statistics, verify cited sources actually exist, and check calculations independently.
  3. How to request access to new tools — Make the approval process clear so employees don’t just sign up for consumer accounts on their own.

Many companies add a short AI awareness module to their annual security training. Others require employees to acknowledge the policy in writing before being granted access to AI tools.


Putting Your AI Acceptable Use Policy to Work

We hope this helps you get started. Most organizations can adapt this AI acceptable use policy template themselves. Every AI policy for companies should be customized to fit the organization’s specific risk profile. Start by customizing the Sensitive Data definitions and Approved Tools lists for your situation. Get input from IT, Legal, and department heads who understand how your teams actually work.

And if you get stuck on the tricky parts—like what counts as ‘de-identified’ data or how to handle that one department that’s already using five different AI tools—we’re happy to take a look. Get in touch, and we’ll see how we can help.

Windows 11 Security Settings That Stop Ransomware Before It Starts
https://adeliarisk.com/windows-11-security-features/
Thu, 11 Sep 2025 18:36:42 +0000
https://adeliarisk.com/?p=15281

Picture this: Your office manager clicks on what looks like a routine invoice email. Within hours, every computer in your practice displays a message demanding $50,000 in Bitcoin to unlock your patient files. Your appointments, billing records, and years of patient data are all frozen. This isn’t hypothetical fear-mongering. Jefferson Dental Center in Indiana faced exactly this scenario in November 2024, affecting over 12,000 patient records.

Image: Windows 11 security dashboard on a business laptop preventing ransomware

The kicker? Most ransomware attacks exploit security gaps that Windows 11 already has tools to close. You just need to turn them on.

I regularly audit Windows 11 security settings for small and mid-sized businesses, and here’s what stands out: about 70% of the companies I work with have the security features they need built right into Windows, but they’re not configured properly. We’re talking about businesses losing an average of $2.73 million per ransomware incident, when many attacks could be blocked with settings that take minutes to enable.

Start Here: Your Priority Windows 11 Security Actions

Before diving into comprehensive security configurations, here are the settings that prevent ransomware attacks most effectively. Each one addresses a specific vulnerability that ransomware groups actively exploit:

Enable Windows Hello (15 minutes) – Blocks password-stealing malware that captures keystrokes. When you use fingerprint or facial recognition, there’s nothing for keyloggers to steal.

Turn on BitLocker encryption (30 minutes plus encryption time) – Protects data if devices are stolen. Ransomware groups often steal data first, then threaten to publish it. Encryption makes stolen hardware worthless to attackers.

Configure automatic updates (10 minutes) – Patches vulnerabilities before hackers exploit them. Sophos reports that exploited vulnerabilities are the top ransomware entry point, used in 32% of attacks.

Activate ransomware protection (5 minutes) – Blocks unauthorized apps from encrypting your files. This Windows 11 feature stops most ransomware dead in its tracks.

Switch to Standard user accounts (20 minutes) – Limits damage if malware gets through. Admin accounts give ransomware free rein over your entire system.

These aren’t just nice-to-have features. Insurance companies now check for these specific settings when determining premiums. Skip them, and you might find yourself uninsurable or paying astronomical rates.

Authentication: Your First Line of Defense

Windows 11 security starts at the login screen. Most businesses still rely on passwords alone, which is like locking your front door but leaving the key under the mat.

Image: Windows Hello biometric authentication protecting a business computer

Windows Hello transforms authentication security by eliminating passwords entirely for daily use. Instead of typing characters that malware can capture, you authenticate with something unique to you: your fingerprint, your face, or a PIN that never leaves your device. Here’s why this matters for preventing ransomware attacks: when the BlackCat ransomware group hit Change Healthcare, affecting millions of patient records, they likely started by stealing login credentials.

To enable Windows Hello, navigate to Settings > Accounts > Sign-in options. Choose your preferred method; most modern business laptops support fingerprint readers. If your device lacks biometric hardware, at a minimum, set up a PIN. Unlike passwords, PINs are device-specific and useless to hackers on other machines.

Two-factor authentication on Microsoft accounts adds another critical layer. Microsoft states this blocks 99.9% of automated attacks. When ransomware groups can’t bypass your second authentication factor, they typically move on to easier targets. Enable this through your Microsoft 365 admin center or individual account security settings.

Here’s what many IT consultants won’t tell you: using an Administrator account for daily work is asking for trouble. When ransomware executes with admin privileges, it can disable your antivirus, modify system files, and spread across your network unchecked. Create separate Standard accounts for everyday use. Yes, you’ll occasionally need to enter admin credentials to install software. That minor inconvenience beats explaining to customers why their data is being sold on the dark web.

Core Protection Settings

Windows 11 includes several security features designed specifically to stop ransomware, but they need proper configuration to work effectively.

Device encryption should be your absolute priority. If someone steals your laptop, unencrypted drives hand them everything: customer lists, financial records, and intellectual property. With BitLocker enabled, that stolen laptop becomes an expensive paperweight. Go to Settings > Privacy & security > Device encryption and turn it on. Save your recovery key somewhere secure but separate from the device; many businesses store these in password managers or locked filing cabinets.

A word of caution: I’ve seen companies lose data because they encrypted drives but lost the recovery keys. Treat those keys like you’d treat the combination to your safe.

Windows Firewall acts as your network bouncer, blocking unauthorized connections. Check Settings > Privacy & security > Windows Security > Firewall & network protection. All three profiles (Domain, Private, Public) should show green checkmarks. If not, hackers can probe your system for weaknesses.

Remote Desktop remains one of the most exploited Windows features. Unless your IT team has it secured behind a VPN, keep it disabled. Ransomware groups scan the internet for exposed Remote Desktop connections; it’s like leaving a “hack me” sign on your network. Navigate to Settings > System > Remote Desktop and ensure it’s turned off.

Microsoft Defender comes built into Windows 11, and despite what security vendors might claim, it’s remarkably effective when configured properly. In Windows Security settings, verify that real-time protection, cloud-delivered protection, and automatic sample submission are all enabled. Most importantly, turn on Tamper Protection, which prevents ransomware from disabling your antivirus.

Data Protection Configuration

Preventing data loss requires more than just blocking attacks. You need systems that protect your files even if ransomware slips through.

Controlled folder access is Windows 11’s built-in ransomware protection. It prevents unauthorized programs from modifying files in protected folders. Enable it through Windows Security > Virus & threat protection > Ransomware protection. You’ll need to allow legitimate business applications as they try to save files, but this one-time setup provides ongoing protection.

Automatic backup gives you options when ransomware strikes. Whether you use File History to an external drive or sync to OneDrive, automated backups mean you can restore operations without paying a ransom. Configure this through Settings > Update & Security > Backup. Test your restoration process quarterly; backups you can’t restore are just wasted disk space.

Memory integrity, found under Windows Security > Device security > Core isolation, stops sophisticated attacks that try to inject malicious code into Windows processes. Some older software might not play nice with this feature, but for most businesses, the security gain outweighs compatibility issues with outdated programs.

For businesses handling sensitive data, application control through Windows Defender Application Control adds another layer. While more complex to implement, it ensures only approved software runs on your systems, effectively blocking most ransomware from executing.

Implementation Timeline

Don’t try to implement everything at once. Here’s a practical rollout schedule that balances security urgency with operational reality:

Do Today – Truly urgent items that address active threats:

Enable Windows Hello or PIN authentication

Turn on automatic Windows updates

Verify Microsoft Defender is running with tamper protection

Switch daily work to Standard user accounts

Do This Week – Important configurations requiring planning:

Enable BitLocker encryption (schedule for end of day; encryption takes time)

Configure ransomware protection and controlled folder access

Set up automated backups and test restoration

Enable two-factor authentication on all Microsoft accounts

Do This Month – Good practices that reduce risk:

Review and restrict app permissions

Enable memory integrity if compatible

Disable unnecessary Windows features like Remote Desktop

Schedule quarterly security review reminders
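As an added example that is not part of the Adelia Risk checklist, the following PowerShell script audits the settings in the timeline above (firewall profiles, Remote Desktop, Defender and Tamper Protection, controlled folder access, BitLocker, memory integrity, Windows Update) and reports which ones still need attention. It assumes Windows 11 with the built-in Defender, NetSecurity and BitLocker modules and an elevated PowerShell session; it only reads settings and changes nothing, so it is safe to run as a quarterly review step.

```powershell
# Added example: read-only audit of the Windows 11 settings in the checklist above.
# Assumes Windows 11, the built-in Defender/NetSecurity/BitLocker modules, and an
# elevated PowerShell session. Nothing here changes a setting; it only reports PASS/FAIL.

function Test-Windows11SecurityBaseline {
    $results = [System.Collections.Generic.List[object]]::new()

    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Windows Firewall: the Domain, Private and Public profiles must all be on
    foreach ($fw in Get-NetFirewallProfile) {
        Add-Result "Firewall profile: $($fw.Name)" ("$($fw.Enabled)" -eq 'True') "Enabled=$($fw.Enabled)"
    }

    # 2. Remote Desktop: fDenyTSConnections = 1 means incoming RDP is disabled
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    Add-Result 'Remote Desktop disabled' ($rdp.fDenyTSConnections -eq 1) "fDenyTSConnections=$($rdp.fDenyTSConnections)"

    # 3. Microsoft Defender: real-time, cloud-delivered protection, sample submission, tamper protection
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    Add-Result 'Defender real-time protection' ([bool]$status.RealTimeProtectionEnabled) "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)"
    # MAPSReporting: 0 = off, 1 = basic, 2 = advanced
    Add-Result 'Defender cloud-delivered protection' ($pref.MAPSReporting -gt 0) "MAPSReporting=$($pref.MAPSReporting)"
    # SubmitSamplesConsent: 1 = send safe samples automatically, 3 = send all samples automatically
    Add-Result 'Defender automatic sample submission' ($pref.SubmitSamplesConsent -in 1, 3) "SubmitSamplesConsent=$($pref.SubmitSamplesConsent)"
    Add-Result 'Defender Tamper Protection' ([bool]$status.IsTamperProtected) "IsTamperProtected=$($status.IsTamperProtected)"

    # 4. Controlled folder access: 1 = block mode (2 = audit only, which logs but does not protect files)
    Add-Result 'Controlled folder access (block mode)' ($pref.EnableControlledFolderAccess -eq 1) "EnableControlledFolderAccess=$($pref.EnableControlledFolderAccess)"

    # 5. BitLocker on the system drive: protection on and encryption finished (not still in progress)
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bitlockerOk = ("$($os.ProtectionStatus)" -eq 'On') -and ("$($os.VolumeStatus)" -eq 'FullyEncrypted')
    Add-Result 'BitLocker on system drive' $bitlockerOk "ProtectionStatus=$($os.ProtectionStatus) VolumeStatus=$($os.VolumeStatus)"

    # 6. Memory integrity (HVCI): code 2 in SecurityServicesRunning means it is active
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    Add-Result 'Memory integrity (core isolation) running' (@($dg.SecurityServicesRunning) -contains 2) "SecurityServicesRunning=$(@($dg.SecurityServicesRunning) -join ',')"

    # 7. Windows Update: the service must not be disabled, or automatic updates cannot run
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    Add-Result 'Windows Update service not disabled' ("$($wu.StartType)" -ne 'Disabled') "StartType=$($wu.StartType)"

    return $results
}

# Print the report with failures first so the items needing attention are at the top
$report = Test-Windows11SecurityBaseline
$report | Sort-Object Pass | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($report.Count) checks need attention."
```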

When Professional Help Makes Sense

Windows 11 security settings provide solid protection, but they’re just one piece of comprehensive cybersecurity. You might need professional assistance when facing cybersecurity insurance requirements, industry compliance standards, or if you’re managing more than 20 computers.

Businesses in regulated industries (healthcare, financial services, and legal) often discover that Windows security alone won’t meet compliance requirements. HIPAA, for instance, requires risk assessments, employee training, and documented security policies beyond technical controls.

When you’re handling credit card data, protected health information, or managing substantial customer records, the stakes justify professional security services. A Virtual CISO service can provide ongoing security management, vulnerability scanning, employee security training, and incident response planning that goes beyond Windows configuration.

Your Windows 11 Security Checklist

Getting Windows 11 security right doesn’t require an IT degree, but it does require attention to detail. Start with the priority actions: Windows Hello, encryption, and ransomware protection. These block the most common attack vectors.

Remember that 66% of organizations were hit by ransomware last year. The question isn’t whether someone will try to attack your business, but whether your Windows 11 security settings will stop them when they do.

Download our complete Windows 11 Security Checklist with step-by-step instructions for each setting. It includes screenshots, troubleshooting tips, and quarterly review reminders to keep your protection current. Your business computer security depends on taking action today, not after an attack.

The businesses that avoid becoming ransomware statistics aren’t necessarily the ones with the biggest IT budgets. They’re the ones that took the time to configure the security features already built into Windows 11. Which group will you be in?

]]>
RIA Cybersecurity Policy Checklist https://adeliarisk.com/ria-cybersecurity-policy-checklist/ Wed, 06 Nov 2024 23:00:41 +0000 https://adeliarisk.com/?p=11823 RIAs commonly ask us for an “RIA cybersecurity policy template.” Since wealth management firms vary so widely, we’ve found that it’s challenging to create a one-size-fits-all template.

Instead, we offer this Cybersecurity Policy Checklist for RIAs. This is designed to help you figure out what kinds of questions you need to answer in order to have an Information Security policy that both keeps you safe and would satisfy an auditor from the SEC.

Please note that some firms break some of the following cybersecurity policies into separate documents, and some prefer to keep them in a single document. Feel free to adjust the format based on what makes the most sense for your firm.

For personalized support and expert advice, reach out and schedule a consultation. We’re here to help.


1. Introduction and Overview

We typically open the RIA cybersecurity policy with an overview of the firm, the scope of the policy, the applicable regulations (which your lawyer can help you determine), and the sanctions for employees that don’t follow the policy.

1.1 Purpose and Scope

  • What specific business activities and assets does this policy cover?
  • Which specific regulatory requirements must the policy address (e.g., SEC, FINRA, NYDFS, other state laws)?
  • Who is subject to this policy (employees, contractors, vendors, etc.)?

1.2 Policy Management and Enforcement

  • Who has ultimate responsibility for the policy (typically CEO, CFO, COO)? And is the day-to-day work delegated to anyone (typically CCO, IT Director, etc.)? This should be an employee.
  • How often must the policy be reviewed and updated?
  • What is the process for communicating policy updates?

1.3 Regulatory Framework

  • Which specific SEC regulations does this policy address?
  • What state privacy laws apply to the firm’s operations?
  • How does the policy ensure FINRA compliance?
  • Do any privacy regulations like GDPR or CCPA apply to your firm?
  • What documentation is required to demonstrate compliance?

1.4 Enforcement and Disciplinary Actions

  • What constitutes a policy violation, and what are examples?
  • How are violations reported and investigated (e.g., named person, whistleblower, etc.)?
  • What is the escalation process for serious violations (typically ranging from warnings to termination)?

2. Data Classification and Handling

In this section of the RIA cybersecurity policy, we define what “crown jewels” the firm handles, where they’re stored, and the rules for where sensitive data can and can’t be stored.

2.1 Data Classification

  • What kinds of sensitive data does the firm have (e.g., account numbers, social security, driver’s license, etc.)?
  • Where is sensitive data allowed to be stored?
  • Where is it NOT allowed to be stored?
  • Who is allowed to access it?
  • Is sensitive data tagged or flagged in any way and, if so, how?

2.2 Data Storage and Transmission

  • Where can different types of data be stored (sensitive and otherwise)?
  • Where should sensitive data NEVER be stored?
  • How can sensitive data be transmitted internally and to external parties? What security and encryption requirements exist?

2.3 Data Retention and Disposal

  • How long must different types of data be retained?
  • What are approved methods for data disposal, and specifically destruction of media that contained sensitive data?
  • How is data destruction verified?
  • What documentation is required for data disposal?

3. Roles and Responsibilities

This section of the policy spells out the key responsibilities for the security program for all levels of the firm.

3.1 Executive Management / Board of Directors

  • How do executive management and/or the Board of Directors receive reports on the firm’s security program?
  • What metrics are shared?
  • How often are security briefings provided?
  • Who is required to participate?

3.2 Security Team

  • What are the CISO’s responsibilities?
  • Who comprises the security team, both employees and external vendors?
  • What security metrics are tracked?

PRO TIP: We find it’s helpful to build a security compliance calendar for the CISO of weekly, monthly, quarterly, and annual tasks as part of the policy.

3.3 Employee Responsibilities

  • What are general staff security duties (e.g., some companies have their employees leave computers turned on a day a week to receive patches)?
  • What trainings are employees required to participate in?
  • How should they report suspected incidents?
  • How should they report suspected phishing attempts?

4. Access Control and Authentication

In this section of the RIA cybersecurity policy, we describe who decides which employees can access which data, and what kind of password and MFA requirements are involved. We also define who has administrative/privileged access.

4.1 Access Management

  • For the systems that house sensitive data described back in section 2, how is employee access granted and revoked?
  • What is the process for requesting access changes? Who approves them (typically compliance), and who implements them (typically I.T.)?
  • How are access rights reviewed?
  • What access documentation is maintained?
  • What process is followed when new employees are hired?
  • What process is followed when employees are terminated or quit?
  • Is the process different if it’s a “bad” termination?

4.2 Authentication Standards

  • What are password requirements for your systems?
  • How is multi-factor authentication implemented, and what type?
  • What are lockout requirements on inactivity? Shorter is better!
  • What are lockout requirements for multiple failed password attempts?
  • Who is monitoring for frequent failed logins, and how?

4.3 Privileged Access

  • Who can have administrative access? This question applies both to your staff and your outsourced vendors, and should be VERY limited.
  • How is privileged access monitored and controlled?
  • What extra controls exist for privileged accounts?
  • How often is privileged access reviewed?

5. Network and System Security

This section of the policy describes technical measures that protect your network, computers, mobile devices, and remote connections.

5.1 Asset Management

  • How and where are assets (computers, mobile devices, network equipment, etc.) tracked, and by whom?
  • How often is the asset inventory updated? It’s preferable to do this automatically, but at a minimum it should be done annually.
  • What process is followed to buy and configure new assets?
  • What process is followed to decommission and dispose of old assets?
  • What process is followed when assigning old assets to new people?

5.2 Network Protection

  • What network security controls are required (e.g., firewalls, SASE)?
  • How is network access controlled?
  • What network monitoring exists?
  • How are network changes managed (requests, approvals, and changes)?

5.3 Computer Security

  • What security tools are required to be on all computers?
  • How and how often is the inventory of computers and the list of security tools reconciled to make sure there are no gaps?
  • How are security patches managed, and by whom?
  • What are the SLAs for applying security patches, based on the risk level?
  • Are you following any computer hardening standards (like Microsoft or CIS) and, if so, who is responsible for implementing?
  • How are computers monitored for security issues, and by whom?

5.4 Encryption Requirements

  • When is encryption required?
  • What encryption standards are used?
  • How are encryption keys managed?
  • How is encryption verified?

5.5 Email Security

  • Are employees allowed to email sensitive data and, if so, how is email encryption implemented?
  • Are employees allowed to receive and store sensitive data in their email?
  • What measures to prevent email spoofing (SPF, DKIM, and DMARC) are in place?
  • What email monitoring exists?

5.6 Mobile Device Management

  • What mobile devices are permitted? Do you only allow company-owned phones, personal phones, or a mix?
  • What security controls are required?
  • How are mobile devices monitored and managed?
  • How are new mobile devices approved, and by whom?
  • What happens if devices are lost or stolen? What should users do, and what should I.T. do?
  • Are there any minimum configuration standards (e.g., passcode length, encryption, patching) that must be applied to mobile devices before they can access work systems?

5.7 Cloud Security

  • What cloud services are used to store or process sensitive data?
  • What kind of MFA is used for each?
  • How and how often are their security settings reviewed?
  • How are they monitored for security issues, and who responds to alerts about suspicious activity?
  • How does each manage encryption?
  • How is the security of each cloud vendor evaluated before making the decision to work with them?
  • Where are you storing any security notifications or incident notices received from cloud vendors?

PRO TIP: It’s critical to include your cloud applications in the access control reviews described above.

5.8 Remote Access Controls

  • Who is allowed to request remote access, how is it approved, and who implements it?
  • What security is in place for secure remote access?
  • How is remote access monitored?
  • What external vendors are allowed remote access (e.g., I.T. company, HVAC company)?

5.9 Wi-Fi

  • Are there any restrictions on use of office Wi-Fi?
  • How are employees trained on keeping their Wi-Fi safe at home?
  • Will the firm pay for home-office Wi-Fi access points that are securely managed by I.T.?


6. Incident Management

This section of the RIA cybersecurity policy is usually fairly long. It spells out who does what during cybersecurity incidents, and also steps that the firm will take to prepare for and lessen the impact of incidents. This article on our site points to helpful templates.

6.1 Incident Response Plan

  • What is the definition of a security incident?
  • What are common examples of security incidents?
  • What is the escalation process that should be followed if a security incident is suspected?
  • Who is on the team that will convene to evaluate and respond to the incident, including both employees and vendors?
  • How can these team members be contacted if the security incident affects your email, chat, etc.?
  • Who is responsible for documenting the incident, and where are the reports and evidence stored?
  • Who has the authority to engage outside experts like cybersecurity insurance, legal counsel, digital forensics, etc.?
  • Who will make the decision about notifying outside parties (clients, partners, vendors) about an incident?
  • What is the order of operations for handling the incident? For example, the safety of employees is probably the highest priority, while the post-incident debrief is probably one of the last things you will do.
  • What happens if someone unauthorized joins a video call (like Zoom or Teams)?
  • What happens if you’re attacked by a Denial of Service attack?
  • Vendor-related incidents should be tracked and logged like internal incidents.

6.2 Business Continuity

  • For each core system, how are backups managed?
  • Are backups encrypted, and is access to them very limited? If so, who has access?
  • Are backups kept in a place that’s disconnected from your corporate network, to protect against ransomware?
  • Who is allowed to declare a “disaster” or “business continuity” event, and in what order are people called?
  • How and how often is your business continuity plan tested? It should be tested at least once a year.
  • If your main work area is not available due to a disaster, where are people meant to work? And what protocols are in place to make sure that the security in the new location is the same as in the old location?
  • How often are tabletop exercises performed, and how? They should be held at least annually.

7. Security Awareness

In this section of the RIA cybersecurity policy, define how you train your team to follow good security practices.

7.1 Training Program

  • What security training is required, and how often?
  • How is training effectiveness measured?
  • How are new employees trained upon joining the firm?
  • What training records are maintained?
  • How is completion tracked?

7.2 Security Awareness

  • Who is responsible for sending security updates out to staff, and how often?
  • As a firm, do you want to send cybersecurity updates out to clients? If so, how often?

7.3 Social Engineering Tests

  • How and how often are phishing tests sent to employees?
  • Are other social engineering tests (like QR codes, SMSishing, Vishing, etc.) sent to employees?
  • What failure rate metrics are you targeting?
  • What process will you follow when employees fail social engineering tests?

8. Third Party Vendor Risk

This part of the RIA cybersecurity policy describes how you onboard new vendors, and how you make sure that your existing vendors are protecting your firm’s data properly.

8.1 Vendor Inventory

  • Where is the vendor inventory stored?
  • Who updates it, and how often?
  • For each cloud vendor, what kind of MFA is used?
  • What kind of data is handled by each vendor?
  • What is the risk rating of each vendor?
  • Does the inventory list both current and terminated vendors, with contract and termination dates?

The SEC expects to see both current and terminated vendors. How is the vendor inventory maintained?

8.2 Vendor Security Risk Assessment

  • How do you assess each vendor for cybersecurity risk and how often? Should be done at least annually.
  • How do you assess new vendors for cybersecurity risk? Should be done before any contracts are signed.
  • What documentation is required from each vendor for the security reviews?
  • What contract stipulations should you put in your vendor or subcontractor agreements related to cybersecurity?

8.3 Cloud Vendor Security

Although cloud security is already covered in section 5.7 above, it bears repeating here: most breaches these days come from misconfigured cloud systems (like Microsoft 365 and Google Workspace).

We want to reiterate that it’s urgent to properly configure the security of these cloud systems.

9. Funds Transfer Security

For this section of the RIA cybersecurity policy, we want to document the controls that are in place to protect both client funds and the firm’s funds.

9.1 Client Account Access

  • How are client accounts protected, and what authentication is required?
  • Are clients using MFA? If not, should they be encouraged to?
  • Who is monitoring client account access for suspicious activity?
  • What processes are in place to identify suspicious funds transfers?
  • What is the funds transfer request process?

9.2 Firm Transaction Security

  • How are requests for payment verified? Remember, attackers may have access to your vendors’ emails.
  • Is MFA required to initiate electronic payments like ACH or wire?
  • Have you set up your online banking to require multiple approvals for large, outbound payments?
  • Have you set up alerting notifications for large, outbound payments?
  • Have you set transaction limits for ACH and wire payments?
  • Have you talked to your bank about other fraud and security measures that they offer?

10. Physical Security

In this section of the RIA cybersecurity policy, we want to describe what keeps your firm physically safe, both in the office and at home.

  • How do you control who can access your offices?
  • How are visitors signed in, and are they escorted?
  • How are unmonitored contractors (like cleaning staff) vetted before being allowed unescorted access to your offices?
  • Is any monitoring in place, like cameras or alarms?
  • Are there any security concerns related to Internet-of-Things smart devices like cameras, alarms, thermostats, etc.?
  • Should employees follow any security standards at home, like locking offices, locking computers, shredding paper, etc.?
  • How is paper shredding handled in the office?

11. Cybersecurity Documentation and Validation

In this section of the RIA cybersecurity policy, we want to define how we know that your cybersecurity is working, and how to handle exceptions.

11.1 Cybersecurity Program Documentation

  • Where is your cybersecurity policy stored in a way that all employees can access it?
  • Where is your business continuity policy stored in a way that it’s available if your systems are down?
  • Where is your cybersecurity insurance policy stored in a way that hackers can’t access it if they breach your systems?
  • Rather than the whole policy, do you have an employee-facing summary that is more directly related to their job? If so, where is it stored?

11.2 Exception Management

  • If an employee doesn’t want to or can’t follow your policy, how do they request an exception?
  • Who approves the exception, and where is it logged?
  • How often are exceptions reviewed?

11.3 Cybersecurity Assessments and Audits

  • Who is validating that your Information Security is effective, and how often? This is another part of our vCISO service.
  • Who is performing an annual security risk assessment and reviewing it with your leadership team?
  • How often are you performing penetration tests to see what an external attacker sees?
  • How often are you performing vulnerability scans to find missing security patches?

12. Acceptable Use

In this section of the RIA cybersecurity policy, we’ll spell out what employees are allowed and not allowed to do.

  • Are employees allowed to use work computers for personal use?
  • What about the work Internet or Wi-Fi?
  • Are employees allowed to try to bypass the firm’s security tools?
  • Do employees have any right to privacy on work systems?
  • Are employees allowed to download and install their own software?
  • Are there types of inappropriate behavior that employees should never engage in, such as pornography, gambling, off-color humor, etc.?
  • What are the consequences of violation?

13. Removable Storage Devices

This part of the RIA cybersecurity policy defines how the company manages removable storage devices like USB drives, thumb drives, CDs, DVDs, etc.

  • Are removable devices allowed? If so, what kinds?
  • Are employees permitted to use any removable devices, or only those provided by the company?
  • Are the removable drives protected by encryption?
  • Are employees urged to never plug untrusted removable devices into their computer?
  • If removable devices are not allowed, what technical measures are in place to block them?

14. Data Loss Prevention

In this section of the RIA cybersecurity policy, we’ll define the methods we use to detect sensitive data leaving the company. This applies to both employees who may look to steal data or hackers who take over the accounts of your employees.

  • How will you be alerted if sensitive data is sent outside the company via email?
  • How will you be alerted if sensitive data is sent outside the company through an external file share (e.g., SharePoint, OneDrive, Google Drive)?
  • How will you be alerted if sensitive data leaves through chat (like Teams, Slack, etc.)?
  • Are you happy just to be alerted when this happens, or do you want to block it when it happens?
  • What is the process you will use to investigate alerts about data leaving?

15. Application Security

PLEASE NOTE: This section of the RIA cybersecurity policy only applies to your company if you’re developing software, paying vendors to develop custom software, or using Infrastructure as a Service (IaaS) vendors like Amazon Web Services, Google Cloud Platform, or Microsoft Azure.

  • If the application is Internet-facing, what penetration tests are performed to validate there are no security issues?
  • What tools are in place to scan for security issues in the source code that your developers are writing?
  • What tools are in place to scan for vulnerabilities in the servers and/or containers that your developers are using to deploy?
  • What tools are in place to scan for security configuration issues at your IaaS vendor (AWS, GCP, Azure)?
  • What processes are in place to confirm that a single developer can’t check in malicious code?
  • What processes or segregation of duties are in place to confirm that a developer can’t steal your data?
  • What logs are being gathered to spot security issues, who is monitoring them, and for what?

Appendices

RIA Cybersecurity Policies will often include references to more detailed documents that are relevant to the cybersecurity policy.

Here’s a list of common appendices:

  • Asset/hardware inventory (updated at least annually)
  • Software inventory (updated at least annually)
  • Network diagram
  • Vendor inventory
  • Data flow diagrams
  • References to any policies or procedures that exist in separate documents
  • Checklists for employee hiring and termination
  • Copies of any forms used by the Information Security program


]]>
MDM Cybersecurity: Protecting Your Mobile Workforce https://adeliarisk.com/mdm-cybersecurity-mobile-device/ Tue, 01 Oct 2024 19:06:01 +0000 https://adeliarisk.com/?p=11453 For businesses with 10 to 300 employees, especially those in regulated sectors like financial services or healthcare, implementing the right mobile security strategy is essential. This article explores MDM cybersecurity, comparing MDM and MAM approaches, and offers practical advice for securing your mobile workforce.

Mobile Security Management Overview

Let’s clarify MDM vs. MAM:

  • Mobile Device Management (MDM) provides comprehensive control over mobile devices in an organization. It typically involves installing software on devices, allowing IT administrators to manage various aspects of device functionality and security.
  • Mobile Application Management (MAM) focuses on securing specific applications rather than entire devices. This approach is often less intrusive and easier to implement, especially for Bring Your Own Device (BYOD) scenarios.

Both MDM and MAM address mobile-specific cyber risks, prevent data breaches, ensure regulatory compliance, and maintain organizational security.

Selecting MAM or MDM for Cybersecurity

When choosing between MAM and MDM, consider these factors:

MAM: The Recommended Option — for most clients of our Virtual CISO Service, MAM is preferable due to its ease of installation and less intrusive nature. It’s particularly suitable when:

  • Remote wipe capabilities aren’t necessary for the entire phone, but just for corporate data
  • You’re targeting specific business applications, most commonly tools like Outlook, SharePoint, Gmail, etc.
  • You have a BYOD policy and prioritize employee privacy

MDM: For Comprehensive Control — MDM becomes necessary when you need:

  • Remote FULL wipe for lost or stolen devices
  • Complete device settings and configuration control
  • To meet strict compliance requirements

For Microsoft 365 users, Intune is a versatile solution supporting both MDM and MAM functionalities. It’s particularly useful for implementing Conditional Access policies, which can block email downloads to native mail apps and ensure only protected apps access corporate data.

For Google Workspace users, MDM and MAM features are built right into the product.

Key Mobile Security Features

Look for these essential features in MAM or MDM solutions:

  1. Device Encryption: Protect all devices to safeguard data if lost or stolen.
  2. Strong Password Policies: Require complex passwords or PINs. For mobile devices, mandate at least six characters, with FaceID and thumbprint as acceptable alternatives.
  3. Operating System Control: Limit OS versions, typically supporting the current release and one previous version.
  4. Remote Lock and Wipe: For MDM solutions, include the ability to remotely lock or wipe devices when necessary.
  5. App Management: Control app installation and interaction with corporate data.
  6. Conditional Access: Restrict corporate resource access based on device status and user identity.

MDM Cybersecurity for SMBs

Implement mobile security in your small or medium-sized business with this approach:

  1. Evaluate Your Requirements: Consider your industry, regulations, and workforce habits.
  2. Select Your Method: Choose between MAM and MDM based on your assessment. Remember, MAM is often sufficient and less intrusive for many scenarios.
  3. Pick a Solution: For Microsoft 365 users, Intune is a solid choice as it supports both MAM and MDM cybersecurity. Other vendors offer tailored solutions for different needs and budgets.
  4. Plan Implementation: Develop a phased rollout, starting with critical applications or high-risk users.
  5. Train Your Staff: Educate employees on new policies and procedures for smooth adoption.

Mobile Security Best Practices

Enhance your mobile security with these practices:

  1. Use Strong Passwords: Require at least six characters for mobile devices, with complexity rules. Allow FaceID and thumbprint as alternatives.
  2. Prevent Jailbroken/Rooted Devices: Block these vulnerable devices from accessing corporate resources.
  3. Require Encryption: Ensure all devices accessing company data are encrypted.
  4. Review Policies Regularly: Update your policies to address new threats.
  5. Monitor and Report: Use your MAM or MDM cybersecurity solution’s reporting features to track compliance and identify issues.

Challenges to Consider

Be aware of these potential hurdles:

  • BYOD Policies: Balance security needs with employee privacy. MAM often provides a good middle ground.
  • Compliance in BYOD Scenarios: Implementing strict controls like NIST 800-171 on personal devices can be challenging and may raise privacy concerns. For handling sensitive data or meeting stringent compliance requirements like NIST 800-171, consider providing company-owned devices.
  • User Resistance: Some employees may resist perceived intrusive controls. Clear communication about security measure importance can help.
  • Threat Landscape: Mobile threats evolve quickly. Regular training and policy updates are key.

Compliance and Regulations

For many businesses, compliance drives mobile security decisions:

  • SEC Guidance: The Securities and Exchange Commission stresses the need for mobile device controls, particularly in financial services.
  • SOC2 Compliance: Service organizations often need to demonstrate robust mobile security measures. This includes mandating encryption, blocking jailbroken devices, and requiring strong passwords.
  • NIST 800-171: Government contractors may need stringent controls to protect Controlled Unclassified Information (CUI). Full implementation on personal devices can be challenging, so company-owned devices might be more practical for these scenarios.

Platform-Specific Approaches


Different mobile platforms require tailored strategies:

  • iOS Devices: Apple’s built-in security features simplify management, but MDM cybersecurity remains crucial for enforcing corporate policies. While Apple’s iCloud site offers some features similar to MDM, we still highly recommend that companies implement a solution they control.
  • Android Devices: The open nature of Android requires more active management. Google’s Device Policy App is essential for enforcing MDM cybersecurity policies on Android devices. This app should prompt for installation when syncing a Google account.
  • Windows and Mac Laptops: These devices often contain sensitive data and require robust MDM solutions with features like BitLocker for Windows and FileVault for Macs.

Closing Thoughts

Whether you opt for MAM or MDM, implement a solution that fits your needs, meets regulations, and protects your data. For many organizations, MAM provides a good balance of security and user privacy, especially in BYOD scenarios. However, when remote wipe capabilities or stringent compliance requirements are necessary, MDM cybersecurity becomes essential.

Remember that mobile security requires ongoing attention. Regular reviews, updates, and employee training maintain a strong security posture.

By proactively addressing mobile security, you protect your data and safeguard your business’s future. Take time to assess your needs, choose the right solution (whether it’s MAM, MDM, or a combination using a tool like Intune), and implement strong mobile security practices. Your business will benefit from enhanced protection and peace of mind.

If you’re unsure about which approach is best for your organization, or if you need help implementing and managing your mobile security strategy, consider reaching out to a team of experts. At Adelia Risk, we offer Virtual CISO services that can guide you through every step of this process, from initial assessment to ongoing management and compliance.

]]>
8 Cybersecurity Contract Clauses for Small Contractors https://adeliarisk.com/cybersecurity-contract-clauses-for-small-contractors/ Fri, 27 Sep 2024 19:30:29 +0000 https://adeliarisk.com/?p=11443

One of the most common challenges we see for clients of our Virtual CISO service is how to manage the risk of using freelancers and small contracting firms.

The use of freelancers and contractors is very common, especially in areas with specialized skills. We commonly see them in the form of CRM experts, financial experts, I.T. experts, and even cybersecurity experts!

Contractors Can Be Frustrating (from a Cybersecurity Perspective)

These relationships can be frustrating for our vCISO service clients. These small firms are often too small to be put through a formal “third party vendor risk” survey process. Honestly, they’d probably fail if we tried.

At the same time, these smaller contracting firms are often very independent and maintain their own systems and processes. This makes it difficult to ensure they’re doing all the right things to protect your data and your business.

We think a strong tool in this discussion is the contract you have in place with your freelancers and contractors. Adding cybersecurity contract clauses gives you the opportunity to set clear expectations without being too prescriptive.

Why Add Cybersecurity Contract Clauses?

Three reasons, really:

  1. They clearly communicate your expectations for what security measures your freelancers will have in place.
  2. They set the stage for clear communication on both sides of the relationship.
  3. They help you to ensure that your business information is being properly handled.

Let’s cover some key clauses that we think you may want to add.

Essential Cybersecurity Contract Clauses

(1) Data Protection and Confidentiality

This clause should clearly state what information is considered confidential, where it is stored, and how the contractor should handle it. For example:

“Contractor agrees that all data housed in Salesforce.com is confidential and will not share, sell, or use this data for any purpose other than fulfilling the contract.”

(2) Minimum Security Standards

Spell out the basic security measures you expect. Consider including specific requirements like:

  • Up-to-date antivirus software, preferably Endpoint Detection & Response (EDR)
  • Firewalls (either software or hardware)
  • Encryption enabled on any computers they use
  • Encryption for any services or sites they use for transferring data

Go through your own Information Security policy and you might see a few other ideas.
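The “encryption enabled on any computers they use” requirement (and the BitLocker/FileVault point in the MDM article above) is only useful if you can verify it during an audit or attestation. Below is an added example of such a check; it is not Adelia Risk’s code or part of any contract template. It parses the output of the operating systems’ own tools, `manage-bde -status` on Windows and `fdesetup status` on macOS, and treats a BitLocker volume as compliant only when it is both fully encrypted and has protection turned on (a suspended BitLocker volume reports “Fully Encrypted” but “Protection Off” and is still readable without a key). The sample tool output embedded in the block is constructed to mirror the real format, so the parsers can be exercised without running the tools.

```python
"""Verify full-disk encryption on a laptop (added example, not Adelia Risk code).

Parses the output of the OS-native tools:
  * Windows: `manage-bde -status` (BitLocker)
  * macOS:   `fdesetup status`    (FileVault)
The parsers are pure functions so they can be exercised on captured output;
check_disk_encryption() runs the right tool for the current platform.
"""
import platform
import re
import subprocess


def parse_bitlocker_status(text: str) -> dict:
    """Return {volume_letter: compliant} parsed from `manage-bde -status` output.

    A volume counts as compliant only when conversion is finished AND the
    protectors are active; 'Fully Encrypted' with 'Protection Off' means
    BitLocker is suspended and the clear key is stored on disk.
    """
    volumes = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"^Volume ([A-Z]:)", line.strip())
        if head:
            current = head.group(1)
            volumes[current] = {"conversion": None, "protection": None}
            continue
        if current is None:
            continue
        conv = re.match(r"^\s*Conversion Status:\s*(.+?)\s*$", line)
        if conv:
            volumes[current]["conversion"] = conv.group(1)
        prot = re.match(r"^\s*Protection Status:\s*(.+?)\s*$", line)
        if prot:
            volumes[current]["protection"] = prot.group(1)
    return {
        vol: (v["conversion"] == "Fully Encrypted" and v["protection"] == "Protection On")
        for vol, v in volumes.items()
    }


def parse_filevault_status(text: str) -> bool:
    """Return True when `fdesetup status` reports 'FileVault is On.'"""
    return re.search(r"FileVault is On\.", text) is not None


def check_disk_encryption() -> dict:
    """Run the platform's native tool and return the parsed result."""
    system = platform.system()
    if system == "Windows":
        out = subprocess.run(["manage-bde", "-status"], capture_output=True,
                             text=True, check=False).stdout
        return {"platform": "windows", "volumes": parse_bitlocker_status(out)}
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True,
                             text=True, check=False).stdout
        return {"platform": "macos", "filevault_on": parse_filevault_status(out)}
    return {"platform": system.lower(), "error": "no native FDE check implemented"}


# Constructed sample modelled on real `manage-bde -status` output: C: is
# encrypted but suspended (Protection Off), D: is fully protected.
SAMPLE_BITLOCKER = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 500.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        Password
"""

if __name__ == "__main__":
    print("sample parse:", parse_bitlocker_status(SAMPLE_BITLOCKER))
    print("this machine:", check_disk_encryption())
```

Running the module on a Windows laptop prints one compliant/non-compliant flag per volume; on a Mac it prints whether FileVault is on. The parsed sample shows why both fields are needed: `C:` comes back as non-compliant even though it reads “Fully Encrypted”.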

(3) Password and Access Management

Strong, unique passwords and MFA are a must! Consider a clause like:

“Contractor will use strong, unique passwords for all accounts related to client work and will enable multi-factor authentication (MFA) for all accounts used for client work.”

(4) Incident Reporting

If something goes wrong, you need to know fast. Try a clause like this:

“Contractor will report any suspected or confirmed data breaches to the client within 48 hours of discovery.”

(5) Right to Audit

It’s good to trust, but even better to verify. Include a clause that lets you check up on your contractor’s security practices, like this:

“Client reserves the right to conduct security audits or request security attestations from the contractor with reasonable notice.”

Even if you decide not to exercise this right, having it in the contract ensures that you have the option to verify compliance if needed.

(6) Data Handling and Storage

Be clear about where and how your data should be stored:

“Contractor will only store client data on approved, secure devices and will not use public cloud storage without prior written approval.”

(7) Training and Awareness


Help your contractors help you by requiring some basic training:

“Contractor agrees to complete annual cybersecurity awareness training provided or approved by the client.”

(8) Background Checks

We recommend having any new contractors or employees pass a criminal background check:

“Contractor agrees to complete a criminal background check before members of their team are granted access to client data.”

Making It Work: Implementing Your Clauses

Having great cybersecurity contract clauses is just the start. Here’s how to make them really work:

  • Be clear and specific: Avoid jargon and spell out exactly what you mean.
  • Keep it reasonable: Remember, your contractors are often small businesses. Don’t ask for enterprise-level security if it’s not needed.
  • Offer help: Consider providing resources or tools to help contractors meet your requirements.
  • Stay up to date: Cyber threats evolve, and so should your clauses. Review and update them regularly.
  • Foster a security-minded culture: Encourage open communication about security concerns.

Challenges You Might Face

Implementing these clauses isn’t always smooth sailing. Here are some bumps you might hit:

  • Pushback from contractors: Some might see these clauses as too demanding.
  • Monitoring compliance: It can be tricky to check if contractors are following through.
  • Keeping up with tech changes: New threats and solutions pop up all the time.

The key is to stay flexible and keep the lines of communication open.

We Are Not Lawyers

Nothing in this article is meant to be legal advice.

A lawyer, especially one experienced with privacy and information security matters, will likely have lots of other suggestions on what to add. Confidentiality and indemnification are two areas that come to mind, and that might have some relevance to what cybersecurity contract clauses end up in your final contract.

Also, it’s important to work with your attorney to determine which cybersecurity and privacy regulations might “flow down” to your contractors. If you work in areas like HIPAA, CMMC, and PCI, there are very specific rules you’ll need to follow.

In Conclusion

To keep your company safe, your cybersecurity program needs to work whether you’re working with large vendors or small vendors. By using smart cybersecurity contract clauses, you can “right-size” your approach to working with vendors who are too small to go through a formal third party vendor risk review.

With these tips and clauses in hand (and after a proper review from your attorney), you’re well on your way to a more secure business relationship with your contractors.

If you’d like help with any aspect of your cybersecurity program, consider meeting with us to discuss our Virtual CISO service.

]]>