2022 Client Award Winner
Impact award winner Pine Advisor Solutions raises cybersecurity awareness
Cybersecurity awareness training has become an integral part of the services Pine Advisor Solutions offers to its clients in the financial services industry
Phishing is the most common initial access method into a network for threat actors, and email compromise is the most common threat faced by enterprises, according to the Kroll Threat Landscape Report. That’s a big reason why Pine Advisor Solutions has prioritized the mission of raising cybersecurity awareness among its client base of financial services customers.
Pine provides institutional-quality outsourced support services to private funds, mutual funds, exempt and registered investment advisers covering Chief Financial Officer (CFO), regulatory compliance, fund/advisor launch and operations. It serves as compliance, financial and operational experts for its customers, allowing them to focus on managing portfolios and growing the business. With so much money being managed by these firms, it became clear that Pine had a duty to help its clients protect their funds by upping their cybersecurity game.
Keeping its customers secure
Pine’s ongoing compliance programs are ingrained with an information security mentality. The company helps its clients develop information security, cybersecurity and disaster recovery policies. Integral to these policies are programs for security awareness training.
“We noticed that many of our clients were not educating users by sending out phishing and cybersecurity training videos,” said JB Blue, managing partner at Pine Advisor Solutions. “Those doing it were sending out material that was not specific to investment managers.”
He partnered with Infosec IQ to fill the gap. Pine began integrating awareness training and doing phishing simulation exercises with its clients. The company understood its clients — their businesses, the banks they use, their administrative practices, their information workflows. They created tailored social engineering and simulated phishing programs specific to each business.
Blue explains how it works: Three simulated phishing emails are sent out over the course of a month. These emails evaluate how employees respond to real-world phishing threats and help raise awareness of the threats each business faces. The following month, three to five short training videos are sent out highlighting certain things to watch out for, trends in phishing traffic and areas users need to improve upon. The training content is not only entertaining and informative but also selected based on what style of video might resonate best with the company’s culture.
“A slow drip of information throughout the year has proven to be better than lengthier annual training, which people tend to forget rapidly,” said Blue. “People know our videos are short, so they are more willing to view them. Once you start asking for an hour of people's time, it gets a little bit harder.”
Phishing simulation is in demand
As ransomware threats intensified in recent months, Pine noticed a surge in demand for phishing simulation and security awareness training. In tandem, the U.S. Securities and Exchange Commission issued guidance on cybersecurity best practices, including training employees to increase their awareness of their cybersecurity responsibilities.
Pine Advisor Solutions typically represents smaller firms, ranging from one to thirty employees. They are often so busy managing financial assets that they lack the resources and time to dedicate to cybersecurity maintenance. Hence, they often turn to managed service providers (MSPs) for support.
“As we didn't see a lot of these firms training and protecting their employees, we decided to incorporate it into our core compliance service,” said Blue. “It’s an enhanced service we provide our clients at no added cost.”
Keeping financial cybersecurity top of mind
While some industries are penalized by downtime or loss of business due to a ransomware attack, financial firms operate constantly with the looming threat of theft. Though small, the firms Pine Advisor Solutions works with manage millions of dollars. If a hacker tricks a user with a phishing email and compromises an account, it can lead to many negative outcomes for the organization and individuals. Imagine a bank wire of $250,000 being diverted by a cybercriminal to the wrong account. Simulated phishing campaigns and security awareness training keep cybersecurity top of mind and serve to minimize the chances of a cyberattack.
“Everyone thinks that they aren't ever going to click on a malicious email or enter their username and password into a malicious web page or attachment,” said Blue. “But the reality is that in the heat of the moment and when time is short, many fall prey to phishing scams.”
Achieving email vigilance
The tailored Infosec IQ campaigns that Pine Advisor Solutions offers provide clients with data such as the number of times employees clicked on a fake phishing message and what types of phishing emails received the most clicks. The company can show how the campaign is going and demonstrate improvement in employee cybersecurity awareness over time. Blue said he sees positive results based on the number of emails he receives from clients asking if a particular message is real or fake.
“The better we do to make people extra observant over their email, the better success will be,” he said. “Everyone seems to appreciate the program and understand its importance.”
Over the next 12 months, Pine Advisor Solutions plans to increase the number of clients it reaches with monthly training. Pine will continue to provide Infosec IQ as a free added-value service to its clients to raise awareness about the importance of security awareness training.
The company plans to add further customization for its clients, currently taking advantage of the Infosec IQ videos and phishing simulation tools. For example, during March Madness, it created fake emails using March Madness subject lines to educate learners about timely, targeted phishing attack examples.
Based on this important work in building a culture of security across its client base, Pine Advisor Solutions is a deserving winner of Infosec’s Impact Award.