Indeed, employees must be able to avoid a variety of cyber assaults, such as emails that are designed to spread malware and phone calls placed by hackers claiming to be technology workers who have legitimate reasons to need access to password-protected data. The bottom line is that a simple human error can result in a cyber breach that can lead to theft of clients’ identities and substantial reputational damage to advisory firms.

With that in mind, advisory firms need to ensure that they have sufficient procedures for employees to follow in order to maintain Internet security. Firms should also ensure that workers are properly trained on procedures for safeguarding data and that security practices are part of a firm’s culture. For small firms, providing such training can be a challenge—especially when considering that many firms lack sufficient security procedures in the first place.

Indeed, a National Cyber Security Alliance study concluded that 69% of small businesses handle sensitive data, yet only 37% provide Internet safety training to employees. Furthermore, just 23% have written procedures for Internet security.

Procedures should cover a variety of employee activities. One obvious step is to require that employees implement strong passwords for their computers and portable devices. The procedures should also specify that employees use encrypted protocols when emailing sensitive data and what actions to take when portable devices are lost. The loss of such devices is a critical issue as some cyber experts estimate that up to 10% of laptops and other portable devices are misplaced each year.

Most firms, of course, have firewalls and other technology that can filter out suspicious emails that may contain malware or may be phishing scams that seek to trick employees into providing passwords or other sensitive information. Yet, employees should still be trained on how to avoid being snared by such scams in the event that nefarious emails make it past firewalls.

Firms’ procedures should also specify how employees should respond upon receiving telephone calls from individuals seeking passwords. Broadly speaking, such requests should be forwarded to technology employees or other workers who have had specific training on verifying the identity of callers before providing password information. Such procedures are crucial as telephone calls don’t have to pass through firewalls. Procedures should also specify the type of Internet security programs that must be in place with firms’ vendors to ensure that business partners don’t become a weak link.

Firms should also implement a variety of practices that will make Internet security an integral part of their culture. For example, when conducting training meetings, firms should seek to generate interest in cyber security by asking their employees about the types of sensitive personal data that they may have on their home computers and the harm that could happen if their computers are hacked.

Firms should also consider producing routine newsletters or emails that discuss cyber threats and what employees can do to maintain data security. Making such communications a routine matter is important because many adults won’t retain information unless they are exposed to it numerous times.

Firms should also consider testing their procedures. One way to do that is to have technology department employees call workers and claim they need individuals’ password so that they can fix their computer. At that point, the technology workers can assess if employees follow the appropriate procedures for ensuring that callers’ identities are appropriately verified.

Tech workers can also draft phishing emails and see which employees fall for the trick. Such practices will increase awareness of cyber scams while also identifying which employees may be the weakest link in a cyber defense program.