Staff turnover and managers who believe they are exceptions to the rules are the weakest links in a company’s cyber security defense, according to Cyber Collective founder Fraser Jack.
“The weakest links are the new people that start and the CEO that thinks they don’t have to follow the rules, if you think of the bell curve,” Jack said at the Professional Planner Licensee Summit earlier this week in Katoomba.
“The weakest link is definitely new staff that don’t understand the process and you really want to turn those weakest links into your frontline of defense.”
Jack said the culture of the business is important, and it needs to start at the top and trickle down to the support staff.
“What inevitably happens is you’re training the front line who are having ongoing communication with the client,” Jack said.
“What you really want to get to is that point where they’re training their clients how to behave and what to do.”
He added there is a “huge gap” between adviser expectations and the reasons clients may leave a practice.
“If people believe that firm invests in security, they’re less likely to leave than if there’s been no communication between the support staff and the clients,” Jack said.
Jack said planning for cyber-attacks is essential, and businesses should conduct regular “cyber drills” to train staff to instantly respond to them and ensure cyber security remains at the front of their minds.
He explained cyber drills should be sharp, focused, and targeted – and be held over a five- to ten-minute period once a fortnight.
Take it from the top
RI Advice Group CEO Peter Ornsby is well-versed in the issues that can arise from a lack of proper cyber safeguards after the licensee was fined by ASIC last year for having insufficient risk management systems in place.
“As a licensee, you’ve got to have all the controls around it,” he said, adding that the time commitment to ensure advisers’ practices are safeguarded from cyber attacks begins at the board level.
Boards are where “many of the liabilities are had”. Ornsby said they must have a risk framework, because cyber-attacks can happen easily and quickly and “you could be up for millions and millions of dollars”.
“[It seems] the discussion [around cyber security] is becoming more prominent now, which I think is a really good thing for the industry.”
RI Advice’s breach of license obligations for cyber security became a test case for the financial industry.
It resulted in ASIC and the courts dictating that RI Advice must partner with a cyber expert to identify the measures necessary to adequately manage cyber security risks across the firm’s authorised representative network.
“[This] gave the industry some explicit guidelines in terms of what the expectation of the regulator was,” he said.
“Right now, we’re seeing [cyber security] awareness grow and grow.”
Despite this, Ornsby claimed individuals and businesses are still only starting their cyber security journeys at the practice level.
“A lot of people don’t understand the levels you have to go to make sure that their business is fully protected,” he said.
“It’s not just about setting up your practice with [anti-virus software] and so forth. For [RI Advice], it means telling practices exactly how they need to manage vendors, what sort of applications they can use on their hardware, and so forth.”