Building cyber confidence in professional services firms
Do you take a Band-Aid approach or a structured approach to cyber security? Discover why you need a comprehensive cyber security framework, so you and your team know exactly what to do before, during and after a cyber threat.
How confident are you that you could protect your business against a cyber attack? Incidents are becoming far more common, meaning for most businesses it’s a case of when rather than if.
In Australia, there was a cyber security incident reported every six minutes, on average, during FY 2022-23. And not all incidents are reported. What’s more, financial services firms are 300 times more likely than other companies to be targeted by cyber attacks.
Fraser Jack, Founder of The Cyber Collective, says that most business owners manage their cyber security with what he calls a ‘Band-Aid approach’, which means applying a fix rather than focusing on prevention. He recommends using a structured approach instead.
“A good cyber plan should detail what you’re going to do before, during and after an attack,” Fraser said. “Have a plan for what to do before your business gets attacked, followed by a business continuity or an incident response plan to guide you through it. After an attack, outline the process for getting yourself into a better position and letting your colleagues and stakeholders know what they need to do.”
Fraser has three pillars that he says are essential to get right so you can start building cyber confidence in your business:
1. Set the tech
Fraser’s first pillar, setting the tech, is about understanding where the risks come from and what technology exists to defend your business against them.
“I liken this pillar to plugging every single hole in a sieve,” he said. “None of the steps are that difficult, but there’s a lot of them. Having a structured list will help you go through every item with your tech person so you can make sure everything is set up properly.”
Part of this pillar involves committing resources to cyber security, investigating your supply chain, doing a tech audit, and understanding how your team uses the tech you have in place.
“Knowing how your team uses your tech is a big part of this,” Fraser said. “If they’re unsure how to use it, or they’re not using all the features because they consider it annoying or time consuming, it’s not going to work and it’s not going to help your business or your clients.”
2. Train the team
The second pillar involves making sure you have the right culture and mindset in your business, where every team member is willing to get involved and understands the importance of regular security upgrades and testing.
“For about 90% of the problems and hacks that happen, there’s a human involved,” Fraser said. “It might be because somebody didn’t follow a process, or they made a mistake. The weakest links in any business tend to be the newest team member, and the CEO or business owner who thinks they don’t have to follow the rules like everyone else.”
A huge part of training the team is making sure everyone establishes good habits for setting strong passwords, updating them regularly, and never reusing old passwords. Fraser advises every business owner to lock down their team’s logins using a password manager and multi-factor authentication.
He said, “Getting through security walls and the technology is hard for hackers. The easiest way is to go through the most vulnerable part of the business, which is the humans. Being able to log in on behalf of somebody is a great way for hackers to access business information. They download this information and take anything they can sell on the dark web.”
3. Provide the proof
As we’re seeing from recent court cases, ASIC is no longer lenient towards professional services firms that don’t have proper cyber security measures in place. Fines have increased substantially, and ASIC is not accepting excuses from businesses whose measures fall short.
This is why Fraser’s third pillar is being able to cover yourself from a governance perspective by proving that you’ve done all you can to keep your business safe.
“Providing the proof is important from both a regulatory and compliance perspective, all the way through to having conversations with clients about what you’ve done to protect their data,” Fraser said. “You must be able to report on your plans and prove that you’ve taken reasonable steps, as the regulators call it, to establish and maintain secure practices.”
At a minimum, Fraser recommends having daily backups, multi-factor authentication, disabling macros, setting up firewalls, restricting your admin privileges, staying on top of security patches, and having high quality antivirus protection.
Why cyber liability insurance is essential
Fraser stresses that cyber liability insurance is a must for every professional services firm. For most businesses it will cost less than a few thousand dollars a year, but this is nothing compared to the level of support you’ll receive if something happens.
“Cyber liability insurance acts as both the fire brigade and the rebuilder for your business,” he said. “The insurer will appoint a lawyer to set up and run your incident response team. Your claim will cover forensic IT and accounting costs, public relations and communications to your clients and stakeholders, and all your business expenses, litigation costs and fines. They’ll mop up everything for as long as it takes, which could be several years.”
Treat your clients’ data like diamonds
Fraser’s final word of advice to business owners is to think of their clients’ personal information as something precious and of immense value.
He said, “Treating your clients’ data like a diamond will have a very different effect on the way you behave. For example, when you send personal identifiable information over email, it’s not a safe environment.
You’re taking valuable information and transferring it through a bunch of commercial servers throughout the world. There’s a similar risk with keeping personal client information in your email inbox. You wouldn’t store diamonds in the mailbox at the front of your house. But that’s essentially what you’re doing if you’re not keeping your clients’ data in a safe place.”
Find out more about securing your business and clients against cyber threats at The Cyber Collective.
The information contained in this document is provided by Class Pty Ltd ABN 70 116 8023 058 (Class), which is a subsidiary of HUB24 Limited (HUB24) and is current as at the date of publication. It is factual information only and is not intended to be financial product advice, legal advice or tax advice, and should not be relied upon as such. This information is general in nature and may omit detail that could be significant to your particular circumstances. Accordingly, before acting on any of this information, the viewer should consider the appropriateness of the information having regard to their or their clients’ objectives, financial situation and needs. This information is provided in good faith and derived from sources believed to be accurate and current at the date of publication. The information given in this document is in summary form and does not purport to be complete. While reasonable care has been taken to ensure the information is correct at the time of publishing, superannuation and tax legislation and circumstances can change from time to time. Accordingly, neither Class, nor HUB24 nor any of their related bodies corporate make any representations or warranties as to the completeness or accuracy of the information in this document and none of these entities is liable for any loss arising from reliance on this information, including reliance on information that is no longer current. We recommend that you seek appropriate professional advice before making any financial decisions.