Blog Post

Future Fit Advice
3 MIN READ

Cyber crime: a driver of sleepless nights?

Darren_Smith's avatar
Darren_Smith
Icon for Advisely Board rankAdvisely Board
3 months ago

Running an advice business compliantly and successfully requires the management of lots of moving parts. One of the new kids on the block that is emerging as a genuine threat is cyber related events.

Advice businesses across Australia are all faced with the increased threat of cyber incidents.

Many hold data that is very sensitive about a client’s situation – whether it be health, tax or banking. Despite the increase in automation, there are still emails and files that can compromise a business. Sometimes these can be initiated from a client or a centre of influence and left in the inbox without being archived to a more secure environment.  

We have been conditioned to be more comfortable with limited human interaction in the process and to rely on digital interactions or communications. Working out where and when we maintain identity security, either face-to-face contact or verbal confirmation will become even more important. 

Licensees frequently raise these concerns within practices so that they understand the basic protective measures that can be put in place. Checklists highlighting particular at-risk elements like personal information changes or withdrawal of funds, for example. Or dual-factor authorisations, which are now the norm rather than the exception.

For a number of these, though, common sense and staff diligence remains the best defense. 

Scammers are becoming more sophisticated, and while specialty insurance is available, the significant increase in incidents will likely drive these costs up. 

Better licensees have engaged ongoing training for their teams by external companies in this area and staff are regularly put through fake scenarios to see how many get caught.  A reasonable proportion still get caught by phishing events.

While I am certainly no expert is this space, I have seen situations where businesses have been exposed by an event. When it happens, it can require the complete focus of the practice and this can go on for an extended period – weeks if not months. Cyber insurance providers often engage forensic experts to understand the extent of the intrusion and risk; this is expertise that does not exist within many practices.

A couple of key questions to consider:

  • What protections do you have in place both in terms of policy but also in terms of infrastructure and operational practice?

  • With changes in more digital exchange of information, what additional measures have you put in place?

  • With more staff working remotely, what changes have been put in place?

  • With many back offices being very busy, are processes still followed?

  • If you operate under a licensee, have you fully adopted their policies and practices in this area?

  • If you operate your own license, what policies and practices have you put in place?

  • To what extent have you had this externally reviewed and how often do you get this done?

  • To what extent do you have regular training in this area for your staff, both onshore and offshore, if these services are used?

  • What is your archiving policy when it comes to your email system or network? Could this be done more regularly?

Being cyber-alert is the responsibility of everyone in your business: the board, the leadership team and every team member.  A spotlight on all business operations with this lens is so important. This is an area where you should engage your licensee if you have not already done so. 

If someone is impacted, there is also a reluctance to report and share for a range of reasons. In some cases, there is no choice dependent on the breach of information or incident.

There are three things that I think will start to emerge in this area that you should keep in mind: 

  1. Greater sharing of incidents from insurers to lift awareness.
  2. Mandatory adoption of cyber insurance for every practice, either by regulators or by licensees
  3. Increases in premiums for this cover as well as adoption and validation of IT environments to qualify to participate, which will also lead to increased costs for practices.

If this is not on your radar for 2024, it should be.  

It's also not an area where you can take some initial steps and then decide the work is done. Cybersecurity evolves very quickly and requires constant review.

Updated 2 months ago
Version 6.0

2 Comments

  • DebKent's avatar
    DebKent
    Icon for Advisely Board rankAdvisely Board

    Darren_Smith Cyber security is always a top-of-mind topic for our business, back at the height of Covid with everyone working remotely we engaged an IT consultant well versed in security at that time we implemented a lot of security such as ESET, which is great to protect our emails, BitLocker's on all laptops and PCs and generally ensuring we have good protection, he also educates our staff regularly.  Everything we do now we ensure that we check with our expert before looking at say a piece of software, just recently we were looking at a program to put in place however after extensive investigation we felt uncomfortable putting it on due to potential risks. It can make it hard to implement programs that create efficiencies if the risks out way the benefits.  Running a business and making software decisions is a bit like Covid we know it's out there, do we stop going out?  No! but we understand the risks.  My advice is getting expert advice, so you make informed decisions about your business.

  • fraser-jack's avatar
    fraser-jack
    Icon for Advisely Partner rankAdvisely Partner

    So many great points Darren_Smith  it's definitely not a set-and-forget. Sharing stories, empathising and learning from previous experiences is how we evolve, and cyber security is a quickly evolving space. 

Related Content

Index