3 Tips for Improving Cybersecurity in Advice Firms
By Karen Stephens // Bcyber
Traditionally, small and medium financial advice businesses have been left behind when it comes to cybersecurity. They’re considered too small by the big consultants, or they’re unable to afford the measures or staff available to big businesses. Yet these advice businesses are the gatekeepers to the two true loves of the cybercriminal — large amounts of client money and information. If you haven’t yet been asked about the strength of your cybersecurity defence by a client, it is only a matter of time, and you need to be ready.
The opportunities for cybercriminals are greater than ever before, as working from home has become the new norm, and the stakes are higher than ever — the 2020 IBM Cost of a Data Breach Report put the average cost of an Australian data breach at $2.15M USD, and in the U.S. this increases to $8.64M USD.
Working on the assumptions that you want to be ready when your clients ask about your cybersecurity plans and that you don’t have a spare $2M+ USD lying around, we recommend that you not wait until your firm is compromised to improve security. For a more proactive approach, here are three things an advice business can do today to harden its cybersecurity defence:
1. Evaluate your firm’s cyber risk
Just like your regular client reviews, in order to understand the areas you need to improve in, it’s worthwhile reviewing your overall corporate cyber health. This is often made harder and more complex than it needs to be. For example, if you look at the gold standard Cybersecurity Framework from the US National Institute of Standards and Technology (NIST), you’ll see that it has over 900 unique security controls that encompass 18 control families.
Let’s be honest, no small or medium business is going to do that — you have neither the time, money, nor staff, but that doesn’t mean you shouldn’t do something.
Check out BCyber’s complimentary health check. This health check can be the first step in your cyber journey and provides you with a quick snapshot of where you are at in relation to the NIST framework and the Australian Cyber Security Centre’s Essential 8. It is a quick, pared-back snapshot of around 54 “yes or no” questions that will identify your vulnerabilities. With this, you’ll have your starting point.
Tip: Once you have identified your vulnerabilities, you can make incremental changes to harden your security defence by simply addressing the areas of improvement that have been identified. Becoming harder for the cybercriminal to breach might be enough to encourage them to leave you alone and move onto the next softer target.
2. Establish a technology register
This sounds a bit techie, but it isn’t. It’s just like doing a “fact find” when you are giving financial advice, so you know what the client has in place and can develop a strategy to optimise their financial position. The theory behind an assets register is the same. You put together a list of all assets (aka “devices”) that interact with your business and the internet to better understand your cyber attack surface (i.e. all the spots where cybercriminals can potentially access your business).
Keeping track of what you own, along with each asset’s capabilities, warranty, and update and replacement schedule, should be integral to any IT planning or budgeting. This list may also come in handy when applying for cyber insurance, if you want to hire external IT support, or if you want to gain a better understanding of what your own internal IT team is up to and/or up against (Note: cybersecurity is a business problem and not a technology one, but that’s a discussion for another day).
Once you have the list, you need to review what’s on it and determine whether each item is still needed. After all, you don’t want to be paying for something that you don’t need. Costly legacy devices that are not used by anyone can also leave you with an additional opening for cybercriminals to breach. Once this is done, you’ll know what needs to be protected and you’ll have taken a big step in securing your business.
Tip: A good starting point is a simple list which records all technology assets and their basic details (e.g. device type, brand, model, serial number, software licenses, IP address, warranty details, responsible staff member, purchase and life expectancy dates). And remember, if it interacts with the internet, you should include it. So it’s not just laptops and computers, but also (potentially) printers, photocopiers, servers, business mobile phones, etc.
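To make the register and its review concrete, here is an added example (not BCyber’s tooling and not code from this article) that reads a constructed register laid out in the columns the tip lists and flags the devices the review should question: past their life expectancy, with no responsible staff member, or with no recorded use. The sample rows, the 90-day “unused” threshold and the review date are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample register (fictional devices); columns follow the
# fields the tip above suggests recording, plus a last_seen date.
REGISTER_CSV = """device_type,brand,model,serial,ip_address,responsible_staff,purchase_date,end_of_life,last_seen
laptop,ExampleCo,Book13,SN-0001,10.0.0.21,alice,2022-03-01,2026-03-01,2024-05-30
printer,ExampleCo,LaserJet,SN-0002,10.0.0.50,,2015-06-15,2020-06-15,2023-11-02
server,ExampleCo,Rack1,SN-0003,10.0.0.5,bob,2019-01-10,2024-01-10,2024-05-31
mobile,ExampleCo,Phone7,SN-0004,10.0.0.88,carol,2023-09-01,2026-09-01,
"""


def parse_register(text):
    """Parse CSV text into a list of dicts, converting date columns (blank -> None)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("purchase_date", "end_of_life", "last_seen"):
            row[key] = date.fromisoformat(row[key]) if row[key] else None
        rows.append(row)
    return rows


def review_register(assets, today, unused_days=90):
    """Return {serial: [issues]} for every asset the review should question."""
    findings = {}
    for asset in assets:
        issues = []
        if asset["end_of_life"] and asset["end_of_life"] <= today:
            issues.append("past life expectancy")
        if not asset["responsible_staff"]:
            issues.append("no responsible staff member")
        last_seen = asset["last_seen"]
        if last_seen is None or (today - last_seen).days > unused_days:
            issues.append(f"no recorded use in the last {unused_days} days")
        if issues:
            findings[asset["serial"]] = issues
    return findings


if __name__ == "__main__":
    # Assumed review date so the example is reproducible offline.
    for serial, issues in review_register(parse_register(REGISTER_CSV), date(2024, 6, 1)).items():
        print(serial, "->", "; ".join(issues))
```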
3. Strengthen your human firewall
And I mean that literally.
Your staff are your best first line of defence, but they’re also your weakest link. The days of the annual one-hour cyber training session (and job done!) are long gone. You need to provide your employees (top to bottom) with the tools to identify cybercriminal activity and to know what to do should they be confronted with it. It’s more than just saying “don’t click the link” (although that’s a good start, these days it’s not only links that can release a virus; they can also be embedded in pictures!).
All staff members need to take part in regular training — ideally, monthly. It doesn’t have to cost the earth, but it does have to happen consistently. That way, should the inevitable happen they know what to do. A bland “set and forget” education program might tick the audit box, but it won’t help shore up your defences.
Tip: Not sure about your training program? Here’s a checklist of things you should be doing. If you can’t check all of these off, then your training could be stronger.
1. My staff have monthly training and phishing exercises.
2. We review the monthly training results so we can identify staff that need a “little extra help”.
3. We review our training provider at least triannually (i.e. you see what is out there on offer once every three years).
Cybersecurity is now an all-too-real threat to advice businesses. It’s no longer a matter of ‘if’ a business will be breached, but ‘when’. Making your business cybersecure is a journey which we should all be on, and there’s no reason you can’t begin today. With the tips above, you can better identify your vulnerabilities, track your technology and educate your staff. Each improvement you make gets your business one step ahead, so start on your journey today — you have no time to lose.
>> Need a little help? Book a meeting with BCyber.
About BCyber Pty Ltd
BCyber is a cyber risk mitigation company that works with advice groups to review and harden their cyber risk programs and grow their businesses. We use our own proprietary services and distribute a select number of innovative third-party solutions to strengthen cybersecurity postures. Each of BCyber’s co-founders had over 20 years in financial services before moving into the cybersecurity space. They speak and understand the language of both the advice business and cybersecurity. Supported by the BCyber Chairman – Jack Diamond (a 20-year Board veteran) – the team wants to bring cybersecurity out from the pure tech space into the advice world.
Learn more at bcyber.com