Facilitated and written by: Lawrence Emm – Better Business Insights Expert: Vincent Tiseo – Goldman Sachs Asset Management
Headline Finding 1:
The topic was introduced by explaining that:
- cyber security is relevant at both a firm and client levels – this is the focus of the discussion
- to establish effective cyber security you need to engage professional specialists – this is outside of today’s brief
Attendees were also interested in understanding:
- how to explain to a client how secure the firm’s systems are and how safe client data are
- how to influence staff to take this issue seriously – especially Appointed Representatives
Headline Finding 2:
Cyber security is a real and growing issue that is not going away. Criminals are becoming more believable, especially, from an adviser’s perspective, in relation to identity theft and fraud.
A potential cyber-attack is like getting older, you cannot avoid it but you can take effective steps to make it better. Even governments recognise that they cannot prevent cyber-attacks (and they have huge resources available to them), but we can all take steps as firms and as individuals to mitigate the success of a cyber-attack.
Headline Finding 3:
Is it right to assume that Windows Defender or other software is doing its job effectively? Yes, we have to make that assumption. In reality, the weakest links in the chain are human. It is what people do, or don’t do, that tends to make a firm or a client vulnerable to attack, for example:
- weak passwords
- failing to log off systems
- sharing passwords and terminals
- accessing non-business or insecure websites via business technology
- using insecure personal technology to access business systems
Headline Finding 4:
Firms need to establish clear policies and protocols and ensure these are routinely and universally adopted by employees and by any third party users such as marketing consultants, representatives, external trainers.
Importantly, once these protocols and policies are established, the two most effective steps to prevent or reduce the likelihood of a cyber-attack are education and training for employees (and third parties who support the business) and education for clients. Although it is recommended that this is introduced gradually but that it is constantly reviewed and reinforced.
Headline Finding 5:
The session focused on a Workshop Checklist to identify the most common threats:
- viruses
- social engineering
- phishing
- identity theft
The session then used the Workshop Checklist to look at how different forms of protection can be put in place by a firm and individuals to mitigate these threats as well as the importance of internal training and client education and management. It was suggested that the Workshop Checklist could be used to support client education. This was felt to be an area that the majority of delegates would implement as client education in relation to cyber security has largely been overlooked as it is a relatively new issue.
Delegates shared their experiences and highlighted weaknesses such as ‘hidden’ columns and charts can be easily unlocked and the source data exposed within excel spreadsheets making them insecure.
Some delegates have taken out ‘cyber-insurance’.
Some delegates intend to use the Workshop Checklist to demonstrate value within their client proposition by sharing the information with their clients.