Why you need to build a cyber fortress around your practice

Speaking at the Adviser Innovation Summit in Sydney and Melbourne, Fraser Jack, founder of The Cyber Collective, said the consequences of a cyber attack are more impactful than most advisers realise, including the amount of clients that could be lost.

“The reportable breach regime that ASIC have introduced, when you have to report a breach, that notification is going to be published for all to see,” Mr Jack said.

“Core Data did some stats really recently around what clients would do in the event of a data breach on their financial advice practice. This was specific to financial advice practices, though I’ve done other surveys that come up with similar results for accountants.

“But they basically said that 60 per cent of clients would leave their financial advice practice, which is not what advisers thought. Around 95 per cent of advisers thought they might lose up to 11 per cent of their practice in the event of a cyber or data breach.”

He added that while the impact depends on how bad the breach is, how much information is lost, and what impact that has on the client, there is a clear disconnect between perception and reality.

This extends to whether small businesses would even be targets of hackers, which Mr Jack explained is another misconception, stressing that it’s not just the big guys that get targeted.

“What’s happened is these major cartels, we call them cyber cartels, are paying young developers extreme amounts of money to create sophisticated malware to attack these large businesses,” he said.

“What they’ve done is they’ve taken these malware products that they’ve created, they put them on the dark web and just offer them now as a software service. Any hacker in their backyard can pick it up, go after a small financial advice firm or a small business, and just pay them a percentage of what they ransom.

“So there’s the tools out there for hackers and getting involved and going after small businesses. It’s just incredible.”

Mr Jack added that it often takes a long time before the malware is even found, with the average length that hackers are inside a business’ system sitting at 211 days.

“It’s nearly seven months of somebody going through your data and information in your CRM before you find out that they’re there,” he said.

“The financial services sector is 300 times more likely. So, you’re right in that sweet spot with regard to running a business, not having the budget of a bank to look after your cyber security and then still being a target.

“I’m of the opinion that it’s not if, it’s when somebody comes looking at your business.”

The cyber expert said advice businesses shouldn’t be focused on making it impossible to hack their system, rather just deterring hackers from putting the effort in.

“It’s not about making your business super tight so that nothing can get in because something’s always going to get in if they try hard enough. You can’t do that,” Mr Jack explained.

“But you have to make it to the point where it’s hard to get in so they move on to the next person.”