
Why advisers need to urgently tackle the cyber threat challenge

“Advisers should be baking in security from the very get-go of their digital journey,” Major General (Ret'd) Marcus Thompson AM said at the Adviser Innovation Summit in Melbourne.

Speaking at this year’s Adviser Innovation Summit, Dr Thompson, former head of information warfare for the Australian Defence Force (ADF), warned that cyber security complacency has no place in advice, noting that the threat is very real.

“We need to accept upfront that in the cyber space there is a threat, the threat is real, it is active, it is incredibly capable, and it wishes you harm,” Dr Thompson told a room full of advisers on Wednesday.

“You might not be interested in cyber security, but the cyber threat is definitely interested in you,” he said.

“You are all now legislatively obliged to be interested in cyber security,” Dr Thompson added, referencing recent legislative changes that have extended the reach of the Security of Critical Infrastructure Act 2018 (SOCI Act), which requires owners and operators of Australia’s critical infrastructure to take steps to protect that infrastructure.

Among the newly captured sectors is the financial services sector.

Dr Thompson explained that the Australian-first RI Advice ruling best portrays just how culpable advice businesses are for holes in cyber risk management strategies.


On 5 May, the Federal Court ruled that AFS licensee RI Advice breached the law by failing to protect confidential client information from numerous cyber attacks between June 2014 and May 2020, “that allowed third parties to gain unauthorised access to sensitive personal information”.

The court heard that nine incidents occurred where hackers infiltrated the servers of RI Advice using methods such as hacked web servers, ransomware, brute force and phishing emails.

“It is imperative for all entities, including licensees, to have adequate cyber security systems in place to protect against unauthorised access,” ASIC deputy chair Sarah Court said at the time.

According to Dr Thompson, businesses need to learn from RI Advice and prioritise the enhancement of their cyber security posture.

“If you have any assets, any information that a criminal might be able to monetise, then you need to be thinking about its security,” Dr Thompson said.

As for practical steps advisers can take today, Dr Thompson swears by an approach that addresses three crucial pillars of cyber security: self-defence, passive defence and active defence.

“It’s a conceptional framework to help you order your thinking and under each heading you can ask those questions of yourself, your team and your third-party providers. It’s everyone’s responsibility,” he said.

“Self-defence is don’t be that person that clicks on the link in a phishing email, don’t be the person that finds a USB stick in the carpark and out of curiosity plugs it into your system. What are you posting on social media?

“Passive defence is questions to ask of your technical staff if you have them in-house or your third-party providers if you’re contracting it out,” Dr Thompson explained.

This pillar of defence also includes dusting off your business continuity plan and rehearsing crisis management procedures.

“Active defence is the smaller numbers of highly trained people that are sitting on or near your infrastructure, actively seeking out and countering threat activity,” Dr Thompson noted.

And according to him, staying on top of one’s cyber security is “actually not that complex”, but failing to do so is extremely dangerous.

Dr Thompson will be speaking at the Sydney leg of the AI Summit on 8 June.
