
Prepare now to save regret later: How a cyber breach can ding a firm's reputation

Cyber security breaches are a significant risk for the reputation of financial advice firms, with the best defence being preparation, according to one industry expert.

National airline Qantas was the victim of a headline-grabbing cyber security breach last week that was the result of a social engineering attack against one employee at a call centre. Despite the seemingly small chink in the cyber armour, hackers managed to get access to the information of millions of customers.

Beyond the potential financial fallout, a breach such as this is a valuable lesson in reputational damage.

“I think the biggest issue around that is actually the loss of trust,” Fraser Jack, founder of The Cyber Collective, said. “Losing that trust relationship, or damaging that trust relationship, then takes a long time to try and recover or get back.”

Jack, who specialises in cyber security for financial advisers, highlighted how the Qantas breach serves as an effective case study for reputational damage management: “Qantas came out instantly and said, ‘We’re very sorry’, which was good. There’s some empathy-based conversation [you need to have], letting people know exactly what’s happening and keeping the transparency up.”

For financial advisers, where personal client relationships are foundational to business, the reputational fallout of a data breach could be disastrous. Clients losing trust, clients seeking advice from competitors, or a damaged brand image could cost a firm significantly in the wake of a breach.

“[You will end up with] many years of client interactions will be instantly assessed as were they secure enough, or weren’t they secure enough?” Jack said.


The best way to protect your reputation in the wake of a cyber security breach, he said, is to simply ensure that your firm is insulated from the possibility of one ever occurring in the first place.

This includes selecting the right products that will protect your systems from hackers. However, as Jack highlighted, a lot of firms “spend 95 per cent of their budget on [digital security], but 95 per cent of breaches are because of human error”.

Social engineering scams, where criminals attempt to gain the trust of an employee to get access to confidential information such as passwords, are one of the most common types of attack, and were the type used to gain access to information held by Qantas.

“The first step is to make sure that the tech is set up right, that closes a lot of the doors and windows. The next step is to make sure your team understand who they’re letting into those doors and windows and why,” Jack said.

While having the appropriate security measures and educating staff on how to spot a potential criminal will go a long way to protecting one’s firm and its reputation, human error is still unpredictable and can still lead to a breach.

If this does happen, Jack highlighted that it is important to be seen to be taking action.

“Things like reissuing copies of ID, passports, driver’s license (are important),” he said.

“When money’s stolen, make sure that new accounts are set up, that you change providers, not using the same platform [that was impacted], not using the same passwords and making sure that everything gets changed.”

As financial advice groups continue marching into the digital age, turning more to technology to ease and facilitate services for their clients, the risk of being targeted by cyber criminals and the potential for reputational damage also increases.

As Jack explained, advisers need to approach their cyber security like they approach advising a client: “Look at strategies based on a risk assessment, then find the product [that best suits your needs] at the end.”