October is cyber security awareness month and HLB Mann Judd has urged financial businesses to become more vigilant about cyber crime.
According to the firm, the average self-reported cost of cyber crime per report was ~$33,000 per individual (up 8 per cent on last year) and ~$80,850 for businesses (up 50 per cent on last year) – with large businesses reporting a cost of ~$202,700, up 219 per cent on last year.
“Cyber crime continues to rise in both frequency and sophistication, and no business is immune,” said Kapil Kukreja, partner of risk assurance and consulting.
“For many businesses, the question is no longer if they will face a cyber incident, but when.”
Financial advice businesses are also attractive targets for cyber criminals, due to the vast amounts of information they hold about clients.
“Just having one client means that you have so much information on them,” Fraser Jack, founder of The Cyber Collective, told ifa.
“All of their investment information, their banking information, their tax information, their estate planning information, their beneficiaries, their company structures [are all available to cyber criminals].”
Many smaller advice practices also lack the appropriate cyber security infrastructure to protect themselves and their clients from attacks, making them “low-hanging fruit”, according to Jack.
One of these important infrastructural elements many firms lack is adequate staff training, leaving them susceptible to social engineering tactics that are favoured by many cyber criminals.
“Human error remains one of the most common causes of data breaches, whether from clicking on phishing links, to mishandling sensitive information,” Kukreja said.
“Building a culture of awareness and accountability across all levels of an organisation is just as important as investing in security systems.”
Kukreja made several recommendations for financial businesses looking to increase cyber security:
1. Ensure your business has a defensible architecture, for example zero trust principles (never trust, always verify) and strong authentication such as multi-factor authentication.
2. Build a supply chain and supplier risk strategy.
3. Invest in identity and access controls. Regularly review accounts for inactive users and immediately revoke access for former employees or contractors.
4. Make staff training on risks an ongoing part of professional development, not just a one-off.
5. Regularly review and update your technology stack.
“Cyber security is no longer an IT issue, it’s a business responsibility and a shared responsibility. Businesses must protect their people, systems and customers. That means modernising technology, strengthening access controls, continual staff training and keeping a close eye on emerging threats,” Kukreja said.
He added: “The reality is clear – cyber risks are growing and businesses that prepare today are the businesses that will thrive tomorrow.”
Jack offered similar sentiments, highlighting that breaches only happen when planning is inadequate, and that such planning is a worthwhile investment.
“I would say that, just like estate planning, if you don’t have things in place and they go wrong, it’s going to cost you 10 to 100 times more to fix than it would to protect.”