Australian Signals Directorate (ASD) data shows a cyber crime was reported every six minutes and cost small businesses $46,000 on average in the last financial year.
Research shows financial services firms are 300 times more likely to experience cyber attacks than other institutions.
As advice practices review their processes and turn their attention to cyber security, Selin Ertac, an advice consulting expert from Tangelo Advice Consulting – which offers practical compliance support for AFSLs and advice practices – shares three key ways you can stress-test your cyber plan.
1. Undertake a personal information audit
A solid starting point for advice owners is to undertake a thorough review of the personal information they are storing. “And more importantly,” Ertac says, “where it is being saved, how it is accessed, and by whom.”
She continues: “Sometimes we see contractors being given access to systems and their access isn’t revoked post job completion.
“There are also instances where staff may save sensitive information to local drives/email client information to their personal email addresses which exposes the business to unnecessary risk.”
An audit of personal details can form part of a wider risk assessment.
2. Test your response plan
There are two main ways to test your cyber security measures. The sophistication of your cyber measures should inform which method you choose.
A tabletop exercise typically involves getting your employees together to discuss, revise and practise your incident response plan. This method is more suited to practices earlier on in their journey to cyber safety – they tend to be less confronting.
The other option is a walk-through (or simulation test). This offers a more hands-on way for advisers to stress-test their cyber plans. These tests employ real recovery actions. They are usually more expensive and require more preparation.
One example of a cyber attack “simulation” would be the sending of dummy phishing emails to understand how your employees respond.
“Most Managed IT Service providers have this as part of their service offering,” Ertac adds.
The need to test emails in particular aligns with recent data from the Australian Signals Directorate (ASD). Email compromise and business email compromise (BEC) fraud both placed in the top three cyber crime types affecting businesses.
It’s a view shared by AUCloud CEO Peter Maloney. As cyber threats become more sophisticated, Maloney says organisations must equip their workforce with the necessary skills to identify and mitigate potential risks: “We see an average fail rate of 30% for initial phishing simulations, and by providing regular cyber security awareness training we see clients reduce their phishing score by 98%.”
3. Follow tips and existing resources
New cyber threats are always emerging. You’ll want to stay up-to-date and regularly engage with resources. The government has a range of materials you can utilise through its Cyber Security Centre. The Exercise in a Box tool is particularly useful for SMEs.
It’s important to be collaborative and share information within your practice. “Everyone in the business should be aware of the cyber plan and what’s expected of them if an incident arises,” Ertac says.
At Advisely, we’re hosting a webinar on cybersecurity later this month. We’ll be sharing expert insights on creating a robust cyber strategy, how to identify vulnerabilities in your business and more.
Advisely Team