Cyber crime: How safe are you really?

30 March 2020

Money & Life team

Money & Life contributors draw on their diverse range of experience to present you with insights and guidance that will help you manage your financial wellbeing, achieve your lifestyle goals and plan for your financial future.

A recent breach of Capital Partners’ network was a wake-up call for the business to step up its cyber security. Charmaine Lamprecht explains how the firm undertook this challenge.

‘Cyber attack’ – they’re two words likely to strike fear into any business. We’ve all heard stories of somebody clicking on a seemingly innocuous link in an email or opening an attachment, only to find later that they have unknowingly allowed a cyber criminal to access their network.

It was exactly this scenario that occurred at Capital Partners Private Wealth Advisers. A seemingly legitimate link in an email turned out to be a phishing attempt. The Perth-based practice’s online systems had been breached.

The cyber criminals began monitoring a company email address. They intercepted communication between the company and a client and made fraudulent requests to transfer money.

However, thanks to Capital Partners’ existing processes and verification procedures, the business quickly realised this was not a legitimate request and was able to prevent the transfer of funds. It was, nonetheless, a wake-up call for the firm, highlighting just how easily cyber attacks can happen.

Today, global cyber threats continue to evolve at an astonishing pace, with an ever-increasing number of data breaches reported each year. A report by Risk Based Security – a U.S. business involved in vulnerability intelligence, breach data and risk ratings – revealed that 7.9 billion records were exposed in data breaches in the first nine months of 2019. This figure is more than double the number of records exposed in the same period in 2018.

And no business, sector or individual with an online footprint is immune from the threat of cyber attack. The cost of cyber crime globally is predicted to reach $6 trillion by 2021, and worldwide spending on cyber security solutions by governments and businesses is forecast to reach an estimated $229.2 billion by 2023, according to International Data Corporation.

It’s a threat that Capital Partners takes very seriously, with the firm’s founder and managing director, David Andrew AFP®, warning that as the incidence of cyber threats increases, cyber security will progressively become a massive risk and issue for the financial planning profession.

As the Chief Operating Officer at Capital Partners responsible for rolling out the firm’s current cyber security framework, Charmaine Lamprecht supports this view.

“Cyber security is challenging but it’s absolutely crucial for all businesses operating in the financial services sector,” Charmaine says. “We hold so much personal and financial information in the one place and therefore, we are a very large target for cyber criminals. Cyber attacks are a very real and constant risk to our business and to our clients.”

Identifying the problem

When it comes to an advisory business properly identifying if it has a cyber security problem, Charmaine believes it’s not a case of ‘if’ but ‘when’, and strenuously advises businesses to accept that the threat of cyber attacks is a norm of conducting business today.

“I believe all businesses have a cyber security problem or risk. Being breached is the worst case scenario.”

She believes businesses need to realise that cyber security is an issue now and they should properly plan for it. The best place to start is by adopting a security framework that is appropriate for your business.

Capital Partners uses the National Institute of Standards and Technology (NIST) framework, which covers five areas:

  • How to identify risks;
  • How to protect against these risks;
  • How to detect risks;
  • How to respond to these risks; and
  • How to recover from an incident.

“By applying a framework to your business, it helps you better understand what your cyber security gaps are and where you need help,” Charmaine says.

Other types of frameworks that advisory businesses might also consider using include the ISO security standard 27001, the PCI DSS standard (a security standard for organisations that handle branded credit cards from the major card schemes), and APRA frameworks.

“The most important thing is to pick an appropriate framework, apply it to your business and conduct a regular assessment against this framework. This will give you a sense of what your priorities, in terms of development, should be,” Charmaine says.

It’s worth the investment

The phishing email that breached Capital Partners’ internal systems was a game-changer for the business, prompting it to undertake an overhaul and significant reinvestment in its cyber security.

Within 24 hours it had conducted a detailed investigation of the breach. However, the questions Capital Partners was asking its IT company about the breach were ones the IT company couldn’t answer. They simply didn’t know how long Capital Partners had been breached or what information had been accessed. Clearly, the IT company wasn’t the right partner for the firm’s cyber security requirements.

“This really scared us as a business,” Charmaine says. “We take seriously the responsibility of securing our clients’ information, so when we realised we were at a much bigger risk to cyber attacks than we had thought, it became our number one priority.”

Thankfully, because the business was able to detect the phishing attack almost immediately, it was able to mitigate all risks by taking the network offline, changing passwords, and seeking the help of a cyber security specialist.

“We engaged with a cyber security firm in Perth. They promptly did a vulnerability assessment of our network. They helped us understand the risks across our information flow within the business. Once we understood these risks, we were able to act on them.”

Today, Capital Partners’ entire network is monitored 24 hours a day by an external monitoring organisation based onshore. The firm’s systems can only be logged into from a Capital Partners device and from within its secure network.

“As a result of this scare, we have now separated the cyber security and IT providers, and they work alongside each other. The cyber security company is hooked into our network and monitors all the traffic, both internally and externally,” Charmaine explains.

However, she concedes that part of the problem of working within a cloud environment is that, while it’s efficient, it comes with different risks, and if a business doesn’t mitigate these risks it can be far less secure than an on-premises server.

“So, our cyber security partner monitors all our traffic. For example, we use Xplan for a lot of our client information, so our partner monitors all that data going between our network and Xplan’s network.

“In addition, our cyber security partner is constantly looking at all of the cyber threats that are happening around the world and it then checks our network for these threats. It’s also looking for what’s happening within our network, like spam emails, and ensures these emails have not been actioned.”

However, rolling out a cyber security framework doesn’t come cheap. For a mid-sized company, like Capital Partners, it costs about $50,000 per annum for the managed cyber security service.

On top of this, Charmaine says there are always incidental costs, like network and software upgrades. For example, Capital Partners conducted a recent overhaul of its infrastructure, so that if there was a breach in one part of Capital Partners’ network, that breach would be segmented, preventing access to any other part of the network. This upgrade came at an additional cost of $50,000.

“Cyber security doesn’t come cheaply, but what’s the cost to the business and your clients if you don’t invest in robust cyber security systems?”

Selecting the right partner

Charmaine speaks highly of the cyber security company Capital Partners works with, but choosing the right type of cyber security specialist for your business does require homework and due diligence.

When dealing with any new provider, Capital Partners conducts detailed due diligence. This means the third-party provider needs to measure up against rigorous standards, including how they store information, who has access to this information and what their privacy policy looks like.

“A recent problem I had with a third-party provider was it allowed many of its staff to work from home, but the provider had no understanding of how secure each staff member’s individual internet connection was. The company had no control of these individual connections, so it didn’t know if the data moving between its server and its staff was secure or if it was being intercepted.

“These questions are all about taking it to the ‘nth degree’. Only by doing so, do you realise just how many links there are in the chain or how many risks there potentially are.”

Other types of questions Charmaine recommends advisory businesses ask their cyber security partner include: what is their own approach to cyber security; what framework do they use or recommend; and what framework do they assess you by.

“With our cyber security, we would only go with a company that is ISO accredited with the global standard ISO 27001, and we wouldn’t even consider engaging a company that isn’t accredited with this standard. By complying with this global standard, companies have to meet and adhere to extensive criteria, and they are regularly audited.”

Assess, manage and monitor

However, Charmaine admits that having a cyber security partner doesn’t mean you can take your ‘eye off the ball’ when it comes to the threat of cyber attacks.

Capital Partners meets with both its IT company and cyber security partner every month, where statistics and data are reviewed. This includes how many alerts were identified across the system and how many ‘brute force’ attempts occurred.

“We look at these statistics and work out where these attacks are coming from, if we were targeted specifically or if it was random, and if there is more we could be doing to protect our business from these attacks. We are constantly assessing the activity that’s happening and we’re also assessing what’s changing within the business,” Charmaine says.

“For example, are we putting in a new piece of software, do we have new team members starting, what level of knowledge do new team members have about cyber security, have we properly educated them, is anything changing within the business that we need to consider from a cyber security perspective.”
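As an added illustration of the kind of monthly alert review described above (example code written for this article, not Capital Partners’ or its provider’s tooling), the script below takes a constructed set of failed-login alerts in an assumed “timestamp source user outcome” format, counts brute-force attempts per source, and labels each source as targeted (few accounts hammered) or random (many accounts tried).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of login alerts for one review period. The
# "timestamp src_ip user outcome" layout is assumed for illustration only.
SAMPLE_ALERTS = """\
2020-03-02T08:01:10 203.0.113.7 jsmith FAILED
2020-03-02T08:01:12 203.0.113.7 jsmith FAILED
2020-03-02T08:01:15 203.0.113.7 jsmith FAILED
2020-03-02T08:01:19 203.0.113.7 jsmith FAILED
2020-03-02T08:01:23 203.0.113.7 jsmith FAILED
2020-03-02T08:01:30 203.0.113.7 jsmith FAILED
2020-03-03T02:14:01 198.51.100.20 admin FAILED
2020-03-03T02:14:03 198.51.100.20 root FAILED
2020-03-03T02:14:05 198.51.100.20 test FAILED
2020-03-03T02:14:07 198.51.100.20 guest FAILED
2020-03-03T02:14:09 198.51.100.20 oracle FAILED
2020-03-04T09:30:00 192.0.2.55 clee FAILED
2020-03-04T09:30:40 192.0.2.55 clee SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAILED|SUCCESS)$")
THRESHOLD = 5  # failures from one source before it counts as brute force (chosen for the sample)

def parse_alerts(text):
    """Yield (timestamp, src_ip, user, outcome) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def summarise(text, threshold=THRESHOLD):
    """Review-style summary: total failures, brute-force sources, and whether each
    source looks targeted (one or two accounts) or random (many accounts tried)."""
    failures = Counter()
    users_by_src = defaultdict(set)
    for _ts, src, user, outcome in parse_alerts(text):
        if outcome == "FAILED":
            failures[src] += 1
            users_by_src[src].add(user)
    brute = {}
    for src, n in failures.items():
        if n >= threshold:
            kind = "targeted" if len(users_by_src[src]) <= 2 else "random"
            brute[src] = {"attempts": n, "accounts": len(users_by_src[src]), "kind": kind}
    return {"total_failures": sum(failures.values()), "brute_force": brute}

if __name__ == "__main__":
    for src, info in summarise(SAMPLE_ALERTS)["brute_force"].items():
        print(src, info)
```

The one-off failure from 192.0.2.55 followed by a success is left out of the brute-force list, which is the distinction between ordinary user error and an attack that the review is meant to surface.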

Get in the cyber security experts

If there is one tip Charmaine wants to impart to any advisory business looking to update or roll out its own cyber security program, it is ‘get in the experts’. She warns against falling into a false sense of security that you can do it yourself.

“Cyber security is constantly evolving, so you need to be working with specialists that are across this. However, make sure they are separate from your IT company, but can work well with them. We have never come across an IT company that was specialised enough in cyber security.”

But that doesn’t mean there’s nothing a business can do itself to limit the threat of cyber attacks. Simple things like multi-factor authentication, which requires two or more authentication factors for verification, can be easily implemented. Multi-factor authentication can combine passwords with fingerprints or even iris scans for accessing emails, phones, apps or other digital devices that hold client information.

“It sounds simple but use strong passwords and a password manager, so team members never reuse the same passwords. Passwords need to be random, so you only ever need to remember one very complex password for your password app, and that should have really good two-factor authentication on it.”

And is there anything Capital Partners would do differently with its cyber security?

“Absolutely,” says Charmaine. “We would have done it earlier!

“We assess our business risks every year, like the risks to our premises, the risks to the market, the risks to the economy, but we weren’t thinking enough about cyber security. It took this initial phishing scare and breach of our network, to realise how big a risk cyber attacks are.

“As the incidence of cyber attacks increases, cyber security will increasingly become a massive issue for the profession, particularly over the next 5-10 years. Advice businesses should not underestimate this risk.”

Charmaine Lamprecht is Chief Operating Officer at Capital Partners Private Wealth Advisers. Capital Partners has been an FPA Professional Practice since 2011. Capital Partners was the FPA Professional Practice of the Year for 2017 and 2019.

***

Practice: Capital Partners Private Wealth Advisers

Established: 1999

Licensee: Capital Partners Private Wealth Advisers

No. of staff: 30

No. of practitioners: 10

No. of CFP® practitioners: 7

FPA Professional Practice since: 2011

***

Cyber safety tips

The need for businesses and individuals to protect themselves from cyber threats has never been greater. Here are eight easy tips to improve your safety.

1. UPDATE YOUR SOFTWARE AND OPERATING SYSTEM

By doing so, you automatically benefit from the latest security patches.

2. USE ANTI-VIRUS SOFTWARE

Anti-virus software will detect and remove cyber threats. Keep your software updated for the best level of protection.

3. USE STRONG PASSWORDS AND A PASSWORD MANAGER

This ensures your passwords are random and not easily guessable, and that the same password is never reused across accounts.

4. USE MULTI-FACTOR AUTHENTICATION

Use two or more authentication factors, like passwords and fingerprints, for accessing emails, phones, apps or anything that involves the protection of client information. This is an excellent defence against phishing.

5. DATA ENCRYPTION

Enable encryption on all emails and devices. If devices are lost, data is still secure. Intercepted data cannot be read without the encryption key.

6. DO NOT OPEN EMAIL ATTACHMENTS FROM UNKNOWN SENDERS

These attachments could be infected with malware.

7. DO NOT CLICK ON LINKS IN EMAILS FROM UNKNOWN SENDERS OR UNFAMILIAR WEBSITES

This is also a common way that malware is spread.

8. AVOID USING UNSECURED WI-FI NETWORKS IN PUBLIC PLACES

Unsecured networks leave you vulnerable to man-in-the-middle attacks.

***

Cyber crime in Australia 2019

$1 BILLION: the amount cyber crime is costing the Australian economy annually in direct costs

$1.9 MILLION: the average cost of a data breach

TOP 3 cyber crimes affecting Australian businesses: Ransomware 18%, Phishing 19%, Malware 18%

74%: the percentage of consumers who would switch providers following a data breach

45%: of Australian businesses have been hit by cyber crime

54%: of businesses do not have an incident response process

Source: Stanfield IT

***