How to create a culture of cybersecurity awareness in your business

01 September 2021

Ajay Unni

Ajay is the founder of StickmanCyber, a business that helps companies mitigate their cyber security risks. He was selected to join the 2020 NSW Government's Cyber Security Task Force & contributed to the 2021 NSW Government Cyber Security Strategy.

Your financial planning business needs to have protections in place across your IT systems to ensure client and business data is secure. But effective cybersecurity also relies on the choices and actions of your team in response to potential attacks.

Cyber attacks are rising in Australia and around the world. To keep pace with this threat, businesses cannot treat cyber security as the sole responsibility of the IT or security department. Instead, every person in the business should follow proper cyber security processes and protocols, or at the very least be cyber aware.

So how can businesses design security training and processes that will actually stick, as opposed to a quick meeting that’s forgotten in a flash? Gamification is currently a big buzzword in the cyber security space, but we personally have not seen any evidence of better knowledge retention via this approach.

Show, don’t tell

Instead, storytelling via sharing examples and scenarios based on the roles and responsibilities of staff members seems to work well. By basing your training on examples and scenarios that your staff can actually visualise, your staff will be able to better appreciate the huge negative consequences of a cyber security attack.

For example, when training finance and accounting teams, use real cases of business email compromise (BEC) that ended with funds transferred to fraudulent bank accounts. There are many examples of companies inadvertently paying attackers who were impersonating their vendors, partners or clients.

In cases like these, attackers gain access to a genuine email thread between the customer and supplier (typically through a compromised mailbox or a lookalike domain) and insert their own messages into it. They claim the supplier's bank account has changed and ask for payment to be sent to a different account they control, often overseas, from which the money is quickly moved on. The practical lesson for staff is that any change to payment details must be confirmed through a separate channel, such as a phone call to a number already on file, never by replying to the email that requested it.

Get to know cyber threats

In order to deeply ingrain the importance of cyber security into your business, staff should have a good understanding of the different types of cyberattacks and how they happen. It's vital that your entire team understands what you're up against. Some of the most common forms of attack include malware, phishing and spear phishing, ransomware, trojans, keystroke logging, insider threats, drive-by downloads and person-in-the-middle attacks.

Ransomware, for example, has become a cyber pandemic, plaguing businesses including Nine, JBS Meats and many others. Ransomware is malicious software that encrypts data or otherwise blocks access to a computer system, with the attackers demanding payment to restore it. Many companies end up paying the ransom to regain access, but paying does not remove the future risk. The attackers may have installed other malware or kept a foothold in the network that can be activated later to launch new attacks, so a compromised environment still needs to be properly investigated and rebuilt.

Recently, we have even seen ransomware offered as a service by cybercriminals. Ransomware operators lease their malware and payment infrastructure to affiliates, who carry out the attacks and hand back a share of each ransom, so the attacker no longer needs technical skill of their own. Ransomware attacks are among the most damaging a business can face. Victims are brought to their knees and forced to pay up, or risk losing their data, their reputation and potentially the entire business. This is why cyber security is not just an IT issue, but a whole-of-business issue.

Another common way for cybercriminals to target unsuspecting staff members is known as 'typosquatting'. Also called URL hijacking, this is a form of cybersquatting in which the attacker registers a domain that differs from a legitimate one by a character or two. You might receive an email from someone posing as your boss, sent from a domain that is almost identical to the real one. For example, 'moneyanlife.com.au' instead of 'moneyandlife.com.au'. Because mail clients often show only the display name, staff should be taught to check the actual sender address, and the Reply-To address, before acting on any request involving money or credentials.
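The two warning signs described above, a lookalike sender domain and a payment-change request whose Reply-To points somewhere other than the apparent sender, can be checked automatically before a message reaches the finance team. The following Python example is added here to illustrate that check; it is not code from the article or from StickmanCyber. The trusted-domain list, the sample messages and the keyword list are all constructed for the example, and the edit-distance threshold of 2 is an assumption that should be tuned to your own domain list (very short domains will need a stricter value).

```python
"""Flag inbound emails that show the BEC and typosquatting signs discussed above:
a From domain that is a near-miss of a trusted domain, a Reply-To that differs
from From, or body text requesting a change of bank account details.
Added example; trusted domains, keywords and sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of domains this business actually deals with (assumption).
TRUSTED_DOMAINS = {"moneyandlife.com.au", "example-supplier.com"}

# Constructed phrases that typically accompany a fraudulent change of payment details.
PAYMENT_CHANGE_PHRASES = ("bank account has changed", "new bank account", "updated account details")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character insertions, deletions or substitutions
    needed to turn a into b. Two domains a short distance apart are likely lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a header such as '"Jane" <jane@example.com>'.
    parseaddr ignores the display name, which is what attackers rely on staff reading."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` resembles, or None if it is either
    exactly trusted or not close to anything on the list."""
    if domain in trusted:
        return None
    for candidate in trusted:
        if levenshtein(domain, candidate) <= max_distance:
            return candidate
    return None


def check_email(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw_message)
    findings = []

    from_dom = sender_domain(msg.get("From", ""))
    # If there is no Reply-To, replies go back to From, so treat them as equal.
    reply_dom = sender_domain(msg["Reply-To"]) if msg.get("Reply-To") else from_dom

    target = lookalike_of(from_dom)
    if target:
        findings.append(f"From domain {from_dom!r} is a lookalike of trusted {target!r}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    body = msg.get_payload().lower()
    if any(phrase in body for phrase in PAYMENT_CHANGE_PHRASES):
        findings.append("Body requests a change of bank account details; verify by phone")
    return findings


# Constructed sample: a BEC attempt from a one-character lookalike of a real supplier.
SAMPLE_BEC = """From: "Jane Supplier" <accounts@example-supp1ier.com>
Reply-To: payments@attacker-mailbox.example
To: finance@moneyandlife.com.au
Subject: Re: Invoice 4471

Hi team, please note our bank account has changed. Updated details attached.
"""

# Constructed sample: an ordinary internal message with nothing suspicious.
SAMPLE_LEGIT = """From: editor@moneyandlife.com.au
To: finance@moneyandlife.com.au
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for name, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(name, check_email(sample) or ["no findings"])
```

The edit-distance check catches the 'moneyanlife.com.au' style of typosquat from the article but not homoglyph tricks in internationalised domain names, so treat it as one signal among several, and keep the human control (a call-back on any payment change) regardless of what the filter says.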

Train for awareness

Thoroughly train your staff on these various forms of cyberattack, and help them understand the techniques and practices that best protect the business. For example, to reduce the risk from phishing: treat unexpected communications with caution, don't open attachments or links in a suspicious email, never enter credentials or personal information into a form or pop-up reached from an email link (go to the site directly instead), and report anything suspicious promptly rather than quietly deleting it, so the security team can warn others and check whether anyone else received it.

Organisations have traditionally used either enforcement or encouragement to get staff to take cyber security more seriously. The most effective option, however, is to use a combination of the two. Enforcement in certain areas like training and awareness campaigns should be made mandatory, followed up with encouragement and guidance that helps team members feel supported and comfortable. The goal is to deeply embed cyber security awareness into the very heart of your organisation, stopping attackers well before they get a chance to wreak havoc.