This is the second post in our series recounting the in-depth conversation on Cyber Security from our September Investment Forum with expert panellists Matthew Smith from St. James’ Place and Tony Challands from Benchmark Capital. This section focused on the balance of security and usability, educating advisers and clients about cyber security, and improving client communication.
We’ve had feedback that there isn’t enough security resistance from focus groups. It’s important to take into account how you’re interacting with clients when putting security together.
Matthew Smith:

So I can give a bit of an anecdote. It’s only because we’re redesigning the workflow for our clients, getting onto our online wealth account application. And as part of that, we’re looking at our registration process, and we’re looking at the step-up authentication mechanisms.

So, to your scenario of authorising an address change and whatever else, and actually with today’s technologies, when we’re looking at sort of seamless authentication and minimising the security barriers, actually some of the queries we’ve had from focus groups say there’s not enough security resistance. So despite meeting the regulatory requirements for PSA2 and other financial transactions, actually, security restrictions can almost be too seamless and it almost feels like an experience where there’s not enough security being applied by you as a service provider. So there’s swings and roundabouts to the security being a blocker.

One thing I will say about it is that when you implement security controls to sort of support that kind of client communication, so whether that’s email encryption, the state can tend to be how you do it. So it’s something to think about how that solution actually works for the client. Too many email encryption services, for example, get blocked at corporate gateways because it’s an encrypted message coming into the corporate network. So it’s thinking about actually how you’re going to interact and how you’re going to share that information with clients. It’s absolutely right that the sort of the right robust controls are in place, but it’s thinking about the experience as well from the client’s perspective.

So taking security, but also working with your whether you have an experienced team or whether you’re just thinking about actually how is this going to work for my clients, who receive this information? Because the right amount of security should get the confidence of the client that you’re putting the appropriate controls in place, but isn’t such a resistance or such an annoyance that actually advisers and people take those security steps off because the client doesn’t want to go through that painful experience. So it’s very much a balancing act.

There’s always a usability vs. security trade-off, but working out that balance and really thinking about the client’s whole experience is really important to me. And the other aspects of more than the education piece, I think it’s just being very much aware of the risks. So a lot of fraudulent activity that will take place against accounts will come from the client side and they’ll come from generally the compromise of the client’s identity. So whether it’s the source of the items that Tony and Eddie mentioned around social media and getting enough information to pretend to be the client or what we see more typically is a compromise of the client’s email address.

Now again, because that’s taken as that’s how they communicate. They like to email. They like to email on their lunch break. Whatever that is, that’s sometimes taken by an adviser as enough to authorise perhaps some steps or take some actions. And it’s just thinking about actually, how do we sort of make sure that actually the clients are taking responsibility for their own security and being aware of the risks? So and also yourselves being aware that actually email is not a trusted medium.

We try to use the client portal as much as possible as well as encrypted messaging to try and keep personal information out of email as much as possible.

Tony Challands:

Let me tell you some of the things we do in Benchmark and across our own adviser community. There’s a couple of things, from our perspective and maybe we’ve evolved and invested a little bit in this, and it’s been easier for us to do that, maybe. There’s two things that we do apart from the education piece, that we put out there to try and help the client, the real client here, apart from trying as much as possible, wherever possible to tell them about the worries of cyber and data information going amiss. We certainly have the ability for clients to put confidential information straight into our own platforms. That becomes really useful.

Now there’s a mixture there because some people won’t do that easily or don’t want to do it. But that’s one of the things we can do, and we could work with our investment firms as well, where we can do that on behalf of the client. So that’s one thing, but the one thing we’ve also done, which I don’t believe is very expensive, but you need to be the judge of that. We use an encrypted messaging service, but it’s a standard one. We use a product called Send Safely. There are many others out there that do the same thing, but it enables anybody to use an encrypted portal to put a piece of information up into a safe place where it can be collected and vice versa. So we push out to our clients any information that contains personal information does not go on email.

That’s our policy. We’ve actually got some tools in place that actually detect if we receive email with personal information on: national insurance numbers and driving licence numbers and a few other things we can actually detect if they’re there. Now that can be expensive. But what we do, we have a policy where we won’t send anything on email that’s got personal information in it. The very least you should do is put it inside a file and password protect it, which is free. You know, you can go on to Word and Excel, and I think most people would have access to those, but I appreciate not everybody. And you can password protect those things. At least you’re doing a little bit of control to stop personal information being easily accessed.

Inside an email, it’s the worst place it can be. So we have a product called Send Safely, and it allows us to send something to an email address that says “We’ve got a secure message for you.” The banks are using this all the time now, aren’t they? And I’m sure a lot of our provider colleagues are using those tools as well. We send it to an individual that says we have some information for you. It might be the fact find information or getting them to confirm it. Send it to them. They click on a link. Multifactor authentication kicks in again and they get sent a link to their own email. They have to click on it. Multifactor in there so that word again, and then it enables them to pick it up securely.

So we try our hardest not to let stuff go into email, which is the worst place any personal information can be. Because, as Matt says, if that’s going to be compromised, that’s probably the one thing. And it’s not necessarily the corporate or your company email, it’s the user. It’s the client’s email which is likely to be picked off. So education without scaring your client.

As Matt said, nowadays, the feedback you’re getting is there’s not enough visible security. What have I got to do differently to make this secure? So by bringing that to your attention and talking about it to them, it does help. Yeah. So there are some tools out there. They’re really expensive, but they’re absolutely at the end of the day, education is the first piece without scaring them, trying to get them to rethink.

We could do with creating some industry standards around encryption services, but I do think that is a challenge that will be beaten in time.

Tony Challands:

I think from the large company point of view where they’ve decided on their own method of communication, it is frustrating [when all companies all use their own encryption system]. And you know, I have that challenge across my company now where people come to me saying, “I’ve got another one to register for; surely I don’t need 15 different mechanisms. Why can’t they use ours? Or why don’t they use something centralised and popular?”

I think the only lever we’ve got to push as an industry is to push back the discomfort that causes and to try and push back and create those common standards. 10 or 50 years ago, technology had this problem all the time about systems talking to each other. It was very similar. And maybe I’m showing my age, but you say you go back 10, 15 years ago, people were using lots of different systems and keeping the same amount of information on the mode, and none of them talked to each other.

You just don’t get that now because there’s a much better set of standards of how data is kept and recorded. And maybe there’s been some dominance of some players in the market. We’re all talking on Microsoft Teams, and there are some product sets that actually have become the norm. But I think the challenge will be beaten. But I do understand the frustration. I feel it. I don’t think there’s anything we can collectively say we’ll do now or we could do individually or together. That would say that problem would go away. But it’s a challenge.

There are lots of easy encryption tools available, but it would be great to have a standard.
Eddie Humphries:

From what you were saying about the insurance companies, oh my God, that’s a nightmare. I think from what you were saying is, “look, what can we use?” And I think really the rule of thumb is some security is good, but any security may not be the answer. Ok. And what I would like to say is do look to the best practice standards here for the levels of encryption that you should go to, things like AES 256, for example, for encrypting your message, and using those standard Microsoft tools like you were sort of saying about using Word to encrypt things, which is actually quite strong.

Encryption is probably the right answer here because everybody should be a little bit compatible with Microsoft Office anyway. It’s what we use, right? So but I think, from a standard, I’d love to set a standard of something like, PGP or something like that as an encryption protocol. But, within Office 365, you do have a standard encryption of your email. So if we’re advising that people use Office 365, there is an encryption protocol right there for you.

Do you see this as an opportunity for better client communication by way of portals?
Alan Easter:

It’s the language we’re using that kind of feels like this is a challenge and this is a problem for us. But I just wonder whether the experts at the panel think that this is an opportunity, especially around client communications, to have a more enriched client journey by the use of portals and gamification in order to bring the client into the data collection processes. Instead of sticking the fact find in the post to them or sticking policy documents in the post to them and creating stuff that people don’t read, how do you feel portals etc. are going to develop in order to embrace this and make the client journey that much better?

I do see the secure client portal as the best answer. Email was made thirty years ago; everything designed to make it secure was added on.
Matthew Smith:

I think absolutely. So that’s where I sit. I think for us as businesses, we tend to see both. So we see that the business communication, that needs securing and that sort of business to client communication. And the business to client communication, the answer to me is a portal, a secure portal. That’s where you do document sharing. That’s where you do your fact-finding information. And that’s the way you serve its clients and that sensitive information. Email is a specification they wrote thirty years ago with no comprehension of security or requirements. And so everything we do to secure email is a bolt on, and it feels like it. So it was never designed to be secure and so that, in my view, is where we focus the method. I think the other point that you raised around the challenge of all these providers [having their own encryption services], I don’t have an answer. Unfortunately, that is the marketplace we’re in at the moment; securing email there are lots of vendors. I’ve named a different one on this call and that’s the fragmented place we are. So I think, business to business communication, I don’t see an answer unless it, as Ian mentioned, comes as a collective and people as a group come down on a standard.