This is the final post in our series documenting the discussions from our September Investment Forum on Cyber Security featuring expert panellists Matthew Smith from St. James’ Place and Tony Challands from Benchmark Capital.

Security should be considered a benefit for customers, and the Cyber Essentials scheme allows you to demonstrate that you have a robust security scheme.

Matthew Smith:

I would absolutely say that [we should be selling tight security as a benefit] and I feel Tony would agree as well. You know, it’s a USP, right? If you’re good at security and you can demonstrate that you take it seriously, it helps people embody trust because everyone worries about how their financials are going to be handled. And that’s a concern for everyone. And that’s what we see in our focus groups when we look at our security approaches, I’ll say absolutely.

I think the other point as well, perhaps to pick up on hear is actually that there is a framework for demonstrating you’re good at security and it’s sponsored by the NCSC. So the Cyber Essentials scheme and I particularly reference Cyber Essentials Plus as just a little bit more robust standard that can be marketed or demonstrated that you’re complying with because it’s independently audited. You know, it’s not particularly expensive as a standard at all to go through. But in terms of the controls we’ve just talked about.

You want people to feel like their data and finances are safe, and I haven’t seen any customer pushback on that.

Tony Challands:

But I’m just going to say, adding to the point that I think it is expected now. I have certainly not witnessed in the last year or so, anybody really pushing back to say “this is ridiculous, I can’t even talk to you. I can’t share information with you.” Look, there have been lots more people on this Forum who obviously have a direct and personal relationship with people that maybe that’s going in that way, but I certainly think it’s now more expected as Matt picked up with some of the focus groups.

But I also think it is absolutely the way to go. You know, you don’t want to scare people, but you actually want to give them the confidence that you’ve got their data, you’re looking after it. It’s not being lost and ultimately their money is safe in your custody. So, yeah, I agree. And absolutely, that’s the way I think we’ve got to push it.

We’re rolling out MFA for the adviser portal and have been sending out communications unapologetically detailing the benefits to the users.

Martyn Sales:

We’re working on Aegon Platforms in the next month or so, we are enabling multi-factor authentication to log in to the adviser portal. So we’re strengthening that and we’re not being apologetic. We’re saying, “you will need to prove your identity by registering a mobile phone number or an authentication app to gain access.” The adviser log-ins don’t just see their own data, they see all of their clients’ data.

So in next month or so, the comms we’ve started sending out has been the benefits and why we’re doing it and never saying sorry. Because you say, what would be their argument? “Sorry, we don’t like you’re taking security seriously”? So we are being quite bullish about it to protect it.

We require a registered mobile device in order to get in, in case the email address has been compromised.

Martyn Sales:

I mean, that’s a good point, but it’s up to the advisers to upgrade their practises. So at the moment, if you go log in with an email and password somewhere and a lot of people’s reset password journeys email accounts that email address, so only to compromise your email and I get in. Hence, for us with this, MFA, doesn’t matter if your email address is compromised.

We still need the email address. We still need password, but we need this second factor authentication, which is to your personal mobile device or any mode of that mobile device you registered that you own to get in. So by us doing our bit, it’s kind of not making those web services safe, but it’s kind of helping if an adviser’s e-mail address is compromised.

I think customers expect to be seeing a professional email address, and that they’ll accommodate security if they know why it’s there.

Eddie Humphries:

Yes, with like Gmail and Hotmail accounts. Really just, I don’t know, but me personally as a customer, and I’m not talking about as a security person here but having a Gmail or a Hotmail account for me to correspond with you with my personal details and my financial thing doesn’t look good as far as me as a customer is concerned. It’s a bit, you know, I can get a Hotmail account. It’s supposed to be a business that I’m dealing with, right? So at least with Gmail, you can stick it on two factor, well, two-step verification. But I would have expected a professional email address here and to sort of like, see if we’re actually taking that seriously with my money, is where I’m coming from.

But look, there are things you can do to secure your email left, right and centre. But I think at the end of the day, I do appreciate the comments that we’re not going to apologise for security, I don’t think you should. However, a customer will be very, very agreeable to a security control if they understand why you’re actually doing it. So I think that’s probably a key aspect here for the customer is if they understand why that security control is in place, then they’re probably going to be more likely to be accepting of that because of security control and go along with their some decent security.

I fully support the use of reputable password managers to keep track of all your passwords across devices.

Matthew Smith:

So I personally think they’re brilliant. I do strongly advocate them. So there are those schools of thoughts around, well, that’s you putting all your eggs in one basket, so you need to make sure you’re protecting that password manager. I’d also say use a reputable one, some of the commercial services that are available out there. But absolutely, because it simplifies the management.

I’m sure others on the call have a similar number of online accounts, but I’m sort of in the range of 70-80 accounts when you when you look at everything, that you have to log into. I don’t have a unique password for all those sites that I have to remember. That’s very, very difficult. But that’s the only way you sort of secure those sites. So the password manager is a brilliant tool in enabling that. And I think the capabilities that are available today, won’t name` the product, but the ones that go across all your devices. So it’s very seamless, it’s very easy to use iOS, Windows, etc. So I do recommend them.

Passport managers actually add a layer of security.

Tony Challands:

Just to repeat, that we actually would endorse them. I would say with some irony, they actually add a layer of security. You know, I appreciate that keeping all your passwords in one place might feel like a top drawer on a piece of paper, but it’s not. So now we definitely advocate them large organisations and would support it. And as Matt pointed out, go to a reputable one, there’s some very good ones in play. We use them across our group.

And you know, in the IT world where we have lots and lots of passwords and really complex ones, they really do play a part. But yeah, absolutely. They’re not necessarily expensive, but they really are useful and gets over the challenge that traditional challenge that people say “I’ve already got 10 passwords, I don’t want to keep another one.” So I kind of understand that. But even that needs to get lost in the context of what we’re saying. But, password managers: definitely.

I have an MDM module on my phone which protects my work email and firm’s information so they can control that. VPNs allow us to be very specific about where data is coming from and going to. We have company laptops for remote working and employees can only access our email system through our own devices.

Tony Challands:

Mobile device management, which it’s not just about mobile phones, it’s about any mobile device. Again in the same way, password managers are absolutely important. There are many VPN in themselves, somewhat, but mobile device management is the way to bring your own device if you want to have that no problem. You know, I use my own phone, but it has an MDM module on it, and so it is protecting my work email and should my employer want to remove that information, they can. You know, that might sound Big Brother-ish, but it’s their data.

VPNs, generally, again, they have so many benefits. Good reputable VPN solutions from an IT provider, as I am, when we’ve got a VPNs in play, it means we can absolutely be specific where the information is going from and to. So with a VPN in place, we know where it’s coming from and we know when we’re sending it, it’s getting there. So it’s just another technology thing. I appreciate that. But VPNs, they create an encrypted tunnel, a little tunnel where the data can go.

And you know, where one end is, and you know where the other end is. So VPNs absolutely, really useful. But as part of that MFA experience as well. And mobile device management products, which are there specifically to help you protect company data on any device, whether it be someone owned by the company or not. So yeah, I definitely support it.

And the remote working world we’ve all moved to with laptops, which most people have nowadays. Again, they have their own version of MDM on there. t we do in our company again, its not everybody uses it, but you can only go into our world, into our email world in Benchmark Capital, if you have one of our laptops with our mobile device management product on there. You can’t get into it any other way. Not open. Lots of companies do that, that’s fine. We don’t. So there’s loads of things you can do to make sure your remote working and you’re secure and you’re again, protecting that data and ultimately, obviously client’s money.

I think businesses need to keep in mind the concessions that were made to allow for remote working and make sure that the controls are put back in place.

Matthew Smith:

I work with a lot of businesses external to SJP. And the one thing I would take away from the session as well as the core controls that we’ve talked about is how I think about the concessions that you might have made to enable remote working. I would think about, if you think about some of the controls we’ve talked about, how does how we sort of facilitate perhaps remote working practises, what are those security concessions you might have made to enable remote working and do some of those controls need to be put back in place or concessions rolled back?

I think it’s really important as we come, not necessarily out of the pandemic, but as we come back into more of a normal cadence that we think about some of those concessions because actually, I think in the next sort of 6 to 18 months, there’ll be quite a significant number of incidents in the U.K. that will be around the controls that were rolled back to enable remote working and some of the concessions that have been made by organisations and poor technology selection and others will be part of that.

Pay special attention to joiners, movers, and leavers and the data and security they have access to.

Tony Challands:

I’ll just add, think about your own group of companies, your own people that work with you or for you. There’s lots of things you can do that don’t cost any money. Little policies making sure that if somebody joins, they’re updated as quickly as possible. Somebody leaves, unfortunately, take away their access as quickly as possible.

They’re good little standards that don’t cost any money, but you do remove a little bit of a risk when you’ve got people joining and don’t know things and when people leave, without getting too personal about it, obviously, they don’t need access to those things, so make sure you clearly clamp down coming and going. Joiners, movers, leavers, as we call them in our company, really key. That’s some of the key areas to think on.