This is the first part of our series bringing you the fantastic discussions from our September Investment Forum focused on Cyber Security and featuring expert speakers Matthew Smith from St. James’ Place and Tony Challands of Benchmark Capital. This section focuses on the core tenets of cyber security that firms and advisers can take on to keep themselves and their clients safe from cyber attacks.

Multi-factor authentication is a very big factor in cybersecurity. The rest is mostly cyber-hygiene: using encryption and being aware of not accidentally clicking on any phishing messages.

Matthew Smith:

I’ll just go quickly back to your first point of: Can anyone really know enough about cybersecurity? The simple answer is no. There’s lots to learn and lots to understand. But actually, in terms of getting the basics right and in terms of protecting your business and protecting yourselves from sort of 70-80% of the threats or more, actually, there’s only a few simple steps or core requirements, really, that you have to get right. And I’ll go through a couple of them now just as points and perhaps ones for Tony to add comment to as well, in his view.

But, things like MFA, it’s a relatively new capability. It’s been around for the last five or six years, longer in terms of some more mature organisations, but it’s really hit mass market in the last sort of five to six years. And MFA is arguably one of the best mitigating factors in terms of protecting your online accounts and your online identity. Now I realise I’ve used an acronym without explaining it, but MFA stands for Multi-Factor Authentication and what it is, it’s an additional layer of security on top of your password.

So everyone’s used to using usernames and passwords. The problem is that the attackers know that, and the attackers also know that you use those passwords elsewhere. So that password you use for the odd site or social media over here, chances are, it’s also your corporate password, it’s also the password for your email. It’s also your password elsewhere, and it doesn’t take a lot of effort for the attackers to take those credentials if they find them, if they’ve been used on an insecure Wi-Fi, wherever they are, and go use them elsewhere. And that’s generally been the precedent for a lot of the attacks over the last couple of years. And so one of the best mitigating factors and the reason why MFA (Multifactor Authentication) is seeing such prominence in the last couple of years is because it stops those attacks dead. MFA is a really good control, Office 365, all those types of applications they support enabling it. So, if I had one thing to say to take away today, it would be very much go enable that control. And if you’re not familiar with it, whether you’ve got IT support or online resources around enabling it, but every major account and service will support turning it on.

So it’s a really good mitigating factor. And then the rest comes down to sort of what we call cyber hygiene. And cyber hygiene really for us is perhaps normal IT administration, making sure your systems are up to date, making sure you have an antivirus solution. If you have data on your device, how is it backed up? How are you managing that? Are you encrypting it? So Ian mentioned the fact find; that’s exactly the valuable information that attackers are after. So making sure that data is appropriately protected is really, really important, both if you have an incident and you need to get it back, but also because these are the right and appropriate controls that our clients would be expecting us to take around this data. And so that ability to demonstrate that you’ve got the right controls and you’ve got that capability is really important as well. And the only thing I’ll really add, and I think Tony will have some points on this as well. The only thing I would add as well is, I talk about MFA being one of the best controls to protect yourself. Well, probably the biggest threat for most organisations and most people is email. That is generally how most attacks come into the organisation.

It’s generally how most people are compromised. So yes, you have telephone fraud and yes, there are other mechanisms, but email is really still key. It’s still key to all our businesses in terms of communication. And so actually phishing training, phishing awareness of employees, making sure yourself that you’re just thinking before you click. It’s our mantra: “think before you click.” And the reason is all phishing scams are trying to get you to act very quickly. So it might be a tax return document. It might be something like a missed package. It might be something that’s interesting or of relevance to you and the desire there is to get you to click without thinking or to think it’s a very usual transactional email that you can just click straight through. So it’s always questioning, always thinking about, can you verify it by another means? But really, for us, if we took away phishing awareness and understanding, that’s the prime way that threats and risks come into a business and can compromise a user, as well as the sort of control aspect of enabling MFA, are the two really big things, or quite small things, really in terms of implementation, but make a big difference.

Choosing a long, complex password, using MFA, and avoiding phishing are central.

Tony Challands:

At the risk of repeating some of the things that Matt called out, you cannot repeat enough the multifactor authentication point. All modern good services, whether it be email or other connectivity to your IT, will come with a multifactor authentication method. So if you say you take away one thing, as Matt said, take away that. If you’re buying email services from some of those modern day services like Microsoft Office 365, there are options to take the multifactor.

And coupled with, and this is the one that I’m sure you guys are getting really hacked off with, but as complex a password as possible. It used to be the way that we would change your passwords often. The posture of these criminals now is such that actually that’s not so important about changing your password so often; you should still change it when you think appropriate. But more importantly, make it as long as possible. In our organisation now, we don’t force a password change very often, but we do force a very long password. 15 characters. When you turn it into a phrase, you can get there.

And I know it’s difficult because you’ve got passwords for everything, but you know, strong password, multifactor authentication – the system needs to know it’s you. And if someone can work out who you are easily and quickly, the system doesn’t know it’s you. And so they’re in. And so those are key things. And I’m repeating what Matt said. So let’s not push too much on that. Repeating myself again, the email point is, phishing in email, where people are writing to you, sending emails to you, asking you to look at what they’ve written and click on some links is the most common way of somebody connecting through to you and starting to scan your computer to find ways in – you’re letting them in.

Again, I don’t want to scare people because obviously email is a very important tool. But if you don’t trust it in any sense then don’t click on it. Double check if you can, find a method of finding out if that email is genuinely coming to you for genuine reasons. I think 90 percent of the time, you know, it’s just somebody trying it out, and often it is a sales option for you. But that’s not the point. If you don’t, you don’t like it, don’t go in there.

A lot of people are putting identifying information on public social media that can be used by hackers. Try not to open anything suspicious yourself – have an IT team do it instead.

Tony Challands:

LinkedIn messaging is a form of email. Let me just roll that back, though, because one of the things that your criminals are very clever at and we’ve seen a lot is they know where you work, they’ve got your email address, potentially. They can go onto social media and they can find out more information about you, whether that’s work-related social media or Facebook or Instagram, where you are sending stuff where you might be open. And you’d be surprised that the profile they can build up based upon all these places and they can get your address quite easily because it’s probably registered somewhere.

There are lots of little pockets, and social media is equally as useful a tool as it is, an area where it’s got some information about you. So, I personally have a rule that if I don’t know a person, if I haven’t actually ever met them, I don’t accept their invite. If I’ve met them virtually or through work and it’s safe-ish, then I’m fine, but I won’t take a risk. So if you are getting anything with an attachment on any link, you do need to think twice. We’re fortunate, you know, I’m fortunate.

So in one sense, we have that ability to if we don’t like something, we don’t trust something, I have got a small team of people that can go away and look at it for me. They’ve got safe environments and we have what’s called a phishing alert link on our email and our corporate email where you can hit a button, it deletes the email for you and sends it off to somebody.

And those types of services are available out there. They may not be for everybody and there will be a cost. So not always. Social media, you’ll be surprised, a lot can be connected, can be put together. And I think it’s really, really important that you get that rule inside your conscious head to say, you know, don’t like it, don’t know it, don’t trust it: Don’t click it.

People put a lot of personal information online that hackers can then use. Any adviser in the Openwork Partnership can ask our team to securely check any suspicious emails.

Eddie Humphries:

I totally support everything that you just said there, from a security point of view. I head up the Governance & Assurance team in Openwork Partnership, which puts me in information security. So and what I would like to say is another thought, that when you get these messages through from social media or from email is if you would open the door to somebody to a stranger that stood there, would you actually impart that information to them? Normally, the answer’s no. Ok, so why would you do it online?

The other thing that does worry me about social media is especially when certainly with our kids and the younger generation which are a lot more free with their information than what we cynics might be. As seen from the hacker community that there is a build up of information from social media, from young people because they know that in a few years’ time when they get to 18, they’ll be applying for credit cards. So having that information out there on social media, like what school are they going to? So what’s your first school, what was your first car? These are all security questions, right? So it’s very easy to actually start harvesting all this information and building this up.

So, you know, I would say be careful about what you put online and how free you are with that information or how accurate you are with that information. And certainly in your personal life, because profiling a person from LinkedIn to social media groups to their email addresses, etc. and to various different clubs, et cetera, it’s very easy. Nowadays it’s all out there and you even got engines which you can go and buy or rent from the hacker community to actually do that for you. Okay. So, be very sparing.

And certainly, if you’re part of the Openwork Partnership and if you have the Office 365, which I advise everybody to get, there is a phish alert button that we actually put out there that you can click, as you said Tony, to report that back to us in security and we will look at that. But if you’re in the adviser community and you are worried about that and you don’t actually have that phish alert button and you’re getting what you think is a very suspicious email, you know, perhaps drop us a line to our Information and Cyber Security email address for Openwork.

If you’re part of that partnership and we will look at that and perhaps put that on a block list, certainly for the Openwork Partnership, so we can all benefit from that. The more you report these things, the stronger we get with it and the more protected we are.