How do you know if you’re doing enough to secure your clients’ data? And when cybersecurity seems to be a never-ending game of catchup, how do you know you are investing in the right solutions? For Ian Yip, founder of Avertro and former CTO of McAfee APAC, one of the ways for people to become more cyber aware is to help them cut through the cyber-speak and gain clarity about the actual risks.
"There needs to be a better way to operationally and repeatedly deal with cyber issues. It’s no use being told that you have 500 vulnerabilities sitting on a server. People want to know what that actually means so they can then assess what actions they need to take," says Yip. "We started Avertro to help tackle this issue in a technologically-enabled way."
"There’s generally a lack of clarity and communication within the industry that makes it hard for people to navigate. And security people tend to not be very good at articulating things without using technical language. Instead of saying ‘you have 500 vulnerabilities’, it would be better to say, ‘it’s 20% more likely you will be breached’. That is a far more understandable way to explain the risk."
And when it comes to assessing your cyber investment, it has to be risk based. "As a business owner, it’s about working out what you will lose. If you can’t transact or deal with clients for a day, what is the financial impact to your business? How much downtime can you afford to have? If you can tolerate a day of downtime, then maybe you don’t need all the whiz-bang tech that everyone says you need, and you just need to have the ability to restore from a backup within the space of 12 hours. But if you can only afford to be offline for 10 minutes, then you better have all the bells and whistles."
Yip says that the recent Channel Nine cyberattack has helped to put cyber risk in focus for many businesses. "It should be treated like any business risk and be part of your planning cycle. No matter how big or small, every business should be assessing their risk to understand what is at stake. If you can quantify that risk, you can then work backwards to work out what you need to do."
Nicole Alexander, Head of Licensee Standards at Centrepoint Alliance agrees. "For financial advice firms, a cyber-attack can seriously damage your business and your reputation. That’s why it’s important to have a robust policy in place that helps you to improve your defences and ensure that you and your employees know what to do should a breach occur."
Yip and Alexander highlight the importance of having people properly trained and cyber aware to minimise the chance of your business being breached. "The easiest way to access a system is through people, rather than finding ways through security measures," says Alexander. "It’s important to reinforce that everyone needs to be vigilant, especially when working with client data."
Yip continues, "People always think cybersecurity is about the tech. But it's actually not. If you model the right behaviours, you have the right policies in place, and you educate people properly, the tech will just augment good practice."
Though for Yip, having someone watch a video and fill in a form is probably not the best way to educate staff on the importance of being cyber aware. "Getting someone to answer a bunch of questions and needing a pass mark of 80% won’t get them to focus on the being more secure, it will just make them want to pass the test. Proper awareness is still the front line of defence for any business. Secondly, it’s making sure that you do your due diligence to understand the type of data you have and where you have it."
Alexander also encourages firms to ensure that their everyday business practices align with their investment in technology. “For example, if you take client data from a secure location and transfer it via email you undermine your efforts to improve data security.”
Yip notes, "We commonly get questions like, how much is enough? How do I focus on what's important? How do I prioritise what I should be working on? What will give me biggest bang for buck?"
"At the end of the day, these are all just questions about a business' risk appetite. I've seen many examples where businesses have disappeared because of a cyber breach. And it wasn’t because of the incident itself, it was the impact and fallout as a result. You lose trust. You lose customers. What we really need is a national campaign, like the slip, slop, slap campaign in the 80s but for cyber. I mean, everyone knows to put sunscreen on and wear a hat when they are outdoors now."
Both Ian and Nicole participated in AFA’s webinar on cyber resilience: Is your business cyber healthy? Practical tips to safeguard your business on Tuesday 11 May at 11am AEST.