Greg Hodgkiss: 00:00 Education in cyber is almost unheard of in the workplace anywhere in the world today, and yet as people working in our businesses, we’ve gone from being 10% of the risk six years ago to 69% of the risk in 2019.
Fraser Jack: 00:18 Hello and welcome to the Goals Based Advice Podcast, where I have conversations with pioneers of the new world of financial advice. I’m your host, Fraser Jack. I want to thank you so much for tuning in today. If you enjoy this episode, please help me spread the word and share it with your friends and colleagues, and leave me a review. I’d also like to thank our supporting partner at Vice Intelligence for powering this podcast.
In this episode, my eyes are opened to the real threats to financial advisors, possibly more important than the exams or additional qualifications, as I chat with Greg Hodgkiss from Cyber Indemnity Solutions, or CIS. We chat about the new wave of machine learning cyber malware that is threatening to steal our clients’ data and sell it on the dark web before we even know we’ve been hacked. With up to 80% of companies infected, it’s a massive risk for advisors and licensees who are responsible for keeping it safe.
If you have any personal or business data, and there’s a good chance you do, then you must listen to this episode. In addition, Greg has offered the listeners of the Goals Based Advice Podcast an offer to check your system, and I will cover that at the end of the recording. Let’s jump straight into the episode now.
Welcome to the show Greg.
Greg Hodgkiss: 01:35 Thanks Fraser, how are you?
Fraser Jack: 01:36 Very well thank you. Now I just want to start with a quick overview of you and what you’re doing at the moment.
Greg Hodgkiss: 01:44 Well, we’re right up to our ears at the moment in solving, mainly for SMBs, the very complex and difficult way in which to treat their cyber protection and their cyber threat issues. It’s a world that has all sorts of options for them and it’s often very difficult for them to understand that there are in fact some simple, straightforward things that they can do to protect themselves.
Fraser Jack: 02:11 Yeah and what’s your role in that?
Greg Hodgkiss: 02:14 Well, I am the CEO of Cyber Indemnity Solutions which is a major developer within the cyber security space. My role very specifically is working very closely with the markets, especially with financial advisory groups and insurance underwriters and insurance broker groups along with other affinity associations around Australia.
Fraser Jack: 02:43 And how did you get into this?
Greg Hodgkiss: 02:45 Well, that’s quite a long journey to be honest with you. My background is entrepreneurial going back many, many years, which was always to do with R&D and IT development, so this was approached, if you like, from the early years of internet development where I owned two companies that were developing specific solutions for internet training for Microsoft out of the UK. And from that we got very involved in understanding how digital works and we became the developers of the world’s first insurance policy that allows you to insure data, which we’re just getting ready to launch across Australia now, which of course led us to understanding the security issues.
And with the transformation into the digital world from things like [inaudible 00:03:39], the whole world of security changed overnight. Digital of course means open, it means accessible, we’re no longer dealing with physical substances locked behind barriers and so we realize that it was going to become really important to understand how to keep what we were doing safe in a data protection environment which then led us to work further and further towards developing specific solutions for all people relative to cyber attacks.
Fraser Jack: 04:09 So when you say data protection, what do you mean by that?
Greg Hodgkiss: 04:13 Well, people hear about cyber security, they hear about cyber attacking; at the end of the day, these are all fascinating words, but what are they actually attacking? There is no cyber risk if there is no data, so it’s the onset of the world moving towards recording and managing everything in a digital environment that has brought about, if you like, the ability for man to develop a new form of crime. So prior to the digital world, it was a physical environment. People had to steal your physical tapes if you’re talking about data, or any other physical product.
Today, with the onset of the internet, which is essentially an open door into your business or your personal life, they can steal those digital zeroes and ones, in whatever form you’ve stored them, much more easily and much more successfully.
Fraser Jack: 05:18 Yeah because I see this as this, [inaudible 00:05:21] it’s stealing the data, so you don’t have it anymore and then there’s stealing a copy of the data.
Greg Hodgkiss: 05:29 Well yeah, I mean in today’s world, you don’t actually need to steal and remove necessarily the substance but of course, if you look at something like a ransom attack, that’s exactly what they’re doing. They’re taking your digital information and they’re locking you out of it which is the equivalent of removing it from you. And unless you do what they say, you’re not getting the key back into the room.
In many cases they destroy the data because they don’t want evidence left behind what they were doing with it in the first place. And therefore the theft of the actual data product itself is a major rising issue.
Fraser Jack: 06:13 So financial advisors of course, licensees, store a lot of information and have to store a lot of information for the just sort of purposes of their clients and obviously need to keep it safe and what sort of processes around that should we really be aware of?
Greg Hodgkiss: 06:35 You know, Fraser, the financial services industry per se is very much at the forefront of being exposed because as you just mentioned, their client base is a high net worth for a financial institution based environment, the type of information that they’re holding is valuable and what the average financial advisor probably doesn’t recognize is that he is in fact legally the gatekeeper and the watch keeper over that valuable data. He’s actually responsible for what happens to my data if I’m one of his clients.
To a criminal, information about me or about my transactions or about my investment programs or any other aspects of my financial life is actually a sellable asset, it’s actually no different to a thief stealing my jewelry. He will break into my home and then he will steal my jewelry and then he’ll go find a buyer for it. The cyber crime industry is in fact a business model, in fact it’s an extremely successful business model and it’s been operated and run by essentially four crime family syndicates across the globe and they are inventing the technology to steal our data and then they sell it to other criminals to steal and to then sell on.
So a financial advisor is holding data that is valuable to another party. And therefore, allowing others to gain access to it does two things, it puts us in a legal position that we become responsible for and so we can be sued for failing to look after that data. And then secondly it can destroy our business because we’ve now become a threat to our own customer base and people no longer trust us to hold their personal data.
Fraser Jack: 08:27 Yeah, as you mentioned it, it’s a sellable item. What are some of the things it’s been used for?
Greg Hodgkiss: 08:37 Well, everybody of course has heard about identity fraud, so one of the first areas they go to is personal data that can be used in a fraudulent way elsewhere in the world. So a good example of a recent case that we were dealing with: a financial advisor who had a number of his high net worth customers’ personal data stolen. Nobody was aware that it had been stolen. We now know that more often than not, you’ve already been infected; roughly 80% of the people listening to this podcast will already be infected, and what that infection is doing is taking your data from your systems and then using it fraudulently. So in the case of this example, the financial advisory company only became aware of the problem when the clients that were affected began to contact them, after those clients had received visits from the Australian Federal Police.
The federal police became aware of that client’s name in connection with overseas fraud cases that Interpol was working on. So in one case, for example, that investor’s personal details were used to open up a fraudulent bank account in the Caribbean as part of a drug cartel operation. In another case, the client’s personal details were used to create fraudulent contracts in Eastern Europe to scam other businesses. In another case, a client’s name and personal details were used to set up a fraudulent banking system that would scam other people through a high low false lottery system. In other words, the sort of data that a financial planner and advisor and financial services company holds on their customers is powerful enough to be used fraudulently all over the world.
So what that meant was, somebody was stealing that data from the financial advisor’s systems and selling it to the fraudsters for a fee, who would then go on and use it to create more money through fraudulent practice.
Fraser Jack: 10:54 Yeah, because when I think of cyber... Well first thing I think of when I think of cyber crime is the traditional, you’ve locked somebody out of their computer and you ransom them to give their data back. But this is a whole new level of just getting it. It’s not even stealing from the client, it’s not even stealing their money, at this point it’s just stealing their identity information to sell to be used for fraud cases around the world.
Greg Hodgkiss: 11:18 Well, in that case, that’s exactly what they’re doing, but then of course the same data has got value in other areas. So for argument’s sake, that data tells a crime syndicate where he lives. That data can be sold on for street crime or home invasion crime. And people are buying that data on the dark web all the time. People will know, for instance, through your insurance policy what’s being held; they can target specific homes for specific reasons. One of the latest very worrying trends to all parties, but especially the insurance industry, is that it’s now becoming obvious that the cyber criminal groups are targeting companies that are insured, because they gain access, first of all, to the content of the insurance policies, which tells them more information about them as individuals or their possessions. And thirdly, they think that if they target you because you’re insured, the insurer’s more likely to pay out. So this is where ransom becomes part of the target environment.
Fraser Jack: 12:35 So this is where insurance brokers are being targeted, isn’t it? Where they actually hold information?
Greg Hodgkiss: 12:40 Yeah, yes. Yep, any system where personal information or corporate information, you have to remember there’s as much desire to buy corporate data as there is personal data. I can go onto the dark web and I can order data on another company, I can ask for somebody to provide me with information about the existing contracts or about tenders they’re involved in or about their current banking situation or how many assets they currently have. All of this is purchasable. What you’re really looking at here, is a global shopping basket of criminal access.
Fraser Jack: 13:20 Wow, it’s all... We call it, “know your client,” but I guess they’re calling it, “know the victim”. So people are then having information stolen out there, their financial advisor has no idea in a lot of cases or the small business I should say they’re dealing with, has no idea in many of these cases that it’s been taken.
Greg Hodgkiss: 13:40 Small and large and the reason for that is because the technology behind the attack has changed. So to a large extent most Australians are under a belief that because they have antivirus software or they have strong firewalls through Windows or other systems that they are somehow protected. Well you are against viruses but you’re not against malware. And one of the problems that we have today is that malware started off as a soft threat word a few years ago and people have drawn a conclusion somehow that malware is somehow nothing more onerous than for instance, some software that puts advertising up on your webpage which is nothing more than an annoying nuisance.
Unfortunately, malware technology has now been developed to a point of automation where it’s completely able to control your systems. So malware works very differently to the other threats. Malware operates through the world of the internet domain name structures. So everyone is connected to the internet; you can’t run your business without being on the internet. That means that you’ve got multiple access points happening in your life all the time. So for instance, how many people watching this podcast are working from home as financial advisors at one time or other through their week? How many of us know, for instance, that not a single router in the world is secure? And the reason for that was originally the American FBI obtained permission through the federal government to stop the router designers and developers putting secure layers on the routers, so there was easy access by government onto our computers.
Well essentially my home and your home and everybody else’s home is an open door. So if I don’t have protection on my actual devices that I’m using in my home, then I’ve got an open door for criminals to reach me and the same applies to my office environment and my business environment. And this is how malware gets there, it sits and watches your doorway. What people don’t realize is what the doors are. They’re not as obvious, so your mobile phone is a door. So if your mobile phone’s not secured, it doesn’t matter what security you’ve got on your computer, you’re connected to the same router so the malware’s going to enter your system via your phone and on and on and on it goes.
Fraser Jack: 16:21 There’s a lot of doors isn’t there? If you think about how many people are connected through wifi, but not just phones but all sorts of Smart devices.
Greg Hodgkiss: 16:29 Yeah, tablets, any device. In fact the other day I was invited to a financial advisor’s business and I had to wait a little while because something was happening. I said to them, “You mind if I connect to your wireless network and do some work while I’m waiting?” They said, “Sure, by all means.” What they didn’t know was that if my phone had been unprotected they just allowed a new doorway.
Recently a large financial insurance brokerage house got very badly hit in Australia, about the fourth in the last three months, at least three of these cases the malware came because they were connected to 20, 30, 40 other brokers all of which had no security. So essentially we’re in a community today and that’s the great weakness.
Fraser Jack: 17:20 Yeah, now you mentioned... before this 80% infected. Do you want to expand on that? Because it sounds a bit disturbing?
Greg Hodgkiss: 17:28 It’s very disturbing and it’s something that’s really come to the fore in 2019 as more and more businesses finally recognize there really is a serious danger. So, essentially the technology that we’re talking about appeared around about the end of 2015 and it’s become more and more sophisticated since, and because it’s not detectable without specialized scanning to see if it’s there, and doesn’t show up in the existing security software systems that you’re running, it’s entered and it spreads. So it may enter your associate’s laptop, and then when he’s in your office it enters your system, and then it populates everybody that’s connected to your system, and then if your system is connected to another third party’s system, it will populate their system, and they may have 200 people connected to it, so it then populates them.
And so it’s gone like a wildfire and today they estimate roughly 80% of all Australian businesses are infected and they don’t know it. So what is happening while they’re infected? It’s extracting the data for sale is what it’s doing and selling your private and your customer’s information onto third parties and abusing them, when they’ve got enough and you have to understand this is automated, this is all in the world of artificial intelligence, there aren’t any human beings sitting at a screen somewhere watching this. This is a totally programmed environment that’s highly sophisticated.
When it determines that it’s got all that it can get from your system, it will then spark an event and in today’s world it’s normally a ransom event that encrypts all of your system’s data, stops you from operating your company and demands that you pay ransom fees to get back out of the problem.
Fraser Jack: 19:29 So let’s see, the old ransom conversation is really just the large resort now?
Greg Hodgkiss: 19:36 Yeah, but the problem with the ransom conversation is it doesn’t necessarily solve the problem, we’ve been watching a case in Sydney this year where the client was hit five times in a row. As soon as the insurer paid off the ransom, they shut them down again. Didn’t give them time to insert the protection that was required to stop them doing it again. Eventually the insurer threw his hands in the air and walked away, leaving the customer locked and with nowhere to go and they collapsed.
So what you have is a situation where, as a business owner, for a very small amount of money you can have your system checked right now, you can determine the malware that’s in your system and you could stop it right now, and that would be the end of the problem.
Fraser Jack: 20:22 Yeah, I’ll talk to you about the how in a second, so I just wanted to think about this data loss scenario. That’s a catastrophic event that’s going to close businesses, isn’t it?
Greg Hodgkiss: 20:38 Yeah. So, statistically any company that suffers a catastrophic loss event to do with data is out of business within nine months. That’s insurance statistics. So it’s a bit like denying yourself food. You can only go for so long and then you’re going to collapse. We live in a digital world, everything from fuel being pumped at the service station to the food at the supermarket is all controlled by digital environment. Your business, my business, everybody’s business. We’re dependent entirely now on it.
Cut that off, you basically don’t have a business, so you can either do one of two things: go under or start all over again. The problem is that it’s so easily fixed. So really this is about education. And that, I guess, is what the podcast is all about.
Fraser Jack: 21:41 Yeah, there’s certainly a few different things I see here in this space, obviously the first is bringing it to people’s attention through education and allowing people to understand how this malware can infect computers and then being able to do something around that.
Greg Hodgkiss: 21:57 Yeah.
Fraser Jack: 21:58 And then, all the way through to the protecting from, as you said before, the cyber insurance where they pay out if they get ransom through to that data loss zone. So there’s quite a few different areas in it. Do you want to start taking us through some practical tips around what people can do?
Greg Hodgkiss: 22:18 Yeah, essentially you’ve got, as we mentioned before, an avenue of infection. So, it’s commonly known as protecting your end points. And there are two types of end points, essentially they are the devices, the hardware that’s connecting to the internet. So it could be your phone, your tablet, your PC, your laptop, your server. Or it could be somebody else’s end points that you’re hanging off of.
So for a financial advisor, you’re using a platform of one form or another, well what’s the security of those platforms? We’re already working with some of the platform providers in Australia to make sure that they’re secure now. The second part is your web interface, it operates as an end point environment all on its own and therefore, also needs to be secured as well.
So, two steps. One, identify what malware you’ve already got. So far in 2019, we’ve not found a single company without it, so that will give you an idea of how serious the issue is. Secondly, closing the end points and securing them so that they can no longer give entry, and then thirdly, put in a layer of security into your system that stops it happening in the future. None of which is difficult to do or particularly expensive to do, and it is tailored for businesses from very small to very large. And what the technology does is it then monitors and watches your system 24/7 from then onwards and stops all attempts in the future.
Fraser Jack: 24:17 Yeah now, is this a bit like having a high level of security mean that you lose a lot of flexibility around like, if I wanted to jump on social media or something like that while I’m at work or connect my phone, is that what it’s about? Really locking that down?
Greg Hodgkiss: 24:35 The single most important issue on anything new in life is learning how to manage it and understanding what it really means. So education in cyber is almost unheard of in the workplace, anywhere in the world today. And yet, as people working in our businesses, we’ve gone from being 10% of the risk six years ago to 69% of the risk in 2019. And that’s exactly what you’re talking about: I don’t know what I’m supposed to be doing with my internet use in a secure manner, and if I did, if I was trained, and we can provide education these days that takes care of that training and monitors it, you reduce that risk back to a level that software will then keep you completely safe and manage you.
But for instance, you may have a member of your staff who’s not obeying the disciplinary process, try and hop onto a dodgy site for example. Today’s security systems that are AI driven will stop him from doing that. And the marketing will know that he’s done it because it can be monitored and reported on. None of this affects your day to day business life, none of this requires any expertise on behalf of the business owner. This is no different to him going down to a service station, buying a liter of fuel, he doesn’t have to operate the service station, he doesn’t have to know anything about how the fuel got there, he just has to buy it.
Fraser Jack: 26:18 So you mentioned 10 to 69%, nearly 70% of all risks then come from people not realizing?
Greg Hodgkiss: 26:27 People mismanagement, and a lot of that is fraud. So say for instance, a real example from London in recent times: one of the fraud syndicates set up a circus troupe in the city of London, a very advanced circus troupe. They would do acrobatics on the street in a performance outside of two major corporations. They wanted to gain entry to those corporations’ systems. So here’s an example at the opposite end to your average financial advisor: these companies spend hundreds of thousands of dollars securing their systems. What they didn’t take into account was they hadn’t trained their people, so we watched the circus troupe. So they had hundreds of people at lunch time coming and going from these buildings and they offered them a free seat at the major show that was going to show in London two months later. And all they had to do, within four hours, so it was time limited to win your seat, was to plug in the USB drive that they gave you on the street and register your name.
Well, they weren’t going home in four hours. So they all went back into the office and plugged this in, meaning that 200 different USBs invaded those companies’ servers within two hours and they stole all the data from those two big companies.
Fraser Jack: 28:02 Wow. Talk about creative, that’s incredible.
Greg Hodgkiss: 28:07 Well, it’s the trickery. We are dealing with the world’s criminals here, there are no holds barred here, this is not a gentleman’s game.
Fraser Jack: 28:18 Goodness me, so if we go back to a lot of financial advisors are small businesses put together by maybe with or without the help of a local IT person who might be able to set up information, set up systems, set up some virus software on it and that’s about as far as it’s gone from that end point process. Is that what’s being targeted?
Greg Hodgkiss: 28:49 Your question being about the third party IT?
Fraser Jack: 28:52 Yeah, my question being about the idea that a lot of small businesses and medium sized businesses generally just have an IT person that they might know or that they come across who sets up their systems; they set up the phone systems, they set up the computer systems, make everything talk to each other. They might set up some software on there to look for ransomware or malware and those sorts of things, and that might be an ad hoc relationship with that person.
Greg Hodgkiss: 29:21 Yeah, it can also be a very close relationship, and one of the issues that the security industry is facing on a minute by minute basis is these relationships. The very existence of small businesses means they need help on a variety of different services, and so the rise in using third party IT service providers, from small one man band operations to large corporate structures, is so common that in Australia, 85% of SMBs use them. Therefore, one would have hoped in the evolution of security that one would have depended on those parties to make us secure.
Unfortunately evidence has shown worldwide that that is not what’s happened. And the reason for that is no more difficult or complex than the fact that the technology is completely out of their realm of understanding or training. So globally today, all large corporations have removed responsibility of IT security from the senior technical officers and have replaced them with the senior security officers.
At the local small business level, you can no longer plug into your IT service provider for security. In fact, every customer that we’ve seen this year, both through us and our associate partners in the industry, all had IT security companies working with them already when they were hacked or when they were broken into, because they’re looking after IT, and unfortunately cyber is a business problem. It’s not just an IT problem. There are so many other aspects that have to be dealt with that an IT person can’t deal with. So, today, unfortunately, if I want my car fixed I don’t take it to an aviation mechanic; in the same way, if I want my cyber security done, I don’t take it to an IT hardware and software provider.
Fraser Jack: 31:39 Yeah, so that’s probably the point I was trying to make around the idea of it being a very specialized area of IT and I guess as financial advisors we just see IT as IT and it’s not the case. IT is around putting systems and stuff together and making it work and security is a very different beast all together.
Greg Hodgkiss: 32:00 Very different.
Fraser Jack: 32:01 Yeah.
Greg Hodgkiss: 32:03 And very specialized. And of course, the one message that I have to give to everybody, and we’re reminded of sales constantly, is this is an evolving process. You don’t get a fix on Monday and somehow or other, you’re now safe for the rest of the year. So you need to be using a service provider that is keeping you secure and up to date, just like you want your IT provider to keep you up to date with your software and internet and other services.
Fraser Jack: 32:32 Yeah, so in the financial world we often, advisors speak of the idea like you can get advice once but that doesn’t necessarily solve all of your problems unless you’re regularly coming back to see your advisor and they’re holding you accountable and all those things.
Greg Hodgkiss: 32:46 Yeah, yeah.
Fraser Jack: 32:48 Exactly the same. So you can get one off security advice but it only covers you on that day unless you’re actually doing the monitoring and checking.
Greg Hodgkiss: 32:54 The key is to be able to tap into services that are automated and inexpensive. Cost is the big barrier up until recently, but with now the complete evolution of artificial intelligence into the protection environment, it’s brought the costs down and now allows SMBs to obtain the same level of security that large enterprises used to have to pay hundreds of thousands of dollars for.
Fraser Jack: 33:28 Yeah, obviously cost is a massive issue, there’s a lot of costs in financial advice at the moment. And this is just yet another one, but obviously the cost of losing your data or having somebody gain access to your data, stealing it and using your clients’ information for crime overseas is a pretty massive cost as well. When you say inexpensive and costs come down, are you able to throw some numbers out there, or is that too hard?
Greg Hodgkiss: 33:53 No, of course. For a business for instance that’s maybe turning over... You give me some figures for the small end of the business?
Fraser Jack: 34:07 You know, even say turning over from half a million to a million?
Greg Hodgkiss: 34:12 A small company that’s turning over that sort of amount of money is looking to secure his business for around about $600 a month, including the insurance cover and the education and the IT security and all of the other layers that go with that. You can’t buy an insurance policy for that, so at the end of the day, what’s been able to happen in recent times is to integrate a lot of this into single services, which brings the pricing down by bundling it all together.
Fraser Jack: 34:50 Okay, so... Not a... It’s still a little bit of money but obviously you got to compare it to the risk. How do people get the training though? Like the staff training?
Greg Hodgkiss: 35:05 Part of the service provides you with a license seat for a staff member that allows your staff to be given a course on a regular basis. So there’s a course that takes them about two hours to do, it’s online, and they have to go through it in different modules. They can’t move on to the next module unless they’ve passed the first one. But what’s more important about this is that it’s being updated constantly, all of the time. So if you then ensure that they take that course four times a year, they are learning constantly of new threats and therefore new methodology that they have to implement, or new thinking that they have to think about, when they’re using the IT system going forwards.
Fraser Jack: 35:52 Yeah, I think it’s like anything, if you’re regularly learning and regularly updating your skills on something then it becomes part of your everyday behavior.
Greg Hodgkiss: 36:03 Yes, it does. And the other thing is, part of the process is we analyze with the clients, through a very advanced platform of assessment, all aspects of their business’s security. Then once again, it’s trying to educate people that IT is not the issue here. Cyber is not an IT problem, it’s a business problem, so does that company, however small, have policies and procedures in place? There are many things the company should be doing to be safe that they don’t know about.
So what that assessment does for them is show them what they can do to become safe in all areas of their business. And of course, one aspect of this, and they’re going to see a massive encroachment in their lives over the next three years or so, like the Europeans and the Americans, is that they’re going to be forced legislatively to do all of this, and therefore one is rushed. Already APRA is launching on the 1st of July the CPS234 Cyber Management Law for the top end of the financial services industry, which will come down eventually over time, without any doubt at all, to cover the rest of the industry and the rest of industry per se. Now’s the time to learn what that’s really all about and to implement it, and to be able to do so without it interfering with your daily lives is, I think, the big bonus of what modern technology can now do for you. And that’s really key to running your business.
Fraser Jack: 37:38 So that legislation that’s coming in, APRA brought that in and it’s basically saying that insurance companies and anybody in financial services who report to APRA, the bigger end of town, must obey a certain set of guidelines which really puts the directors’ butts on the line, doesn’t it? It’s about saying, if you’re a director of one of these companies and something goes wrong, you’re going to be in trouble if you haven’t done anything about it.
Greg Hodgkiss: 38:04 That’s right. So from a legislative perspective, there are 26 management cyber security procedures that are now required as mandatory in your business. For the average Australian business, you wouldn’t see more than one of those currently being implemented. So 95% have yet to be implemented by companies to be safe. Now they’re only doing it to protect both the companies and the nation and the people that the companies service. No government’s interested in doing this sort of thing if there isn’t a positive result from it.
In Europe, it’s not reached the point where in the first countries like Austria, it’s not criminal activity that directors are sued under for not doing this and so you can go to jail for not implementing it which will give you an indication of how important this is globally now. We wouldn’t dream of building a house without putting locks on our doors. Well we can’t really dream about building businesses without doing the same thing going forward unfortunately.
Fraser Jack: 39:15 So these procedures, these 26 procedures, they’re not just one offs right? They’re ongoing, you’ve got to be able to-
Greg Hodgkiss: 39:21 They’re ongoing stable methodologies and practices that protect the way in which a business functions and operates against cyber crime.
Fraser Jack: 39:35 How does that relate to the essential eight that-
Greg Hodgkiss: 39:40 Right, every country in the world has adopted one form of security standards around cyber. So of course everybody in Australia that’s in business has heard of Europe’s GDPR. The first country to really look at developing a cyber and security standard around which they could start functioning was the United States and they have what’s called the NIST standard and Australia took the NIST standard and looked at it from the application of its needs in Australia and developed what’s now called the Essential Eight.
So these are the eight points of security around which a business should have minimal coverage. So these aren’t maximums, these standards say the least you should be doing is applying these standards to your business. The figure eight refers to eight different forms of security application that can be applied to the IT side of your business. The APRA regulation is now dealing with 26 more points related to the management of your cyber security because now the world realizes IT is only one small part of the security problem.
Fraser Jack: 41:03 So as small businesses we should be looking at the essential eight first or looking at all 26?
Greg Hodgkiss: 41:10 The assessment tells you automatically how you fare against both the Essential Eight, the GDPR, the NIST and the APRA. We would advise you through your assessment results where to quietly start working through the process. There’s a minimum one should do to secure you immediately against malware attack, that’s the first point for an SMB. Stop the attack right now.
From then onwards it’s about taking a quiet and serious and professional approach to quietly building the security layout over that business, over a period of time.
Fraser Jack: 41:53 And ongoing?
Greg Hodgkiss: 41:54 Yeah, it’s an ongoing program and that’s what the APRA regulation and the GDPR is doing, it’s forcing security to become as common as your accounting disciplines.
Fraser Jack: 42:08 So if somebody checks their system and finds that somebody’s in there and looking, can they see what they’ve taken?
Greg Hodgkiss: 42:15 Yes, if we go in and we do what’s called remediation we are able to uncover the damage that viral malware attack has done. We can see what they’ve been helping themselves to and what they’ve been disturbing and we can also see where they’ve gone on from there. So we can see where it came in from and we can see what they did in there, and then we can see where they went from there because you may also now be the jumping point for some partners in business. So you’re now responsible for notifying another financial advisory partner, for instance, that you were infected and you were connected to them so they need to be checked immediately.
Fraser Jack: 43:03 Oh wow, yeah, okay. So... talk about opening up a can of worms.
Greg Hodgkiss: 43:10 Mm-hmm (affirmative).
Fraser Jack: 43:15 So how can financial advisors then, what can they practically do? I mean obviously this is not the place to advertise or to do anything like that but if somebody wants to jump on a website and continue that conversation with you, where could they go?
Greg Hodgkiss: 43:31 Their best thing is simply to jump on an application page on the site CIS website which allows them to start a conversation with us and somebody in literally 10 minutes can explain to someone what’s actually required to be checked.
Fraser Jack: 43:51 And how long would a check take for a small business?
Greg Hodgkiss: 43:55 Half a morning.
Fraser Jack: 43:59 Half a morning?
Greg Hodgkiss: 44:00 Yeah.
Fraser Jack: 44:01 A couple hours, a few hours?
Greg Hodgkiss: 44:02 Remotely.
Fraser Jack: 44:04 Wow, okay.
Greg Hodgkiss: 44:05 All we do to start off with is see if you’ve got the malware. If you haven’t got any malware, well good news, you’re one of 3% left in Australia that hasn’t got it and if you have got it, we will then show you exactly what has to be done to get rid of it instantly.
Fraser Jack: 44:05 And then you can work out whether you want to look at-
Greg Hodgkiss: 44:22 And then you have to secure it because it’ll come back. Because the AI systems will tell them that you’ve just had it removed and they’ll come straight back and jump back into you. So how it actually works is when we find it there, we put the security in first and then we remove it so they can’t jump... It comes back in, in fractions of a second of you removing it. So you have to secure the door, then remove it internally.
Fraser Jack: 44:47 Okay, a lot of things to think about for financial advisors out there, on top of a whole lot of other things they might be dealing with at the moment. Exams and education standards and all sorts of things, so I want to say thanks so much for coming on and chatting about cyber and about these things specifically for financial advisors. Or other professional accounting firms or whatever it might be. So yeah, but thanks for coming on. I’ll include some of your details in the show notes if people want to continue the conversation and get hold of you and see what they can do for themselves.
Greg Hodgkiss: 45:22 Thank you Fraser, great to talk to you.
Fraser Jack: 45:23 Thanks Greg.
Greg Hodgkiss: 45:24 All right, take care. Bye.
Fraser Jack: 45:27 Wow. What an eye opener. I asked Greg after this recording if it’s possible for both myself and yourself to get our computers checked and he agreed to what I consider to be a pretty special rate. So for just under $500 per business, you can perform a check which involves working through a checking process with a professional security person, running a set of diagnostic checks and getting a report back.
I’m going to be doing it to my computer and if you’re interested in doing the same thing then please let me know and I can arrange something for you. Thanks very much for listening to this episode.
If you haven’t already, I’d love you to subscribe to the podcast on your podcast platform of choice. And to continue the conversation, head over to our social media channels, we’ll catch you next time.
Disclaimer: This document is a transcription obtained through a third party. There is no claim to accuracy on the content provided in this document, and divergences from the audio file are to be expected. As a transcription, this is not a legal document in itself, and should not be considered binding to Advice Intelligence, but merely a convenience for reference.