Financial advisers are increasingly bullish on the ability for technological innovation to drive efficiencies and reduce red tape in their business. While these are important applications of emerging innovation, particularly with the rise of RegTech solutions aimed specifically at helping with compliance, the consumer experience is often a technology after-thought.
The Adviser Innovation Summit 2017 put client experience at the very heart of its agenda, providing advisers with eye-opening, future-looking content that challenges them to ensure consumer engagement is paramount in a world that is rapidly evolving into various realities. The following is a wrap of some of the summit’s highlights, shining a light on the technology and business model innovations of today and tomorrow.
Staying relevant now and in the future
Speaker: Matt Heine, joint managing director, Netwealth
In the last decade, the world has fundamentally changed. A hell of a lot has happened. Remaining relevant in the future is up to you. It's not up to the advice industry. The advice industry will continue to evolve, adapt and thrive over the next decade, but it comes down to the individual and to the practice as to whether or not they go on that journey. I've been fortunate to go to Silicon Valley in San Francisco a couple of times over the last six months.
Even in a very short period of time, the progress that's been made is absolutely astounding. It's really easy to dismiss a lot of the big mega trends that we’re seeing and say, “This hasn't actually impacted me. This is big world stuff”.
But when you go to San Fran, you actually see the ferocity at which change is happening. There are two key things that came out of the trip. The first is that financial planning businesses are no longer being compared to the banks or to other financial institutions. We're competing against Facebook, Google and all these companies who are focused on delivering engaging, frictionless and highly personalised services to billions of people in real time. We need to catch up as an industry.
The other big thing that came through was that it's no longer man against machine. It is really man with machine against man without machine.
What is it that our customers are actually going to expect in 2025? What's going to be driving the change and how are we going to make sure that our services are aligned with those expectations?
The first thing is that our customers are going to be always connected. At the moment, around 45 per cent of the world is connected to the internet and by 2025 that number is expected to grow to around 85 per cent. In 2025, 10 per cent of people will be wearing clothes or glasses connected to the internet.
Health trackers are going to radically change the way that insurance is done in the future. A number of companies are currently looking to commercialise technology embedded into our bodies. One company is looking at injecting technology into our eyeballs so we don't need to wear glasses but will also be able to see the internet, holograms and images all around us.
Nanotechnology will be injected into our bloodstreams to fight free agents floating around our body and seek out and destroy cancer cells. We’ll be living in smart homes. Amazon has launched their new Amazon Alexa – a home system accessed via a video screen in every single room, which you can ask to increase the room temperature, put up your blinds and make your coffee. It's a learning machine and comes to understand your habits and how you like to live, so it can pre-empt your requests.
The fact is, our clients are going to be totally connected and you need to be ready for it. You need to be masters of multiplatform communication. Your client might be out for a jog and send you a quick voice message on their phone. They might be at home and just want to have a video conference while walking through their living room.
They're going to want to snap, tweet, gram, post wherever they are and they expect an immediate response. You need to think about how your CRM should be configured, so that if someone does tweet a question, then calls you up and then has a video conference, that all of those different communications, which could easily be on a single topic, are stitched together in a central place.
Artificial intelligence is here and it's going to be huge. It's already pervasive in so many of the technologies that we interact with today. In San Francisco, the buzz around AI is incredible.
The amount of money being invested into AI is staggering. In 2010, it was about $15 billion that was invested into AI technology. Fast forward to 2015 and that number grew to $45 billion and is increasing pretty quickly.
Understand that this is the way of the future. So while we've got virtual assistants like Siri, Cortana and Alexa, they're not perfect yet. Some technology experts call artificial intelligence at its current stage ‘dumb’. When you think about the fact that ‘dumb’ AI can drive a car, translate voice and text into myriad different languages, diagnose most diseases now better than a doctor and solve some really big problems, it's pretty scary to think that, with increasing computing power and a huge amount of capital, in the next two years AI will be totally unrecognisable.
Another thing that AI is really good at is investing. You may have seen BlackRock has recently effectively got rid of their active management teams and are instead focusing on quant and AI. To try and understand this a little bit better, I've been spending a bit of time with Sanlam – one of South Africa's largest fund managers. They manage about $104 billion across a whole range of strategies.
Two years ago, Sanlam launched their AI Investment Portfolio Service. The way that this works is via a three-step process. So, they've got their AI technology or their self-learning technology, they put in their constituents, they put in the constraints. So what is the portfolio that you're actually looking to build? It could be a balanced fund, so it's 70/30, and then they run the predictors.
Now those predictors for each asset class are made up of 600 self-learning algorithms. Think of those 600 self-learning algorithms as AI analysts. Those 600 AI analysts, basically, are running a range of different statistical models. They're using different price points, different timeframes and then the head analyst for that particular asset class will construct a smart prediction based on the best 30 or 40 predictions from their panel of 600.
That blend then gets fed into a portfolio allocator, who takes the same information from every asset class. So you've got 4,800 analysts working on this portfolio. You have no sick days, no HR issues, no academic divides. Just databank provided in real-time to be able to perfect portfolios, focused on reducing drawdown and maximising the capital return. Sounds pretty cool? The returns are about four times that of a human driven benchmark. I think that says enough.
It really is man with machine versus man without. You need to simultaneously invest in horizon one, two and three to make sure that in five years, you're not still sitting here having adopted nothing from today. I thought I'd just finish on this fantastic quote from Bill Gates: “We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next 10. Don't let yourself be lulled into inaction.”
Customer-centric virtual reality in financial services
Speaker: Peter Ford, founder and chairman, Control Bionics
How can you leverage virtual reality, augmented reality and mixed reality to show your clients just how much more exciting data is when it's not just on a spreadsheet or a three-dimensional graph? How do we make data stand up so it’s accurate, current and engaging enough for the client to see it, and intelligent enough for the client to understand what it means?
Let me introduce Second Life – an online virtual world. It's built by Linden Laboratories in San Francisco. They've got servers all over the United States. People go ‘inside’ Second Life, create an avatar and do business.
There are gorgeous buildings, centres and art galleries. They have islands. You can fly, you can walk, you can run. You could be meeting your clients next time in a space like Second Life. Why? Because you can show your data in a more vivid way.
Second Life is an example of virtual reality where you're totally immersed into a virtual world. We also have augmented reality where you're looking at something and there is data overlaid on top of it, like when you use Google Glasses. But then we have mixed reality where you can actually interact with the images in the real world – and this is going to be big.
Ask yourselves how you as advisers can embrace this technology and turn your numbers from a spreadsheet, a two-dimensional array, into something so vivid your client goes, “Holy cow”, and the next thing is, “Tell me what I need to do next”.
As the bankers are starting to understand, the number of financial advisers may be diminishing as the amount of information coming from the web, or AI or the servers is expanding and becoming more reliable. Millennials are turning to Google and Facebook, and whatever other media they think is credible online, for financial information rather than coming to advisers.
So what happens to the financial advisers? Are you going to be maintenance people who look after the intelligent platforms, computers and programs, or are you going to do advice in a whole other different way?
Take the data and make it so engaging it's irresistible, but also accurate and reliable? And are you going to do it in a way that gets people at your office where you have a high labour content, or can you put it out on the web under your own signature, under your own logo, so that you have clients coming on board and bringing that revenue to you in large numbers?
You could be walking your clients through an environment, making it innocuous and valuable with visual information and data that places them in context, in the space and time of now when they are investing and later when they divest or reconvert. It has been suggested that you can make AI an ally. But I think you need to go beyond that – we've got to go there anyway, we can't stop evolution. But I think if you can embrace the technology, if you can get over the flood of data and new tech, and new apps that you're hearing about every day, you'll find this a really powerful tool.
Perhaps advisers can even reverse the trend of people seeking information via computers or going to the web to get their financial information. Maybe you can once again personalise the data and make it irresistible so that everybody benefits. So how do advisers actually go away and implement some of the ideas we’ve been talking about? You don't want to throw out all of your account processes and providers and suppliers to try something new, because that will essentially remove all the benefit you've had from that existing knowledge.
But at the same time, I think it's really important to make sure you're engaged with specialists in the fields that you're looking to move into, if it is any of the AI, AR, or MR or VR, because we've heard a lot of horror stories about people investing significant amounts of money and just getting something that's not usable and not deployable. That's obviously a bad result for everyone.
It's important to keep going with the current providers you've got, but also reach out for consultants and specialists who can provide the knowledge you need to move into that space appropriately.
Embracing technology and open APIs
Technology leaders share their thoughts on the future of innovation in advice and the importance of an open data environment.
Moderator: Aleks Vickovich, managing editor, Adviser Innovation
Amreeta Abbott, chief executive, NowInfinity
Julian Plummer, managing director, Midwinter Financial Services
Peter Malekas, founder and managing director, Moneysoft
Amreeta, if we could start with you. You work with accountants, estate-planning specialists, SMSF specialists and also with financial advisers. Do you have any insight into how these groups stack up in terms of their tech needs and tech literacy?
Amreeta Abbott: The focus on technology has really been to enable financial services professionals to continue their conversations with their clients. If we take the accounting sector as an example, accounting and bookkeeping software firm Xero has played a huge part in forging that sector forward.
It has enabled other providers to keep on their toes and actually offer accountants solutions that enhance what Xero provides. When it comes to technology in the financial planning world, the problem isn’t so much a limitation but rather we don't see that drive to bring everything together. And there is a huge opportunity for that.
Research by Netwealth has found that advisers are planning to spend more on technology in the next year. Are those statistics reflected in the conversations you guys have with advisers?
Julian Plummer: Absolutely. Advisers have realised they're not just advice companies, but they're actually software companies themselves. On our trip to Silicon Valley we learnt that software is beginning to eat the world. Think about your practices. You're running a CRM, you're running cash flow management tools, you're running registry systems if you're that large, you've got self-managed super fund administration vehicles, you've got NowInfinity doing all your trustees and documents. All you do is software.
Once you realise that, then you understand that you have to reinvest every cent you can in technology to make sure you scale out your business. How do you scale out your product? How do you get your advice out to as many people as possible at the lowest price possible, and simultaneously ensure that you cover off their best interests?
Peter Malekas: 100 per cent agree with that. More and more advisers are not just looking at a single tool to do everything. They're looking at a series of tools that unpack either their back office or front office or their client engagement process.
It's about wrapping those tools up and making sure that they talk to each other. We’re seeing advisers actually out researching the tools that complement their business processes because they're realising, at the end of the day, it's up to them – not their licensees, not the banks – to actually make their businesses scalable and profitable.
As a former practice principal, Peter, do you agree with the point that advice firms must have a designated tech expert who is looking at this stuff full-time, or do you think that a practice can just partner with a really good BDM, for example?
Peter Malekas: I think it's relevant for advice practices to have their own champion within the business that looks after these initiatives. As a practice principal you've always got to be saying, “Well, at the end of the day, we've got our core activities up and that's fine.
But what's not working at the moment and how do we look at that next 20 per cent?” Or “what tools are we going to implement in the business and with our clients to actually make that happen?”
So an advice practice does need someone from the business to continuously focus on it, reinvest in it on an annual basis. It is also up to the licensee and we're starting to see that, where they appoint certain individuals to take it the next level and think beyond what we've got today and look at what 2025 is going to be looking like.
Julian Plummer: Licensees, when they've selected software, have often, not selfishly, but they've thought about themselves. How can they make the head office more efficient?
And then they go off and select the software based on that decision point. It should be about how they make their advisers’ lives more efficient. Sure, you might be able to save a few hours at head office and go with one set of software.
But what if you could save 100 people's time through your adviser network? The decision that the licensees should take should be about the advisers, not about the licensee.
So if advisers need to be first and foremost, how does a dealer group get that balance right? On the one hand they have a liability issue where they're the ones who are visible to ASIC. But at the same time, clearly their authorised reps need this technology.
Julian Plummer: They do it through approved lists. So you have an approved list of software and the adviser can select their main piece of software and then the adviser chooses their own stack. For example, historically, we've always had Rice Warner as our insurance starter.
Rice Warner is very good for the big out-of-towns; CBA, StatePlus, they all love it. And you've got the lifey up on Parramatta Road who hates it and they're all about Omnium. Now why on Earth am I trying to shove Rice Warner down their throats? I give up.
Take Omnium. Do whatever you want. I don't care anymore. Now we integrate with both. So we're giving you the decision. Once you choose our software, you then decide what components of our software you want on or off. So it's about choice and that's what this whole API is about. I've given you guys a choice to align your business with your technology.
I wanted to talk about open APIs and that whole mindset of open pipes. There is a frustration that a lot of advisers feel towards the larger software providers who don’t open up those pipes. Why is there that restriction? What is it that the licensee of the technology provider gains by not opening up?
Peter Malekas: This is an issue that we’re seeing with the banks who don't open up their platforms and I think there's a real issue about who actually owns a client and control.
We’re moving into an era where people are demanding control over their own data. It's my data and how I transact is up to me. We’re starting to see banks open up. There are two APIs that have currently been opened, Citibank's got one and Macquarie’s got another one.
So you're starting to see from the top level now where banks are going, “Well, at the end of the day, we need to give not only consumers, but we need to give technology providers the ability to also integrate in a single way that can take data but also give data back to improve the overall experience for the end customer”.
We had Shayne Elliott, CEO of ANZ, recently come out and say, “We'd love to open the pipes, we'd love to open the data. We just can't. It's a governance issue”. Do you agree that it is starting to change, that they're being forced to change? Or are they just going to hunker down on the data?
Julian Plummer: Australians, when we talk about our financial planning systems and superannuation, we lord it over the UK and we love how our platforms are better than theirs.
But there's one specific area that they are absolutely miles ahead of us, and that's sharing data. They've got an open bank working committee for data that is set up by the UK Treasury. And within two years, they're going to legislate open APIs for all their banks. End of story. Because it is their view that the client owns the data, not the bank. And we don't have anything like that.
Amreeta Abbott: We're very clear on what our core strengths are and we're very well aware of areas that we're not going to build into. When we come across other providers that try to create a barrier, it's really, really frustrating.
I have conversations with those tech owners saying, “Why are you doing that? Because you're really just restricting the freedom of choice for the end consumer, you're really, really holding them back”. There's one out there that actively just says, “We're not going to integrate with NowInfinity because they've got a similar product in another area of our business”. Let them use it. Let us connect.
We connect to you in a different way. I don't care. Our product stands up and if the consumer wants to use it, great. If they don't want to and want to use yours, it doesn't matter because competition's healthy and I think that we should all have the freedom of choice to actually connect, so they should open them.
Peita Diamantidis reveals the tools and strategies advisers can use to try new things, gain a competitive advantage and establish businesses that are able to experiment.
Speaker: Peita Diamantidis, managing director and financial adviser, Caboodle Financial Services
You really need to know who you are as a practice. You need to decide what type of business you have – what’s your ideal business? Do you want to have a lifestyle business? Are you looking to downsize?
Perhaps, you’re really happy with the size of your business but you want to spend some time consolidating, tweaking the machine of your business so that it’s efficient and the cogs are turning really well. This is generally the stage of a really established practice. Or you might be an empire builder – you're ‘go hard or go home’. You’re all about growing fast and you're willing to accept the pain that goes with that – the complex systems and processes, HR systems, layers of management.
In our industry we tend to imply that we should all be in a growth stage. I call bullshit on that. Build the practice you want to build and once you make the decision around exactly what type of business you want to be, everything you do should be defined by that. Then it’s all about finding the right tools.
These tools should be helping you to constantly renovate, because remember we're in a constant stage of renovation. There is one tool that you cannot do without – and that’s the spirit level.
For tradesmen in the building industry, a spirit level is a large ruler-like instrument with a bubble inside it used by builders or carpenters to ensure the accurate levels are maintained for the objects they are building. In our practices, our spirit level is our vision and our values – those are the things we should be checking against everything we do, everything we build.
In terms of how you use your spirit level in your advice practices, this isn’t just about hiring staff; this applies to all the processes you put in place, all the widgets you select, all the businesses you partner with. They all need to match your business values. And I know people might be like, “What has this got to do with technology?” If you get this right first, optimising your use of technology for what works best within your business becomes so much easier.
Now, what happens when you let your team loose with a bunch of renovation projects and you start going hard with technology and innovation is down to you and the enthusiasm of your team. If you go hard at innovation, you're going to mess it up. So what it requires is really strong project management skills. These are skills, I would argue, this industry simply doesn’t have. Despite the fact that we're advisers and we know how to plan for people’s financial future, we simply don’t have these project management skills.
So what you do is you get a great project management system. If you're going to be an innovator there’s two key systems – your core advice or CRM system, and your project management system – if you don’t have those two, you're in a lot of pain. One of the important things about some project management apps is the tool that allows you to collect ideas.
A real struggle with business days like this is you come along, scribble down about 30 pages of ideas and then you go back to your office and nothing happens. Some tools allow you to stop writing notes and write ideas straight into the application and they sit in a section of the project management tool waiting for you to implement them – the system tracks those ideas and tags them so you can write them off one after the other.
Once you have an effective project management system in place – you need to be the foreman. Being the foreman means you're not on the tools. You're there to direct traffic and keep things on track and you hire the experts and keep them in line. Static websites are a perfect example of how advice practices go wrong in the way they go to implement projects. A lot of advice practices will get a designer in, they’ll sit down with the designer, they hand over the brief, they walk away and the designer comes back with a website. That is not how you run a project. You hire the expert but you constantly check in with them because you need to constantly be using your spirit level to be sure the project meets your values and your vision.
This is fundamental. This is success in implementing projects.
Finally, I want to make a request. Please stay nimble. Our ability to implement quickly is the single largest competitive advantage we have over the big institutions, and the faster change happens the bigger that advantage is.
We have such an advantage over the institutions because we can implement well and we can implement fast, so I would ask you all to think that way and make sure when you're dealing with the rush of technology you do it well and you do it fast, because that is our biggest advantage and it's how we can transform this industry.
The foreign fact-find
Members of the advice sector share their overseas experiences and what they believe will be game changers in Australia.
Moderator: Michael Heine, joint managing director, Netwealth
Richard Dunkerley, head of marketing and communications, Zurich Life and Investments
Vincent O’Neill, director of private wealth, Stanford Brown
Adele Martin, managing director and senior wealth adviser, Firefly Wealth
Ray Jaramis, financial life manager, Treysta Wealth Management
Each of these panellists has done an overseas fintech tour and I think it will be worthwhile to find out a bit about their experiences, what they learned. Starting with Richard, tell us about your experience and what your takeouts are.
Richard Dunkerley: We're a long standing sponsor of the AFA Adviser of the Year and for the last couple of years, we've offered the winners a trip to South by Southwest, which has been taking place in Austin, Texas.
The bit we've been going to is the interactive piece and it's a five-day event that's full of venture capitalists, web-developers, creatives, just people who are there to experience some innovative thinking. It's at that event where applications like Periscope and Foursquare got launched. It's regarded as the place where Twitter actually got a real sort of kick off. It's kind of a heavy-hitting event. What makes it stand out is that it's got nothing to do with financial services.
I think there is a bit of sameness in some of the events you get to go to, particularly domestically. So you won't get anything to do with the Australian market, you won't get anything to do with products. The biggest takeout you get from it is a change in mindset. There are a few speakers that are more general interest, more sort of inspirational. The guys we took basically said it's the best single conference they've ever been to.
Thanks. Vincent, where did you go, what did you see, what did you learn?
Vincent O’Neill: We went on a pathway tour to San Francisco and Silicon Valley. There were a few reflections we took as a business away from the event. One of the first presenters we had was someone global who presented to us their technology around AI (artificial intelligence) investing.
It just blew our minds just how far they've gone. They are a bit ahead of the curve in this space. I think most of us went through a bit of a rollercoaster there where your initial reaction is “Oh that's it … The machines are going to take over and we're done”. And then you sit back and you digest it a little bit further and you think, “Well, hold on a second”. Yes, their AI is going to be great but there is going to be probably another hundred competitor AIs out there.
Whatever efficiency the first mover gets will eventually be eroded and eventually the consumer is going to want to understand which is the best AI. Which one should I be using and is there going to be another AI that is going to pick the best AI? There is always someone offering that.
As a group, we began to realise well actually, there is still always going to be a leaning towards wanting some form of human interaction here. I think it was a big learning around understanding what your value proposition is, because if your value proposition is towards picking the best stocks or trying to beat the index by half a per cent, you're going to struggle to compete in the future.
I wish my youngest son was here because he hassles me every couple days about whether there is a future for Netwealth because algorithms can do everything. But he's forgetting that human interaction. Thanks, Vincent. Adele, tell us about your experiences.
Adele Martin: So I was very lucky last year. I got to go to FinCon, which is where financial planners and media come together. I also got to go to the XY Planning Network as well. I'd describe XY Planning Network as sort of like a dealer group for those who want to work with Gen X and Gen Y clients.
My big takeaways from both of them were firstly the guys in America, they think big. So it was really great to be exposed to some of their thinking. One of those things is the open API. You can't have one product that does everything. The other thing is the cool consumer behaviour apps over there that I really liked as well. Like one which is geared around teaching children about money. The biggest thing that I saw was the apps and technology. The technology was amazing. It was behavioural change around money. It wasn't just looking at what's happened. It was how do we change people's behaviours around money?
One of my favourites is called Proactive Budget, where you have an EFTPOS card and you also have a phone app. You have different bank accounts, or 'buckets'. So you might have a bank account for entertainment, a bank account for looking good, groceries. You actually go into the app, press which account and then this one card lets you link to all of them. Why that works is that it changes your behaviour. It gets you to stop and think about which account it comes from.
At FinCon, I learned about how to develop a personal brand. So that's why at the moment I'm in the middle of doing AdeleMartin.com. I learned about live streaming, that's why I run regular Facebook live stream events. I learned about how to build Facebook communities, which have been a good source for me to find clients. It was really great to be in a room with people that just thought really big.
Ray, can you tell us your story?
Ray Jaramis: I went on the Implemented Portfolios study tour. We were on the east coast, so Boston and New York. Our conversations there are somewhat different to what we're seeing in Silicon Valley.
There seems to be the alpha trade of Wall Street. Technology for them is about the algorithms and helping them deliver things that are more efficient. In Boston, we were fortunate enough to go to State Street and the Centre of Applied Research. They were doing really interesting things, understanding how consumer behaviour is changing while we're going through this process of intergenerational wealth change.
What I'm finding that technology is doing, both here and overseas, is allowing conversations to be had at a cheaper level, but it's not changing the conversation. What technology isn't doing yet is helping the adviser understand what's going on behind the scenes. Why is a client being driven to do that? So I was planning on going overseas to see if there was anything being built around that space, and I'm still waiting.
Building cyber secure tech practices
Cyber crime is a real and growing threat to big and small business in Australia. KPMG’s Stan Gallo shares how advisers can protect themselves.
Speaker: Stan Gallo, forensic partner, KPMG
What we are going to talk about today is cyber incidents and cyber activity, but I'm not here to talk about bits and pieces around controls. We will touch on risk frameworks generally, but my current role in incident response is around what's happening, and a lot of it is quite common as we'll see. I have a law enforcement background prior to joining the firm, so about 15 years with the police.
Early on in that career, I was tapped on the shoulder and re-directed into an alternative path, which was the covert operations role that I did. That lasted about five years. That was about a third of my entire career, so you disappear at one point and re-appear a few years down the track. What that meant was becoming a member of various organised crime groups throughout Australia and internationally, and while I was still a state policeman, we were linked through collaborative arrangements with federal and international law enforcement.
Make no mistake. What we're talking about here is organised crime, not script kiddies or hackers at home. Organised crime will target businesses, and don't think because you're small that you won't be a target. Technology doesn't discriminate. Back in the late ’80s, as a group, we were a very entrepreneurial, innovative, forward-looking bunch.
We weren't as well dressed as we are now, but basically we used to sit around the table and we would look at our revenues. What were our goals, what were our targets?
Back then we had the idea that electronic data was something that was valuable and could potentially go beyond what we were receiving from guns and drugs.
We weren't techies at all. We would outsource that. Our dodgy phishing scams back then weren't “Dear Westpac user” and the poor spelling. We employed a psychologist to write them because we needed a sense of urgency so other people would click on the link. We had a pretty girl standing out in front of buildings handing out USBs because people would plug them in. And then you would access the systems. Again, if you look forward to today, that really hasn't changed much. Evolution has brought technology way forward.
The core areas of cyber crime that we're seeing evolve today still remain phishing, social engineering, ransomware – those are the common ones. Invariably, what I see is that companies will try and bargain with the baddies. Having been sitting with the baddies, if you send out a ransom to somebody and they come begging “Please don't charge us. We are a poor small business” – the fact that you're contacting us tells us that it's not going to drop. All that tells me is that you don't have backups and you're in trouble, so the price goes up. Does that mean you should just pay the ransom? I think not. It leads to two things: it doesn’t guarantee that you'll get decrypted and secondly, it sets you up as someone who should be revisited in the future.
The other thing that I saw is that for those businesses who can't afford to pay a ransom where they encrypt everything, the other option was for the baddies to say “Give us your contacts and we will do our thing. If two of them pay, we'll decrypt yours for free”.
Now, the idea that if you're small, you're not a target is false. If you're small, generally people won't have the spend or the focus on things like IT security. Why are you going to target the bank when you can target a small business? The average cost of a cyber loss still seems to be about $500,000. To a small business, that's obviously a lot bigger hit than to a large one.
Back in the day, when you're stealing cars, you're not going to deliberately target the ones that are locked and have the security system. If the company doesn’t think about security, they will be a target, you will be a target. When you take a computer and plug into the work network, everything that a user has access to, [a baddie] now has access to.
You can take that a step further and activate the microphone so you can listen, which we've seen happen in board rooms. Or you can take it a step further again and activate the camera and then literally watch what happens.
It's real in that this is happening constantly and just as I came here today, I dispatched my team in WA because we're having an issue over there as we speak.
The company is suffering a ransomware attack that has taken down about 80 per cent of the company, and if we can't get it up and running by Monday, they are in real strife. So in terms of a risk framework and how we do that, it doesn't matter whether you are a big business or small business, it's really looking at how likely is the event versus how serious the consequence. If you outsource, you need to consider what that looks like. Is their risk process sufficient for you?
You can outsource the responsibility but not the risk. Ultimately though, the best control, and we're not talking about big budget IT stuff either, is people, because that is what the baddies target.
We didn't target IT systems or rock solid virus configurations and update patches. We targeted the weak link, which is the person who clicks on an email, the person who will stick the USB in the drive and infiltrate the machine.
That's what we would go after because that's where the money was. No IT control will lock that down because the system is designed to let those people through because they are there for work. [Protecting yourself] can be as simple as asking yourself “Is my core data on a separate system and unattached to the drive? Do I have a response plan? Do I have insurance?” It's really not overly technical.
It's really about understanding the balance between IT spend, which is where the bulk of industry seems to focus, and people. If you can make your people aware, you have a culture of awareness within the group, then you're going to get the ones who see the email and say “Well, I'm not touching that and I'll let everyone know that I got this dodgy email”.