"Mr Ransomware is knocking on the door," says the man responsible for keeping £57bn of people’s money safe

We recently had the opportunity to speak with Simon Mair, Head of Information Security and Data Privacy, at Brewin Dolphin on their approach to cybersecurity threats.

Brewin Dolphin is a financial advice and investment firm with 80,000 clients in the UK, Ireland and Jersey. It has around £57 billion of funds under management. Simon and Brewin Dolphin have worked with The Security Company for the past five years.

Simon kindly agreed to talk to us and share his views about the current cybersecurity threats, including his experience of working with The Security Company.

What Simon does

“We run three lines of defence at Brewin Dolphin – the operational teams, the IT security teams, and the team I head up, the privacy and information security team.”

Unsurprisingly, Brewin Dolphin works in a heavily regulated environment. Simon describes his role as “being in governance and oversight — we check that the privacy and information controls being put in place are effective…and we're responsible for cybersecurity awareness among staff, contractors, and clients."

Everchanging regulatory environment

There have been a number of high street banks whose recent technology changes have led to clients being defrauded. Thus, the regulator, The Financial Conduct Authority (FCA), is currently pushing out operational resilience regulations to the sector.

Simon and his team have been examining every aspect of Brewin Dolphin’s operations to discover “which ones could hurt a client if they go wrong. If we were offline for days and days, what would be the impact on the client? Could it cause harm?”

“We're going through quite a significant effort in that space at the moment to satisfy regulatory requirements.”

Pandemic planning before the pandemic

When Simon arrived at the company there had been a significant roll-out of new technology. The intention was to make staff more mobile.

“Within about a week of me arriving, the Beast from the East cold snap hit. We had a couple of days where people were told not to come into the office. It was incredibly fortuitous as we discovered — and closed — a few gaps in our system.”

In 2020, cyberattacks against financial sector companies rose by 200%. Brewin Dolphin’s response to the Beast from the East put it “in a good position” to cope with cybersecurity threats arising from COVID-19 pandemic homeworking.

Ransomware remains the biggest threat

Ransomware is the biggest concern to Brewin Dolphin because of its potential to cause disruption.

“Mr Ransomware is knocking on the door. The worst case is where cybercriminals get hold of a list of clients and contact them pretending to be the FCA or the police – whatever their story is.

""

This leads to another big concern — protecting their clients. “There's a large amount of education done internally and we’re looking at ways to engage with and make the client feel that we're embracing them in terms of helping them in the event of a breach.”

Phishing

With phishing, according to Simon, "there are so many ways that the aggressor can get into a company’s systems. They can call up. They might send a link in an email. These days, they're starting to try and coerce employees to go to a website and download a file.

Making our staff understand how these people operate is really helpful. If you can give a real-life example, it's much more effective than standing there and saying this might happen. People do listen to that.”

Social media

Cybersecurity experts have long recognised the issue caused by information sharing on social media.

“There's a huge amount of information out there for those who want to sound genuine if they're trying to coerce somebody. There are privacy concerns, however, in that employers really can’t be looking over the shoulders of staff members – that wouldn’t be acceptable”.

""

In lieu of that, staff training is essential on the appropriate use of social media.

Collaboration with The Security Company

It was Simon’s experience with The Security Company (TSC) at his previous employer, Clifford Chance, which led to him recommending them to Brewin Dolphin’s Chief Risk Officer.

We asked him to describe the benefits TSC’s service has delivered to Brewin Dolphin.

Bespoke training

“Prior to creating a bespoke training package for the company, we carried out a TSC benchmark security awareness survey among the firm’s staff to determine the biggest gaps in their knowledge and understanding of cybersecurity.

“Now we've got 12 training packages that we've created, and this online education helps free up my team and the security team’s time because they're not receiving phone calls about issues that staff now know how to resolve.”

Creating staff engagement in training

“TSC provided a suite of eLearning solutions which included elements of gamification.

“If somebody is having lunch and they're sitting at their desk, they'll go and play the game. That's great. If we feel there's a group of people who need to redo an aspect of training, we can just pop those course parts into their learning folder and they do them again.

“It’s so engaging and new — they take 10-15 minutes to watch it and then answer the questions at the end. We can monitor their progress and the results are running at 99%. Working at a regulated firm, it does make demonstrating compliance much easier and we know that staff are completing the courses.”

""

A culture of responsibility for cybersecurity

“Everything is shifting online. There are databases out there with precise information on people, their jobs and who they are. With that information, cybercriminals steal their personal identities, their credit cards, and their money. You hear about the fraudsters who can extort millions of pounds from companies all the way down to £200 by changing the bank details on an invoice of a plumber.”

Staff at Brewin Dolphin recognise that a successful cyber attack represents an existential threat to their company. And they act accordingly. Technology is one piece of the puzzle, and, as Simon says, “culture is the other".

Thank you to Simon and Brewin Dolphin for sharing their insights.

If you would like to know more on how TSC can help you with your cybersecurity training and awareness requirements, please contact Jenny at jenny.mandley@thesecuritycompany.com.