
Peita Diamantidis
Hello and welcome to the Ensombl AdviceTech Podcast. I’m Peita Diamantidis, and the guest joining me here today to deep dive into the Cyber Collective (how cool does that sound?) has actually been a financial adviser himself and his design practice. He’s a bit of an outside-the-box conference attendee like me, keen to learn from sort of overseas finance professionals and even some, you know, other weirdo other-industry conferences, and has recently in the last few years into the advice tech space himself. Thank you so much for joining me on the show, Fraser.

Fraser Jack
I love the intro. That was awesome. Thank you.

Peita Diamantidis
You are very welcome. I’m so excited to have you on the show. What I should have said in the intro, too, is you yourself have hosted Ensombl podcasts. So yeah, what’s this podcast thing you’re on? Yeah, exactly. Exactly. We’re a bit meta here. Host interviewing previous host of the host of, of all these things. So it’s fantastic. Now, we’re going to dive into the Cyber Collective; we’ve got lots to cover. So much going on in your world, but let’s get to know you a little bit through your use of technology. What’s your most used emoji? Do you even use emojis?

Fraser Jack
Yeah, look, I do, I do. Pretty tragic, of course. Being a next generation we love our emojis don’t leave out. We often get told to stop, but I like mine are all pretty positive. They’re either happy faces or celebratory type emojis. You know, the congratulations piece. But probably the strong arm is the one I use a fair bit. I like to make sure people know that there is strong so strong arm and their happy faces are my go to.

Peita Diamantidis
Nice. Do you know I think that’s the first time the strong arm has come up. I think first in the show. Well done you.

Fraser Jack
I’ve got a few love hearts there too. But don’t tell anybody No.

Peita Diamantidis
Secret. So if you then had to delete all the apps off your smartphone, and we all have so many now, which three would you keep? If you could only keep three of them?

Fraser Jack
Oh god, that’s a that’s a horrible question. I horrible thought no idea. What’s the point? Now? I think the ones I probably use most would be the messenger. Isn’t it tragic that most of my apps are all workouts. They’re like messenger, LinkedIn. You know, the Microsoft, you know, doing emails type things I actually. And of course, for telephone, I actually use my phone as a phone quite often on the phone, which, which is on you know, like old school, very old school.

Peita Diamantidis
That’s so true. Actually, you are one of those people that will be messaging a bit Weren’t we like, it’ll be a Facebook message or something will get said and then my phone rings? Yeah.

Fraser Jack
I’m like, I can’t I’m like, I’ve got too much going on in my brain to just use my fat thumbs to type out a message. So I need to I need to get on the on the phone and saying, Yeah, kicking it.

Peita Diamantidis
I love it. So let’s dive into the cyber collective and to give the listeners some context to it. I’ve seen you in events, you’ve been out there sort of talking about cyber risks and what we all need to be far more aware of, but give us the like the category you sit under, in an advice tech sort of space. And I know it’s broader than just for advisors, but sort of What group do you sit under? Who are you sort of lined up against when people are sort of looking at a service like yours?

Fraser Jack
Yeah, I guess I guess the best way to describe our service, I mean, there’s and there’s a there’s a couple of pieces to this puzzle. But essentially, we’re a platform that provides educational services to advice firms, predominantly financial advice firms, we call it we say financial professionals, because that incorporates people who hold really, really important information and data about their clients. And they’re generally small to medium sized businesses or smaller licensees, because they don’t have the in house facilities to be able to provide this. So I sort of I sort of say we’re a bit like a Kaplan but for cyber and for every single financial, every single team member in and out and a financial advice firm. Yep. Not just not just the IRS was so much education and training is based around. Let’s let’s give CPD points to the authorized representatives. Because that’s a learned behavior that we were used to, which is great, by the way, I’m not getting I’m not begging that I’m just saying that for when it comes to looking after clients data, every single team member is is just as as important. So really, it’s about making sure those team members know what they’re doing know how to use the technology that they have in place, because that’s a big part of our process. And yeah, and being able to report and do a whole lot of other cool things on the platform.

Peita Diamantidis
It’s such an interesting point, isn’t it, when you think about CPD? And of course, you know, we’ve got the jewel as CPD events that Ensombl put on where we all go hot for a day and we get lots of points. What it’s all about then is theory, like they’re always theory based, that sort of learning, isn’t it? Like it’s very, it’s technical and theoretical or academic. And whereas often what we need is the practical, like, the thing I need to do, or the thing I shouldn’t do, you know, it’s a different type of information, isn’t it?

Fraser Jack
And there’s sort of, there’s three, that you’re exactly right about the academic. And there’s three sort of things that we like to focus on when it comes to the education. One is that it’s, you know, you learn something, which is obviously the point of education. The second area is that it becomes a part of a habit. So it’s not just about knowing something, but it actually forms party day to day habits and part of your day to day activity, when it’s whether it’s working with your clients, whether it’s working with the kids, whether it’s working with your parents, your community, everybody around you, it’s about being a good cyber citizen and having a good life skill, but it becomes a habit. And so it’s a very different awareness training is very different to that, that training that you talked about being being,

Peita Diamantidis
you know, theoretical.

Fraser Jack
Yeah, academic. So it’s about applying, like, what the way that we do his one topic, at a time very short, sharp, like five minutes or training is all you need. But often, so once it becomes front of mind, always thought about, and not not difficult, or completely, clickbait just a bit of a Goldilocks thing, right, just right, not too not too heavy, not too light. So it kind of needs to be for that individual. And everyone’s different. That’s the other thing that we flavor, what is different in a firm, so. So that’s what you got to try that awareness training, not just the information, but that taking the learnings forward into a habit is important. And the third area that we that we really focus on is the demonstration of proof if you like, you know, like providing the proof. And that is around reporting and board reports. And because we live in a world where compliance is big, you know, like, and you’ve got to be able to have all the evidence and stuff behind you say, yes, my team, we’re all trained. And here’s exactly what they’ve done. Here is exactly the time they did it, it’s over this bar a period of time. And you can, you know, you can back it up with the, with the with the compliance.

Peita Diamantidis
It’s an interesting thing, too, you made your point, the point about, you know, all the different facets of the business and all the different team members. And it is I think, when I, when I look at the way we interact as an industry, it is very advisor centric, naturally, I mean, I get why, but for everything, like we sort of see them as the pointy end of everything, and, and it does become something of a soft spot, like a soft underbelly, because we’re not necessarily applying the energy to all the other people in our teams. And those could be suppliers, it could be partners, it’s not just you, your literal staff, there’s all sorts of people. And I think, you know, if anything that I become aware of with cyber and all these risks is how connected we all are. All right, that’s a big deal in all of this.

Fraser Jack
Yeah, and if I, if I, if I, if I go back to that point that you made about how many times is that the authorized rep has to go back to the business and then say, Oh, I learned this at the PTA and learned that or the PTA and, and we want to do this and the other anyone just looks at them going. It doesn’t make sense, you’re not because they have had the advantage of learning about it for an hour and coming up with one good idea. And they’ve got the context behind them. And the rest of the team just looks at them and goes, and we’re supposed to do this, when and why? And I think so I think I’ve heard the, you know, we concentrate on the team as such, and the team being the first line of defense, not the weakest link. But when when we talk about the weakest link, who is the weakest link in the in the business, often it’s either the new team member who hasn’t been trained yet, or the CEO or the business or the owner of things, but that doesn’t have to apply to them. Right? I mean, all my team are doing cyber training, but I don’t need to because, you know, no one’s gonna get me in trouble if I don’t do it. So yeah, I think we’ve all been in that scenario where, you know, you think are this, I want my team to do this thing. But I don’t always follow my own advice on that one. I don’t always follow the rules.

Peita Diamantidis
Absolutely. And this is, you know, this is one of those categories where we just can’t call ourselves experts. We can’t say, oh, but I know that stuff. We can’t say that, you know, this is this is like learning self defense. Unless you are actually a martial arts expert, you can’t say that you know how to defend yourself. Well, this is that stuff. This is just the cyber equivalent of that. We’re all just learning self defense, right? And so, you know, you can’t pretend that you’re, we’re experts, you know, and there’s so much to learn and understand. Every time. We don’t know I’m like, I’ll call you and I go on and I fully understand this and you’ll give me another instant I’m like, Oh, right. Yep, there’s another layer, right? So it’s just it’s this constant, almost like we are gonna have to invest that 10,000 hours to become, you know, experts in another category that isn’t advice, because this is such a big issue for us all, you know, and the impact we can have on our clients because of it. Yeah, absolutely.

Fraser Jack
You know, I know you like talking about ninjas a lot. So let’s use that analogy. But you’re absolutely right. You know, if somebody is learning a martial art they go along for for weeks and weeks and weeks and have that the discipline of ongoing training and repetition of, you know, the amount of times the amount of times that they would train versus the amount of times they would actually use their martial arts in a combat Wars scene, you know, where they actually are fighting somebody is, you know, the proportion that you just really just have to keep training, keep sharpening, sharpening the knife, if you like.

Peita Diamantidis
So, we talked about the different team members, and you mentioned that, you know, the short, sharp pieces of content or education is your take that even it’s not just short pieces, and it’s not doing it regularly, but also repetitively. So as part of it sort of revisiting some of these concepts is that part of what you, you sort of factor in because I know, I’ve just discovered even with learning tech, like, the only way we get really proficient is if we’ve got to, like, use it over and over and over again, for a period of time because your brain just forgets too quickly.

Fraser Jack
Yeah, I think I think we have a lot of things now brain, don’t we, and depending on their level of fear, or concern, or prioritization, or motivation, it gets pushed back. So things are regular and consistent, then that does create habit. And, you know, there’s, there’s all sorts of different books around around, you know, how to create good habits, and, you know, make them you know, make them easy to do and make them you know, all those sorts of things. So there’s, you know, atomic habits, and there’s, you know, there’s the hook around, variable reward, and all these sorts of things that form habits. And I think cyber is certainly one of those things where to make cyber interesting and engaging. Because from a topic point of view, you can’t just be all about fear. Because fear, just fear will get your attention. Yeah, and you might you and your, if you’ve ever driven past a car crash, you’ll, you’ll remember it right, because you can remember those details, but it’s not always a great motivational place to be in. So you know, you want to you want to make it you want to use, I always talk about with content, there’s a little bit of fear in the recipe, but you got to use it like salt, you know, you’ve got to make sure it’s not too salty, or enhanced the flavor not to not make it crazy. But But yeah, there is there is a little bit of though, like you said, there’s a lot of different areas, there’s a lot to learn, and there will always will be that’s the point because everything’s always changing and updating. So it’s about making sure that people are utilizing, like, for example, passwords, the history of passwords is changing has changed. You know, it’s gone from it’s gone from doing a password to having multifactor to using, you know, biometric technology, facial recognition, you know, these days, if you open your banking app, you you look at your phone, you don’t, you know, you don’t type in your password. So you know, and that’s all changing as we go through. 
So yeah, and so it’ll be, it’ll be never ending. And on that

Peita Diamantidis
if you really, and this, I guess this probably particularly applies to those that are sort of Gen X or older. But if you ever want to really get a wake up call on the evolution of passwords, there’s a YouTube video of a comedian Michael McIntyre. And he does a bit on passwords. And he starts with when we all first had to give passwords, and we all started with the, you know, word password. And he goes through the evolution and the more he goes through it, the more disturbing you can hear the audience get, because they’re like, Oh, my goodness, he’s just described exactly how my password has evolved over time. And it’s so true, it’s sort of it was one of the things that really stood out to me of, we can’t, we cannot just allow ourselves to determine these things, because we’re just no good at it, you know, and we all do it the same way. So I’m, I’m sort of curious about that, then, in terms of, you know, a practice that engages with you guys, have you got a sense of, you know, who manages to go because it will be a journey, right? This is almost a transformation for the business, then do you get a sense of who manages to take that on board? Well, and who struggles like is there anything about either things they should do beforehand? Or the type of business or the type of approach that means that it can be a smoother transition than not? From what you’ve seen?

Fraser Jack
Yeah. Yeah, look, I think to start with, I like to talk about the approach that people use we use we use a structured approach right? So you know, it’s about on you know, picking up every single rock seeing what’s under it and and it might be fine. Yep, keep going. You’re doing a great job. This one could do a slight bit of improvement. This one you haven’t got it all you need and everybody is different, but because we have a structured approach, it’s been like a financial advice process, right? Everybody comes in with a band aid, everyone comes in with band aids here, band aids there, they’ve got a super fund, but they’ve never really looked at it, whether it’s that they’ve got one head five super funds, they might have something over there and they’ve got a bank account, they might have some shares that they bought over there, you know, they’ve got a mixed bag of lollies, and they walk in, and they say, Can you sort this out for me, and so that’s the same thing with cyber, cyber, so everyone’s got something, some people will have a tech guru, that they’ve got a headset up a bit of equipment for them and worked for tomorrow, other people won’t. And so and that’s an important piece of the jigsaw puzzle. So we need to make sure that do have somebody, people will have a password manager, others won’t, you know, and people will share email, information, email, others won’t. So everyone’s at a different place. I think the the big thing is that you’re right, it is a journey. And it’s not a difficult journey. It’s just a whole lot of small steps in a journey. And so if we break it all down into small steps, it’s much easier you know, the cybersecurity this was gonna say before the cybersecurity thing, the umbrella thing. Is it big is one topic like cybersecurity. Yeah, that’s but it’s actually like me saying financial services, right? There are so many different things going on in financial services. 
It could be you know, self managed super funds, it could be insurance, it could be the UN. And so, you know, cyber is just a whole lot of small topics wrapped up under one umbrella. And it’s just a systematic process of going through saying, let’s go through everything, you either got it, you’re on your journey, somewhere on the spectrum, we should say, We’re all in the spectrum, right? You’re in the journey somewhere. And so let’s just go through bit by bit and work work through it, you know, sort of it’s not. Thankfully, for me, it’s not incredibly difficult. Yeah, it’s just a process that you all go. Yeah, very similar to, I guess, financial services. When you think about what all the different strategies are, what are the different products and funds, if you know all those things, then you can help somebody through that, you know, with their stage in life and all that sort of thing. So it’s just about working out where you are. And it’s, it’s so go ahead, I was gonna say, Everyone comes in a little bit embarrassed. There’s a little bit of, please don’t judge me for that. I know, I should be better. Yeah. And it’s like, stop it. We’re all in the same zone. Yeah, everybody can be better. Let’s just work, let’s just set up a better process, work through it and get you to, to it and you’ve started

Peita Diamantidis
start, like nothing’s gonna get fixed if you don’t stop. Right. So it’s such an important sort of that is just starting. And it’s an interesting analogy, actually. Because I do think what when we look at some of these things, and we look at it from almost that bigger picture, corporate governance sort of approach is our mental picture is all risk assessment, big report, all my goodness, four years of project, right. So it’s like, that’s the mental picture we have. Whereas it sounds like what you’ve, you’ve, you’re delivering with the cyber Collective is like the GPS, like, I’m just, I just need to follow the directions that GPS is giving me and do the next thing, you know, and, and yep, and then we get to the next thing, which takes the pressure off, it’s like when you’re in a foreign country, and you’ve got, you’ve got Google Maps, it just takes the pressure off, I don’t have to worry, I just do what Google Maps tells me to do, and take the next action. And I think it can really demystify and sort of take some of the anxiety out of the whole process. Yeah, well, we

Fraser Jack
start we actually start the process with knowing what the regulatory guidance is. Right? Right. And so and so often with advice firms and and we want to make sure that we’re not upsetting the regulator’s we’re doing the right thing by the compliance piece of it. And we go, we’ll, we’ll do you know, the guidance actually is right, if you don’t know what the guidance is, you set up a program and so and then, and then do you have a plan? Right? And so that’s based on the guidance, and then when you got a plan, and then you can go around and say, right, well, we need all these tech things set up? Do we have them all? Maybe you do? Maybe you don’t? Right? And then do you have the budget? I do understand the supply chain risk. And the training the humans are that 90% of issues with cyber, involve a human? So are all the humans trained in the in the in the software that you use? Are they trained and the right things to do? Have you done testing, do your vulnerability testing and phishing campaigns and, like there’s the whole process involved around making sure that the tech set, the people are trained, but also the, you know, the you can provide the proof the compliance pieces is relevant to you know, the Australian based regulators for financial services. So it’s, yeah, it’s it is a process. But yeah, certainly not one. That’s that scary. But you’re right. The first step is always the hardest

Peita Diamantidis
it is and it’s something that sort of, I guess, not surprise me, but but was a bit of a wake up call for me. Was this the Behavioral Risk? Right. So I think we will focus on tech being hardware or software. You know, we forget that it’s the human beings using the tech that actually have the risk, right. The actual machine itself is not the problem. It’s the Humans using it, anybody that’s have to had to explain how to use, like a computer or a phone to somebody much older understands that the human is the problem. Right? So and that’s the case here, right? It’s about changing behaviors to and probably, I mean, I would argue that could be harder than the, you know, Hey, go and tweak this, this feature or this setting or this, you know, because that’s a one off one and done, right? Whereas the behavioral change is probably the hardest part of all of this. Yeah, absolutely.

Fraser Jack
And that’s probably the same with every product you’ve ever had on the on the podcast, there was a product to Kimball work really well. But if you’re not utilizing it, by the, if the humans aren’t working with that product in the best possible way, then you know, that product is never going to get the you’re never gonna get 100% of any tech, if the humans aren’t utilizing it properly. And if they’re utilizing it every day, that’s great. They probably can, but you know, we could all do better with some of the some of the fringe tech that we use around the place and that and you find that people are using it a great way, I really you can do that. And I have no idea. You know, we’re not using it that way.

Peita Diamantidis
Yeah. Well, it’s it’s a. The other thing I’m finding with this sort of stuff, too, is, is it feels really big and complex. And anytime we talk about, you know, whether it’s two factor authentication, or any of these things that come up, they are said as there’s these terms, in fact, I think I feel like the public probably feels a lot about financial services, I feel that way about all this stuff, right? Because there’s this language used and the language used assumes you fully understand what they’re saying, when and I think for most of us, we have no earthly clue, actually what it means we’ve got our own little interpretation of it. But until you sort of take a bit of time to actually understand what it means, then you can ask some better questions. I mean, you and I chatted recently about something where, you know, you might want this sort of two, you know, two steps, I guess, to know, it’s them. But if those two steps are two things that could be hacked, then and had relatively easily then is it really secure? You know, like, it’s, it’s knowing enough to be able to question that. And I think that’s not easy. You know, it’s not easy to get your head around that well, because often we’re dealing with all these different providers and, and all this different tape that they’re talking about.

Fraser Jack
Yeah, you’re either out there, or firstly, you’re right about the acronyms because there’s the you know, cyber, the cyber world has a whole lot of fancy. Should I say wanqi? I shouldn’t say well, I don’t mean that. But maybe I should. terms for everything, right? We’re talking about, you know, is EMS and information security manuals. I mean, that’s just, that’s just weird term for having a plan, right, making sure you got a plan, cyber incident response plan, CRP is, you know, that’s just making sure that you’ve got a plan in the event of an attack that you’ve, you’ve already thought about it and you’re prepared something. Yeah. And so there’s no, yeah, there’s just term after term after term that we get into, you know, we think we think financial services has lots of accurate acronyms. So to sum, but at the end of the day, they don’t actually matter. What matters is your understanding. And a lot of what we do is very similar to advice, where it’s a demonstration of understanding, right, there’s this, there’s these these complexities over here, as an advisor, you know them, you know, they’re going to work for the client, you’re just gonna have to explain them to the client in layperson terms that they can understand. Once they understand they go, Oh, no, I get that. I know now, why we’re doing it. And it’s the same as cyber one site once with a bit of explanation and layperson terms people go, Oh, I get that. Now, I know why I’m paying extra for that. Right? That’s great. Thank you, I feel comfortable with it. I’m confident in that. And it’s about that it’s the same, it’s very similar to the advice process where there’s, you’re just taking a complex, complex term or a complex thing. And they’re not that complex. To be fair, they’re just little bite sized chunks of complexity. Yeah. 
And then you’re, you’re able to allow people to understand them in a better way, without having to get into all the jargon in the, in the, you know, the fine print of exactly how these things work and, and speak like an IT person.

Peita Diamantidis
Which is a challenge. I mean, it’s it is a challenge. But I think that it’s also, I think it’s important to take the time to understand and that’s why the sort of education you’re talking about is so valuable, because there’s language we all use it, I think can be a bit misleading. Something like, you know, you’ll talk to somebody go, oh, but we’ve got bank level security. Now, that sounds pretty serious. But what actually does that mean? And if you think about it, a bank doesn’t email, its clients, like, sorry, email backwards and forwards with its clients all the time. And a bank doesn’t hold nearly as much personal information as we do. It’s an interesting dinner. I mean, like, there’s this way we talk about this stuff that sort of makes assumptions and and and I guess gives us as confident one on some level, but I think, you know, we’re not really bothering to understand what we’re saying or what we’re talking about.

Fraser Jack
Yeah, absolutely. And he can get a bit too involved in the terms and those sorts of things but you All right now you don’t want bank level security, you want more than the bank level security, right? Because the bank, the bank holds doesn’t hold as much in client information as you do. They don’t have the clients hopes, dreams, goals, aspirations, they don’t know the client’s personal statement, their medical history, you know, they, they might, they may or may not know, all their investment, super funds and the relationship they have and the history of those funds, and, and, you know, their families and all these other things, right, that that advisors have on record, which is way more important than, you know, information in the bank holds. So you got to think about that, from a budgetary point of view, you don’t have the budget of the bank, but you hold one more information. So your security should be should be greater than the bank. And it’s about it’s about great, you know, what you can do better in the bank as you can get your people engaged and enthusiastic about security. You know, anybody would say that’s the advantage of small business small advice firm has a bank is the team. Yeah. And I think with anything, when it comes to cyber, getting your team engaged and wanting to protect their clients, every single firm that I work with their team want to protect their clients, right? There is no doubt nobody wants to do multi factor authentication, but they do want to protect their clients. So if they’re coming at this from a, Hey, I’m looking at my client, then that’s, that’s a much better way to do it. And sometimes I love this question. But people say to me, oh, but my clients won’t want to do that, you know, they would they happy just to email me the stuff in and, and I’m, and I’m saying to them, Well, you know, what your client actually want to see you’re investing in their protection in looking after them. 
And they would actually, and this is mostly the case when advice firms do say to clients, oh, we’re doing it with a new system and process and it’s more secure. Clients like oh, well, of course, yeah, that’s this is me, we’re talking about, you know, it’s not, it’s not about the extra two seconds is going to take it to this is about my safety and security. And so, yeah, I think that’s an opportunity rather than a than a really to talk about.

Peita Diamantidis
Imagine the insights. I mean, we’ve done this, even through COVID, when we’re doing more webinars for clients, and just engaging with them, we did a lot on say scams, and then on, on cyber, all sorts of things. And they’re not getting that information from anywhere else. Really. I mean, morning TV sometimes has like four bullet points about how you should worry about your password or something, but, but at the general public are not necessarily getting access to this type of information. So you are doing them a wonderful service, you know, so with some positioning, I completely agree with you with some positioning, they’re going to devour this information. And you know, and interestingly enough, the government’s put together a lot of there’s a lot of materials, there’s a lot of, you know, examples and case studies and all sorts of things where if you can point them in the right direction, they’ll be like, Wow, I didn’t realize that’s what we were dealing with you. You know, and it’s so important because they can they form part of all of this protection to their behaviors can can impact this, right, the full supply chain is part of this,

Fraser Jack
the supply chain is massive. And if we start with the concept of clients, there are a lot I hear a lot of stories of when you know, somebody has got into a client’s email or got into a client, and they’re getting, they’re getting information out of the clients email or computer that that that that demonstrates the relationship they have with the advisor. And that could be an SOA or something like that. But they understand then that there was a strong, trusted relationship between the advisor and the client. And so they’ve got that information from the clients computer. And they then they then try and manipulate that information, either by, you know, sending information to product providers saying, This is my new address this as my new bank account details, etc. Or they are trying to manipulate the conversation with the advisors saying, Oh, can you pay me do this at the other or they’re trying to manipulate to pretend to be the adviser back to the client saying, you know, here’s so there’s just, they’re just cheeky, getting in the way and cheeky is a very slim word for it, because I couldn’t swear about it. They’re just manipulating that situation. So absolutely the supply chain, it’s not just the advisor. So the advisor and their firm is one part of a chain that goes past the client and on to the clients family. And on the other end of the chain, you’ve got the product providers, you’ve got every single piece of technology that they’ve ever gone and signed up for and holding client data information in. And a lot of the time we think, here’s a great product, it can help us do this x y Zed as part of our process. And it might give us some efficiencies, which is great. That’s what you know, texture before. But there is also with every single one of those additional pieces of software and additional slight risks that we have to think about. 
And so it’s about it’s about thinking, Well, if that software that we use gets hacked, what happens to our client data and who’s responsible? Are they unsure? Are they they sign up to the privacy principles? Can the government go after them? Is it just us as all fall back on us? The reputation damage tends to fall back on us. If you’re logging into advisor portals. There’s Apple regular Leyshon, and you know what something happens to the, you know that inside that portal. And guess what, all of a sudden, you’ve got a large brand as well as you and they’re trying to throw you under the bus. And, you know, so it’s just, it’s it goes on and on and on. And we’re talking about CRMs. We’re talking about email platforms, we’re talking about the whole thing, how, what is the, what are the contractual obligations inside that software? If they get hacked, do they have to tell you? If you get hacked, you have to tell them? Like, what are some of the obligations when do these things, you know, when are the contracts expire. And the other thing with that is a lot of financial services businesses rely on their licensee to have those contracts. So they don’t even they don’t even know or have that relationship directly with the with the tech supplier. So all of those things can cause issues to the business. I’m not saying you have to solve every single one of them. But it is a requirement to know about them as an, you know, a director obligation of the business based on that the ASIC guidance to be able to say, we know about these things, we’ve thought about them. And we’ve made this decision to do this, you may have thought about and we think the risk is low, we’re happy to keep going. Have you checked with those tech providers? What level of security they have, do they have an ISO certification, etc, etc. And so there’s, there’s a whole lot of little things like that.
And they’re not difficult sending you sending them an email asking them to give you a copy of their, for the framework they use for their cybersecurity. Yeah, you know, so that you can then say, look, I checked once, and they said this, so I believe them, and therefore, we’re that’s why we’re continuing to use them. Yeah.

Peita Diamantidis
And yeah, and it’s, it’s, it’s such an interesting process, all of that, because like you say, you know, we’re all going to be using more and more tech, it’s not like that’s going to get less, it’s just not right. So. So it’s just having a way to handle that each time. And the questions you ask and, you know, the the framing the questions the right way, which is part of understanding the language and understand the acronyms, you got to ask the right questions. Because I think the thing that is tough, and this is, you know, this is where, you know, when you hit a lawyer, if you ask a corporate lawyer, how to minimize risk, you know, their answer would be don’t have any clients, right? So you can never wipe out risk and completely, but it is about understanding what risks you are taking on, like making sure you understand them at the very least. And being informed, right, that’s gonna be the start. And then it’s about you making a decision for the business. It’s about you going, right? Well, how do we feel about that? And have we complied? And what else do we need to do? And what other ways can we add it? I mean, it’s, I remember seeing a session that one of the federal sort of, he was actually part of us scangrip, you know, so as in one of the federal guys that sort of looks into those. And he said, what’s so interesting about most of the instances is, if a human being had called a human being, at some point in these, then this would have been averted in most instances. Now, that’s not always all of them. But you said, that’s the that’s the thing with all of this stuff, is if you can apply a bit of sensibility to it as well. Then, you know, you really can shore at least the defenses up quite high.

Fraser Jack
Yeah, you’re absolutely right. I mean, there, there are a lot of what we do is, as I said before, is around understanding and demonstration of understanding and the way often we do that is bringing it back into the concept of behaviors online versus behaviors in real life and, and, you know, saying to somebody, you know, Can I Can I grab your video password, people go, No, it wasn’t, but, but I send you an email saying can you please update your password, click here and you go, okay. And so, you know, you know, talking to strangers for example, talking to strangers, easy talk to strangers, no worries, I’ve got a I’ve got a Facebook profile and LinkedIn privately, they’re not a stranger anymore. But hang on the internet. They’ve never actually met that person. Yeah, so yeah, there was there is there is a little bit of that I’ve actually got this site, but part of what you talked about, you know, with with asking good questions at the beginning and prioritization and how do you do that? I’ve got I’ve got a bit of a framework that I like to use and it’s I’ve created it based on a based on an agile prioritization category, I call it ice which is important, how important is this product when it comes to choosing the tech then was Ice. Anyway, so it talks about the concept of how important is this product? How practically Can we do it like what is right what you can do it to do it or as can somebody else put it in place, and then it talks about the cost and so the C As costs and so when we look at, you know, how important is that something? Can, how quickly can we get it in place? And then the, you know, the cost of it, and with the cyber stuff is actually, when I, when I put that through that process, it actually works out very well, like it’s actually very easy to implement, right? It’s extremely important. And the cost actually isn’t that much, right. 
You know, when you think about all the different things and you know, prioritizing risk in your business, it’s one of those ones that most when I talk to business owners, it’s one of the things that keeps them up at night, right? Right, losing or having their client data or personal information compromised, is a big concern to a lot of people. And a lot of the time people think it’s going to be a big cost that goes with that. But it takes more fun isn’t actually very reasonable. I mean, I’m sure there’s people out there, that’ll charge you a lot for it if you want to, if you want to pay a lot of money, but there’s actually a lot you can do for very low cost.

Peita Diamantidis
And that’s part of the journey to I mean, even if that’s where you’re going to end up at, I’d argue going through a process like this, to educate yourself and taking some actions as a start means you will better engage with whoever that might be, right? If it’s because otherwise, you’ve just got to sort of nod right on Okay, that sounds good. Well, it just doesn’t sound like being a responsible, responsible cyber citizen, you know, like, I mean, that’s what it’s going to come down to is this is all going to be about how we individually behave. I’m sort of curious. So in terms of then ongoing, I’m betting that the like, there’s some reporting, there’s information that can then be collated together so that people can sort of keep an eye on this as well. So this isn’t just like a one and done initially, it’s sort of an ongoing process.

Fraser Jack
No, I mean, our business is set up as a as an ongoing model. And, you know, we call it business as usual. And it really, there was no way that you can learn everything about cyber and in you know, a short space of time, and nor that, nor do you want to, because, you know, if you go to before, if you go and cram something, of course, you’re never going to retain all of it. We’re not built that way, we’ve got our lives to live, but so ongoing. Absolutely. We do. We do. I mean, the reporting around, you know, ongoing education is really important. But the reporting around sort of, like we call the audit that once a year audit, we, you can demonstrate your businesses up to speed, really good for the regulator’s good for your your insurer is good for if you’ve ever wanted to sell your business to good for your clients conversations, just to be able to say look at our audits quite comprehensive, we’ve done this, this and that. And those sort of conversations with clients are great. But I think what we do a little bit differently as than most cyber businesses is we don’t start with the audit, we don’t go, let’s do an audit. Let’s make you feel really bad about yourself. Let’s put some, you know, intimidate you into saying you need to do all these things. And then then do another audit and then demonstrate how much of a good job we’ve done. Because you’ve gone from here to here, what we actually do as we say, well, let’s not start with the audit, let’s not hold a bad audit on file, let’s just get you up to speed. Like we did uncover each of those rocks and then do the audit. And so yeah, we were a little bit different than most businesses because, you know, we’ve all been through audits without love them. So why do two and you can do one especially why do Why do a bad one when you can do a good one.

Peita Diamantidis
And it is it’s it’s it actually as you were describing that then it reminded me actually of, of personal training and and where a lot of the these gyms, the first thing they get you to do is a weigh in and a measure. And I get why they’re doing it right. They’re putting a line in the sand for you. But it is the most traumatizing and negative experience to start this journey that should feel empowering and positive with this thing that makes you feel shitty. Right? I mean, it’s the same issue isn’t that none of us feel confident about this stuff about cyber. So, you know, probably the last thing we needed somebody to tell us how we probably should feel even less confident, you know, you’re really not

Fraser Jack
the last thing I want to do is make people feel like crap as they walk in, you know, like, though it’s it’s a really smart thing for those gyms to do it. Just it’s not a great user user experience. Yeah, for

Peita Diamantidis
sure. In terms of then the you’ve you’ve had practices and groups come on board and go through the process and still going through the process. Has there been any surprises in that or surprising outcomes or realizations or, or anything like that, that sort of come out of that that sort of process from practices?

Fraser Jack
Yeah, I guess it was fair to say that we’ve pivoted over the years, you know, there’s there’s been some change in our business over the years. There’s been as as things have developed, and we’ve gone from being quite technical to more human centric, I guess, over those last few years. You know, we sort of started out, I guess it’s the same as when as an advice, we started out being you started out going I’ve read the PDF as I know all the technical stuff, let me tell you about that. And then as you gain experiences, advice, you’ll actually know it’s about humans, you know, it’s about people. And so, and so, yes, we definitely made that mistake, you know, starting out wanting to know and get involved in every technical issue in the business, which is great because it’s, you know, you’ve got to know the technical, you just don’t need to make sure everybody else knows that. So So yeah, you know, there’s been, there’s been, there’s been some great, but I think, I think like advice we all love the positive outcomes right when the clients come in and they can see the value in what you’re doing. And they can see the value that what they’re spending versus what they’re getting out of it. And they’re really happy with where they’re at now, and they’re feeling good about the, you know, being more confident they feel all these good feelings in that’s the part that, you know, I think drives us all. In that space. Yes, yes. We love that, you know, we love to nerd out about some of the technical stuff we can see it’s in a better position, all those sorts of things. But you know, that reaction from you, your clients is, is actually rewarding. Yeah, for

Peita Diamantidis
sure. And I’m betting that, you know, there’s always surprises for people, you know, it’s it’s, it’s something that we all do as business leaders, not No, we never do that. Like, for all sorts of things for all sorts of reasons. No, nobody does that. I’m betting this, as the process has gone along. They realize there’s one team member who, and not out of malice, just out of like you say behavioral or lack of training is doing something that Whoa, whoa, whoa, whoa, we didn’t know that was the case. All right, we need to retrain, I’m betting that comes up when people go through this process, too.

Fraser Jack
Yeah, I think, um, I think everybody everybody’s in this scenario, once at once we’ve gone through a lot of our process people like, well, this is this, this, we didn’t know that. And we didn’t know, we didn’t know which, and now we know, which is great. And then there are you right, those things that people know that they should be doing better, but they’re looking for an accountability buddy to to make that happen. And, and so we play a bit of that as well. You know, in that scenario with your knees, shoot, we really should be here. Can we all agree on that? Yes. What do we need to get out here? What do we need to do? Can we prioritize that? And like anything, the reason we, we, you know, we do the audit losses, because we want to make sure everything’s done before the audit. But we also need to put them like, like everything, timeframes around that as well. Because, you know, when we first started the business, it was like, we’ll get to the audit when you’re ready. These days, were more like, let’s put, let’s put a deadline in there. And we’ll work to it. And then, and we find that actually gets more stuffed up. Yeah. So it’s kind of a bit about that. Thank you for we didn’t know that. And that starts out and then the accountability buddies stuff kicks in. Very similar to you know, I guess when there’s a deadline on something on anything that runs around and

Peita Diamantidis
afterwards, I mean, I’m, in fact, I have a problem in that respect. If something doesn’t have a deadline, then I’m just, I’m just one of those like, I work under Well, under extreme pressure, right? In fact, that’s not good, right? Because that seems good. For people who don’t handle that. Well, it seems good like exams, exams don’t bother me. Right? That sort of pressure? Nope, doesn’t bother me. But the problem is, then, for somebody like me, sometimes you need to sort of manufacture that to then get things done. Yeah.

Fraser Jack
I think that deadline is you’re in a small group of people called the rest of the world of people that are affected by that. And so it’s always good. You know, like, that’s human. Again, everything we do is about, you know, awareness, training and understanding. Are we doing this thing? Is it? Is it, is it going to sink in is a valuable in one ear and out the other, then it’s not worth doing?

Peita Diamantidis
Yeah, for sure. So in terms of move, like looking forward for the cyber Collective is there if you’ve got things on the development path? Is there places you’re, you’re keen to take it or things you’re going to be adding on over time? Where do you see it heading?

Fraser Jack
Yeah, absolutely. So Well, the thing about what we’re doing is we’ve been very conscious all the way along that that we want to move to a very scalable position. And so we’re working a lot with, with firms one on one, and that, you know, that’s not that scalable. But all of this information that we gather over time is is scalable, and education and training and short courses as a scalable. So you know, we’ve been able to keep the pricing low, because we’re going to scale Yeah, and make it that way. So, you know, financial services, financial professionals, professional service firms, all those, all those, all those firms in the country that hold personal information. The thing about all those firms, and I can say this was tongue in cheek is the kind of cookie cutter, right, everyone’s got an email, everybody kind of uses Google or Gmail or Microsoft. Everybody holds personal private information, everybody needs to do a backup, everybody’s, you know, users passwords. And so we can actually work with firms all over Australia. And come to think of it New Zealand, you know, South Africa, around the world, there’s, although a lot of our stuffs based on Australian regulation, Australian regulation is very good. And so we can actually say to firms, it’s kind of what you need to do anyway, anyway. And so, we’ve got the concept of, you know, moving from financial services to other professional services from, you know, accounting to, you know, auditing to all sorts of other you know, solicitors, lawyers, all sorts of other firms, mortgage brokers, etc. And but we’ve also got the vertical say, we can scale overseas. So it’s about going, you know, using what we know, from here, which is good practice and good practice around the world. And some of our, our frameworks are actually global frameworks, which, which is great. 
But yeah, from here, it’s, it’s about turning, making sure that everybody can get involved get their uplift at a reasonable price, and getting in putting scale into it.

Peita Diamantidis
And it’s a, it’s, it’s such an interesting point in terms of, you know, going global, you know, what the internet did is made the world really small, and hence part of the risk. Like, if we only, you know, maybe for melee had to, you know, defend ourselves against Australian criminals, then well, that’s only one level, you know, but now we’ve got all these, you know, all these groups overseas. So it just, it sort of reinforces the need for all of this is it’s not just our local patch. Yeah, yeah.

Fraser Jack
And you and I are both in the zone, where we remember paper based files and filing cabinets. And, and so that was that was, you know, not very good for structure. You know, it was very unstructured data, and we couldn’t go and search for things very easily unless we use the alphabetical system. But, but what that did actually was mean that, you know, hackers from all over the world couldn’t come and steal the information out of your office, unless they were, that geolocation thing was turned on, right? They actually had to be physically in your office to the information, whereas nowadays, they don’t have to be in your office, and in 24/7 year, you can be exposed. So you’re absolutely right, you know, the old paper base files, whilst it was terribly for unstructured data was, you know, to have had an element of security to it, because of the location, it was locked in inside a filing cabinet inside a locked office, but it was your multifactor.

The reality is, we’re here now, right? We’re in a digital world, but we just have to make sure that we adapt completely to what we have in front of us. And to where we’re going, you know, with AI comes a whole lot of new challenges. You know, when it comes to ChatGPT, for example, how easy is it to write a phishing email now with ChatGPT, rather than all the grammatical errors are gone. And if you want to write it, you know, I’m the CEO of financial services company, I want to give all my staff a pay rise at Christmas time. Can you write me a happy, joyful email letting them know and, and I’ll add the link in to my malware after that, you know, and so, even that now, you know, it was easier to spot a phishing email, because there might be grammatical errors in it. They’re all gone now. Yeah, yep. ChatGPT to correct them all for you. Yeah. So I mean, AI is adding a whole new level of sophistication into the world of cybercrime. So it’s, it’s about not that we can stay ahead of it. But it’s about staying with it responding, though about it in

Peita Diamantidis
Yeah, for sure. Now, is there any parts of the sort of cyber collective offer or the experience we’ve missed? And we sort of touched on the key elements?

Fraser Jack
Yeah, key are three key elements as essentially the ongoing learning education platform, the cyber uplift in audit process, you know, up lift first, then the audit and then the, and then the, you know, the idea of how do these audits go with their policies and procedures? Do we have all those policies, plans, procedures in place? And then, and then kind of the a lot of those plans and policies and procedures are always about annually reviewing them? Quickly, going back here is the same as our financial advice review every year? Just a quick review? Yes, it’s all good. Add a couple of things, has it been a problem, etc? Do a do the auditing, again, annual audits and go from there. So it kind of Yeah, that’s what we’re about making sure the practices is secure, making sure that people in the practice or the, you know, the teams are trained,

Peita Diamantidis
Perfect. All right, advice explorers, if you’d like to find out more about the Cyber Collective, then the website link is in the show notes, along with Fraser’s LinkedIn details, so feel free to give him a nudge, and he can point you in the right direction. Thank you so much for joining us here today. And really sharing how you guys are sort of empowering us to protect you know, our practices, and our staff and even our clients. So thank you so much for your time.

Fraser Jack
Thank you for having me.

Peita Diamantidis
So are you a current member of the Cyber Collective? You know, are there other parts of the service that you’ve taken advantage of you early in your journey? Have you been using them for a while, you know, please share your experience and your insights on the Ensombl community platform. We’d all love to hear our take this is a journey that is relatively new to all of us. So, you know, I think collectively then we can learn from each other and cheer each other on and make further progress. And so, I know I would love to hear how what your experience has been like or, you know, perhaps you use another service or similar tool. But please share how you’re going on this front of, you know, really arming ourselves against these cyber risks, because it’s something that’s just going to be perpetually a part of, of our businesses going forward. In terms of my thoughts on this, you know, it’s so interesting, we really can focus on the fact that there is its take, right, and so we think it’s about the features, we think it’s about the settings we put on, we think, you know, all these, all these things we can do, and whether it’s a password manager, all those, all those sort of things, and there’s absolute value in those. But it’s so interesting, the impact over a long period of time that a new great habit can form. So and that’s, you know, where this training comes in, it’s helping you and your teams, all of our teams have these new great habits. And it made me reflect on back when I was young, and you know, sort of in my late teens and learning to drive. And I happen to have some lessons from a guy who actually was a limo driver. But he also taught kids how to drive and his one habit that he taught me was always locking the car from the outside. Now, for those of you who are blessedly young enough to only ever have, you know, automatic openers and things where that’s how you get in and out of the car, then you’ll never have had this problem.
But back in the day, it was very common for those of us who were new to starting to drive to end up having to call our folks because we’d locked their keys in the car, because we’d left the keys in the console got out, push down the lock on the car, and close the door. And then we’ve locked the keys in the car, this was really normal. And he taught me this habit where you always locked the car using the key from the outside, and it meant in my life, I have never locked my keys in my car. And it’s just interesting when I reflected on how that little small thing he taught me, held me in good stead all those years, all those years going forward. And so really, you know, this type of training platform, this type of thing that can just teach us these new habits, yes, it’s going to, you know, get us to do some things that we change in terms of the systems or what we’re doing with them and asking questions about providers and all that sort of stuff. Absolutely. But it’s also going to help us now teams build these better habits, that can really be a great part of our defense, and over time will really add up to some incredible value. So I think, you know, education, bite sized bits of education are going to make a huge difference to that, and not overcomplicating it too much. So I really love that idea. And I think there’s some power in giving out all of our teams the opportunity to take part in things like that. Now, as you know, there’s only one skill we need to become bionic advisors, folks, and that’s avid curiosity. And to help you build that habit, I’ve got a fun one for you today, folks in our curiosity corner. This is a website that I love you to take a look at called FakeYou. And I’m actually going to insert a piece of audio that I created using FakeYou of me doing that curiosity corner, little introduction there. And it’s in fact me as Darth Vader.

Darth Peita
As you know, there is only one skill we need to become bionic advisors. And that’s avid curiosity. And to help you build that habit, today’s curiosity corner website, that I’d love you to take a look at, is FakeYou.

Peita Diamantidis
So now having heard that, or the reason I actually wanted to put this website in here, aside from it being fantabulously fun, right, and you can find it at fakeyou.com, F-A-K-E-Y-O-U dot com. And you can pick all sorts of characters, there’s also like 1000s of characters, and you can just do a recording and then change it, you can even do a recording and pick an avatar and it’ll turn the turn the avatar and it’ll sync with your talking. Right, all of this is amazing. But the other thing that, to me, it really demonstrates is how easy it would be to mimic somebody else. You know, this is just another example of the risks that are out there. And the technology that’s available so that people can can imitate other people. So I really would encourage you to take a look. You know, technology has come a long way. And I think it’s helpful to see and experience what’s available out there. And just to understand how far it has come and might potentially the risk that that could involve down the track or somebody you know, mimicking or imitating somebody else. But also, it’s loads of fun, and I think could be some great fun in your marketing efforts, maybe new social media or or something you would normally do you could have, you know, said in Darth Vader, or you can have it in all sorts of characters. They’ve got Mario Brothers, they’ve got all sorts of stuff there that you can have your uploaded voice and they’ll they’ll convert it for you. So check it out, and I’d love to hear what you did as your own conversion. And at least the fun you had with it as you experimented with the tool. Well, that’s all we’ve got for this week. Be sure to subscribe to the podcast so you’ll get your advice tech fix automatically sent to you each Friday.
And if you’re ready to really achieve Zen in the world of advice tech, then be sure to nudge your dealer group or nudge your group to reach out to hear about my new keynote for 2020 for the zen of advice, tech finding balance in the digital age. You know, in a world where technology can be super duper overwhelming as Fraser and I were just chatting about this session will sort of show you how to streamline your tech stack, right and really enhance client relationships all while applying a particularly mindful approach to tech mastery. So I’d love to embark on that path with you to get a more focused, efficient and really rewarding operational environment together. So if you are curious, then please reach out to me on LinkedIn at forward slash Peita MD. That’s PEITA MD. And I’d love to have a chat. Otherwise, I’ll look forward to turning up in your earbuds next week. And remember, advice explorers: Stay curious.


