A recent report published by IBM, the Cyber Security Intelligence Index, found that human errors are the cause of 95 per cent of cyber security breaches globally, the average cost of which could be as high as USD3.33 million.
George Ralph, Global Managing Director of RFA, is here to make that better. Ralph says: “Realistically without saying we do everything, we do everything that a CTO or CISO (chief information security officer) would be responsible for.”
Ralph started in technology 26 years ago, and joined RFA as a partner eight years ago, preparing clients for due diligence group audits and working as an outsourced CTO/CISO, giving strategic advice.
RFA has 13 offices around the world, the largest in London and New York, with 400 staff globally, around 850 clients and an equal focus on hedge funds and private equity firms (as well as investors, wealth management, family offices and fund admins). Assets under management serviced stand at GBP1.5 trillion.
Ralph notes that cybersecurity used to be called information assurance but is now up front as one of the biggest risks for organisations. “People are used to having powerful mobile devices of their own and treat them like a day-to-day thing, without thinking about it,” he says.
“Because it’s their own they think it’s secure but if you have a rogue app or a phishing attack, they are in your device – it’s about the education of people. Training is really important.”
The situation has worsened due to Covid and the growth of working from home, Ralph says. Event-driven situations, such as the recent death of the Queen of England, also play a part: they make people more emotional and less thoughtful about what they are viewing online, he says.
“There are no more attacks than there were, but more people are getting caught out because of these scenarios, electronic communication volume and emotions,” he says.
RFA offers an e-learning platform to teach staff about cybersecurity, followed by regular testing every three months, with emails to check that they are still observing good cybersecurity techniques.
“We also teach them about the repercussions if they have a breach and we can lock their machine for 10 minutes to make them realise there are repercussions,” Ralph says.
Having worked in training and in mergers and acquisitions in the past, Ralph notes that an event such as a merger can bring lots of new, rather disoriented staff with heightened emotions, which impacts their practice of good cybersecurity techniques. “The pass rate of our testing drops off a cliff,” he says.
He recommends testing as often as possible. “If someone is in your phone, they have all your contacts, so the issue becomes a public relations one as well – if it goes into the media, then there is a risk of a drawdown as well. It’s the modern equivalent of leaving a file on the train.”
Ralph says that a lot of cybersecurity techniques are common sense. “The really important bit is the collaboration, especially with disparate working where you can’t lean over and say: ‘this doesn’t look right’.”
Ralph notes that Covid made people more wary about who they start doing business with, and that having had a breach of security is a bad mark. If a breach happens, RFA brings in an incident response plan. “I’d like to say it’s a when, not an if,” Ralph says.
The firm has invested heavily in R&D, creating an AI reporting engine that proactively models behaviour, looking for chinks in the armour.
“If someone tries to access their HR folder we get alerts,” he says. “The monitoring of the insider threat is not a big brother activity – it does two things: if someone is fully remote it’s hard to tell if they are happy and we also look at work-life balance. We have lots of clients who have burnt out because they are working globally with no breaks and no walk between meetings, no water cooler moment. We notify clients that this person has been working on Excel from six in the morning to midnight and so we are protecting people and the assets of the business.”