Milford Asset Management
What: Phriendly Phishing
When: Jan 2018 - Ongoing
Leading investment firm eliminates phishing risk in just 12 months
The back story
Milford Asset Management is a specialist investment firm. Established in 2003, the majority Kiwi-owned staff-owned business has enjoyed significant growth over recent years, cementing itself as a leading industry player in the fund management and investment space. Today, Milford Asset Management has around 90 staff across its offices in Auckland, Christchurch, Wanaka and Sydney. The firm currently manages over $6 billion in funds and deals with clients’ private information on a daily basis.
Milford’s reputation is built on a foundation of trust with their clients. The firm’s rapid growth raised new questions around existing security policies and procedures, and how Milford could better meet their fiduciary duties to their expanding list of clients.
In 2015, Milford Asset Management engaged Origin IT to implement a company-wide review of their IT environment with a focus on cybersecurity. The business challenge was to identify gaps in their security policies and infrastructure and recommend an effective security solution that proactively mitigates risk and protects against security threats.
In addition, Milford wanted to enhance staff awareness around cybersecurity as it relates to client data and private information, and to encourage a shift in existing attitudes from ‘ease of use’ to ‘risk management’.
We recommended the Phriendly Phishing programme as a ‘low hanging fruit’ solution that would enhance Milford’s security posture while simultaneously driving behavioural change and attitudes around corporate phishing attacks.
Prior to implementing the programme, we gathered data from across the organisation to establish staff awareness levels and phishing click-through rates prior to any formal training.
The Phriendly Phishing programme was rolled out company-wide in January 2018. Staff were exposed to tiered phishing emails that varied in complexity over a 12 month period. Phishing attacks were heavily personalised to impersonate c-suite staff whose information is typically pulled from company websites by cybercriminals.
Phishing training was made mandatory for all staff. The firm worked hard to encourage competition around the phishing programme so as to facilitate feedback and open discussion around phishing best practice.
The average starting baseline for Origin Security customers is typically around 23%, and over the initial 12 month period, we typically see that number reduce to the single digits (5% on average). In the case of Milford Asset Mangement, who had an exceptionally low baseline of just 13%, staff click-through rates on phishing attacks were reduced to an impressive 0%.
John Paull, Head of Operations at Milford, says there’s been a notable culture shift. Staff have increased awareness of cybersecurity risk, and are more likely to report a phishing attempt to management.
Milford has implemented Phriendly Phishing as an ongoing security solution. The programme continues to be mandatory for new staff, and phishing training is rolled out on a monthly basis to keep it front of mind.