Best Behaviour

Best Behaviour True Crime: Episode 1 - The Rise and Fall of a Finance Giant

Season 3 Episode 1

Welcome back to the 2025 season of Best Behaviour! This year we've given the podcast a creative refresh, kicking things off with Episode 1 of our True Crime series.

In this episode, we dive into The Rise and Fall of Bennet and Clarke Capital, a finance firm in its golden era - until a high-stakes merger changes everything. As priorities shift, psychosocial hazards emerge and cyber safety is pushed into the background. And when a devastating data leak occurs, the firm’s response reveals just how deep the cracks run…

A gripping story of secrets, blame, and cultural failure that will leave you guessing until the very end.

Best Behaviour podcast is recorded on Wurundjeri land. Interchange acknowledges that this always was, and always will be Aboriginal land.

For more information about Interchange and the work that we do, check out our website, or connect with us on LinkedIn or Instagram.

Narrator: [00:00:11] Welcome to Best Behaviour True Crime, where we explore the scandals, chaos, and dark secrets lurking in the business world.

Today we dive into the story of Bennett and Clark Capital, a finance firm that thought they had their cybersecurity measures under control. Until they didn't.

A story of secrets, blame, and a company's culture in crisis. This is episode one, the rise and fall of a finance giant. 

Our story begins in September 2023, [00:01:11] when our two finance firms, both in their golden eras, finalised a much anticipated merger. Bennett and Clark Capital were born with the vision of taking the market by storm. Growth in market shares, geographical expansion, and product diversification were all on the cards.

The deal was hailed as a breakthrough, an alignment of expertise and resources that promised to solidify the firm's position in the market. However, with every merger comes change, and this was no exception. New systems needed to be integrated, policies reassessed, and employees retrained. And beyond the operational adjustments, there was also a shift in leadership.

New faces were seen in the fortnightly executive leadership team meetings, altering the dynamic within the company. [00:02:11] Employees found themselves in an unfamiliar corporate landscape where old hierarchies were gone and a new order was struggling to take hold. Some employees thrived in this new environment, eager to prove their adaptability and work their way up the ranks.

Others, however, found themselves swamped and overwhelmed. Among them was Layla Hassan, a mid level manager who had spent years building trust and rapport with her team. Layla was now expected to enforce policies she had little say in creating, and answer for decisions made by executives who seemed to be increasingly detached from reality.

But despite the influx of change, business ran as usual, with any issues promptly rushed under the rug.

On the 15th of October 2023, barely one month later, the internal cyber team [00:03:11] flagged a small but concerning issue. An unusual logging traced back to an external server. At first, it seemed like a minor mistake. However, upon further investigation, the issue was traced back to Layla, who had unknowingly synced her login details to her partner's web browser the evening prior, ultimately causing the issue.

It was a simple mistake, one that many employees could have made. Layla had been on a tight deadline, reviewing a report late in the evening on her partner's laptop, after leaving hers at the office. The firm's security policies strictly forbade logging in from any non company provided device, but the consequences of missing this deadline felt dire for Layla.

The decision to proceed just this once seemed to outweigh the risk of disappointing Layla's manager. [00:04:11]

Frankly, Layla, this just isn't good enough. I'm done beating around the bush. If I don't have an email with the quarterly report attached, I'll be seriously reconsidering your position at the firm. 

Layla felt she had no other option. She took every precaution possible, ensuring she saved no files to the desktop, and confirming she had fully logged off once the job was complete.

But amidst the spiral of figures in her brain, and her sprint against the clock, Layla made the grave mistake of absent mindedly clicking the Yes button when prompted to save her login details on the Internet browser. The consequences weren't immediate. Layla managed to complete the report and send it to her manager on time.

Everything seemed to be under control. However, in the background, something with the potential to be sinister was [00:05:11] already in motion. The following day, Layla's partner, Michael, took his laptop to work as usual, completely unaware as soon as he connected to the unsecured network in his office, the saved login details were exposed, slipping quietly into the hands of those waiting to exploit the mistake.

Fortunately for all involved, in this instance, the company's IT team detected the data leak just in time, preventing it from falling into the wrong hands. However, over the following three months, cyber security incidents became increasingly frequent, revealing a concerning pattern. Although these issues varied in severity and impact, one thing was clear.

Change was imperative. Recognizing the repetition of mistakes and the impact on [00:06:11] the reputation of the firm, the executives decided to engage the internal cyber security team to develop and implement a comprehensive cyber safety training module. The timing was strategic, aligning with the Christmas break, a period notorious for a dip in employee motivation and focus.

The module was mandatory for all staff, including the executive leadership team. Layla completed the training module, but had very little faith that it would change anything. Like many others in the company, Layla's role was under immense strain. The pressure came from everywhere. Layla's team raised concerns about the overwhelming workload, conflicting corporate messaging, and an endless pile of mandatory training.

Meanwhile, the senior leadership team provided little support to Layla and the rest of the mid-level [00:07:11] managers. I have a team of 10, and every week, at least three of them come to me with concerns, burnout, pending unapproved leave, or worries about unrealistic deadlines. But when I took these concerns to senior leadership, they just told me to handle it internally and stop making unnecessary noise.

It wasn't just the workload. The company's leadership had become increasingly out of touch. Annual salary reviews had been frozen. But the executives were still paid their short term incentive bonus in full. Teams were halved, while output expectations were doubled. There was this one time when I flagged that most of my employees were far too overloaded to complete the mandatory training.

But my manager just laughed. And said, I'd suggest that they're not really overloaded, that they just don't know how to manage their time. After the Christmas break, when all staff returned to [00:08:11] work in January 2024, the cracks in the system were increasingly evident. Employee morale had plummeted, internal communication was strained, and trust in leadership was eroding.

There was nowhere to go for help or support. And cyber security policies were low on the radar. Mid level managers began keeping critical operational issues to themselves, reluctant to escalate problems to senior leadership. In one instance, a series of accounting discrepancies emerged in client transactions.

Though not catastrophic, enough to raise concerns about data integrity. Normally, this would have been flagged for executive review, but managers hesitated. They knew that bringing it up would likely lead to blame shifting and disciplinary action, rather than solutions. Instead, they quietly instructed their [00:09:11] teams to monitor the issue, patching over the inconsistencies as best they could.

Whispers of other unreported problems spread through the company. As managers chose to shield their teams rather than invite more top down scrutiny, the organization was running on fragile trust and it was only a matter of time before something gave way. Tensions reached boiling point in March 2024 when the executive leadership team abruptly rolled out a new performance evaluation system without consulting the mid level managers.

The new metrics prioritized cost cutting and automation, sidelining employee development and well being. Managers already stretched so thin felt blindsided and powerless, while employees saw it as yet another sign that leadership was out of touch. Frustration [00:10:11] simmered in private Slack channels and whispered hallway conversations.

But instead of addressing concerns, executives doubled down, dismissing complaints as resistance to change. The divide between the executives and the rest of the firm had never felt wider.

Fast forward to May 23rd, 2024. Despite the mounting pressure within the company, the day had started like any other. The trading team were deep in market analysis, reacting to fluctuations in interest rates. Loan officers were finalising risk assessments, chasing approvals that seemed to take longer with each passing month.

In accounting, mid level managers juggled overdue reconciliations and vendor disputes, while compliance [00:11:11] teams braced for another round of regulatory audits. Conversations in the break room were brief. Most employees were too preoccupied with deadlines, dwindling resources, and leadership's latest cost cutting measures to engage in casual chatter.

Then, without warning, an alert flashed across the company's security dashboard. The message was alarming. An urgent cyber threat notification. Confusion rippled through the office as IT scrambled to assess the situation. Within minutes, the grim reality set in. The company's small business data had been majorly compromised.

Customer details. Transaction histories and sensitive financial reports were now in unknown hands. What had started as an ordinary work day had just turned into a full scale crisis. [00:12:11] The security team immediately launched an internal audit, and an external IT firm was promptly brought in to investigate and contain the breach.

The media backlash. Bennett and Clark Capital were at an all time reputational low. As the dust began to settle, cyberculture became a hot topic in Bennett and Clark Capital's board meetings. Recognizing that the issue might extend beyond technical training shortcomings, the board concluded that the problem was likely cultural.

They determined that the technical training was not enough to remedy the underlying dysfunction. To address this, in June 2024, the board decided to engage Interchange, a management consultancy, to come into the business as culture experts and analyze why no real progress was being [00:13:11] made, despite multiple training initiatives and policy overhauls.

As Interchange conducted interviews, a pattern of responses and themes emerged. So what's the approach to security at Bennett Clark Capital? Where does it sit in terms of your priorities? I mean, we're constantly being told security is a priority. We're expected to do all this training while juggling basically impossible workloads.

Honestly, I don't even think the senior leaders have seen that cyber security module we had to do last year. It was only a matter of time before something like this happened, really. So Frank, you know, you're in the IT team. You must have seen the cyber training modules that were rolled out in the last year.

How much visibility do you have on how effective those were? 

Well, the records show that everyone's completed their cyber training. At least as [00:14:11] far as I know. We have the data for everyone, apart from the executive team. And I've made sure to follow up and remind everyone who hadn't done it, to get it done when it was being rolled out. So it's hard to believe that something like this has happened. 

So I'd love to know a bit more about you and your relationship with the executive leadership team. What kind of connection do you have with them? What kind of interactions? 

I'd barely call it a relationship. I don't really see a lot of them. I know that they're really busy people, especially now trying to handle everything that's going on. It doesn't sound easy, especially with all the tension and the arguments between the CTO. I don't know too much about it, but it's clear that there's something going on. 

Layla, what's your view on the executive leadership team? How do you feel about the decisions that they make in terms of their impact on the company and on the people that work here? 

I just don't think the CPO [00:15:11] has the company's best interests at heart. She's really difficult to work with and has been so close minded and set in her ways. Recruitment, especially in my team, has been such a struggle, and I voiced this to Anton, the CEO, and he listened to me patiently, but that was it. Nothing else came of that conversation. 

So, Helen, you've been in the CPO role now for a while. Usually that means you come with a pretty good gauge of how people feel that they're treated here. So, talk to me a little bit about trust and respect at Bennett and Clark Capital. 

Honestly, people have been hiding things since the last time this happened in September. No one wants to admit their mistakes anymore and I'm tired of it. The sheer lack of accountability at this business is honestly shocking. Not one of them are going to move up the ranks and make something of themselves unless something changes. 

So Aidan, you're the CTO at Bennett Clark [00:16:11] Capital. How much of a priority, genuinely, is cyber security?

Well, for most of us it is. Unfortunately, we've got people in the executive team that think it's okay to put personal grudges over the safety of our customers data, which is a real shame. 

So what do you know about the dynamic in the leadership team? 

There's bad blood between our CTO Aiden and Helena, the CPO. It's pretty well known. Anything the other implements, they each just disregard. Aiden flat out ignored the new performance management system that was rolled out not long ago. And Helena never touched that mandatory cyber module. No surprise that it was her who clicked that phishing link that caused that data leak in May.

On the morning of May 22nd, Helena Arlo, the CPO at Bennett and Clark Capital, had received an email that appeared to be from a trusted third party [00:17:11] vendor. The email was professionally crafted using legitimate branding and a known sender's name. It contained an urgent request to review an attachment related to upcoming policy updates.

Helena, operating under pressure and with limited time, didn't scrutinize the email. Instead, she clicked the link and logged into her user profile, oblivious to the L at the end of the Bennett and Clark Capital domain being the number 1. When the link opened to an error page, Helena began to question its integrity.

But due to her interpersonal conflict with the technology team, rather than reporting the mistake to IT, she exited the tab and continued with her day, eventually forgetting the event ever occurred. Within hours, unauthorized access was granted to the company's small business data network. [00:18:11] Sensitive client records were exfiltrated and financial documents were leaked to the dark web.

The breach had been preventable. The cyber safety module covered phishing attacks in detail, but Helena had never completed it. The external audit, conducted in the aftermath of the breach, confirmed that it was Helena who had clicked on the malicious link, triggering the significant data leak. However, despite the gravity of the situation, no immediate action was taken, largely due to the CEO's strong relationship with Helena. It wasn't until the board intervened and insisted on engaging Interchange that the issue was finally brought to the forefront.

At the end of July 2024, Interchange presented [00:19:11] their findings to the board. Their conclusion was clear. The core issue was cultural. Interchange's investigation revealed that the interpersonal tension between a CPO and CTO was merely a symptom of a much deeper problem. A pattern of internal conflict that was pervasive across the entire organisation.

The friction at the executive level was just the tip of the iceberg, masking a culture that was increasingly inward looking and disconnected from the needs of its customers. Rather than collaborating to serve the best interests of their clients, teams were spending more time battling each other.

Interchange's report highlighted a culture fixated on internal power struggles, at the expense of customer safety and satisfaction. Bennett and Clark Capital's purpose and [00:20:11] strategy were equally unclear, their ambiguity exacerbated by the 2023 merger, which had left many employees uncertain about priorities and direction. Systems and processes, while existing on paper, were frequently disregarded and undermined by the mindsets of key leaders who saw compliance as optional. Perhaps most concerning was the lack of transparency and trust, which had led to the formation of silos and a widespread reluctance to share information.

Executives seemed to operate above the rules, fostering a culture where power was synonymous with non compliance. The findings painted a stark picture. Without a fundamental shift in culture, no amount of technical training or procedural updates would suffice. [00:21:11] May 23rd was more than a data breach. It was a cultural failure.

The cyber threat was internal, embedded in a leadership team that believed they were too important to follow the rules. Security protocols were seen as inconveniences. Compliance was treated as a box ticking exercise, and concerns from frontline employees were routinely dismissed. Password sharing was common.

Multi factor authentication was ignored, and outdated systems remained in use because upgrading them was deemed too costly. But cyber threats don't wait for convenience. They exploit weakness. And in this company, those weaknesses ran deep. Not just in its systems and processes, but in its mindset.

Employees, exhausted by months of poor [00:22:11] communication, top down directives, and a lack of purpose and strategy, had stopped reporting suspicious activity, assuming leadership wouldn't act on it anyway. Mid level managers, already sidelined in decision making, saw no reason to push for stronger controls when they knew their voices wouldn't be heard.

The culture of indifference had created the perfect conditions for disaster. Let this serve as a lesson. Cybersecurity isn't just an IT problem. It's a business wide responsibility. A company can invest in the most advanced security software, but if its people don't believe in the importance of protecting data and if leadership doesn't set the tone, then the greatest vulnerability isn't a piece of technology.

It's the culture itself. [00:23:11]

Georgia: Welcome everyone to our 2025 season of Best Behaviour. Uh, my name is Georgia. I am a consultant at Interchange and I'm joined by Felix, who is a manager.

Felix: Thanks. Thanks for having me. Didn't realize it was so formal and we're getting our titles read out on the podcast, but there you go. G'day everyone thanks for listening to our first episode. What'd you think Georgia? 

Georgia: I thought it was great. We, uh, just for a bit of context for everyone, we had our offsite last year, went down to Apollo Bay and we've been brainstorming a bit about how we can switch things up for this year and lean into some of your feedback and also just a bit of brainstorming between our team.

One of the points of feedback that we got was a real want to have more insight into that creative side that we talk about so much on the podcast. And we thought what better way to do that than actually show it on our podcast. [00:24:11] So we've come up with a new format that you've just listened to, our true crime series.

Felix, do you want to tell people a bit more about our direction with that and what they can expect in the season? 

Felix: Yes, well. Our true crime podcast is a work of fiction, and it's important to state that because, you know, we're not jeopardizing any client confidentiality by sharing this story with you today, um, but we do learn a lot about organizations and the dynamics that play out within them, uh, and we wanted to, you know, bring together some of our insights from different industries, as well as, you know, things that are popular in today's media and stories that break around, for example, cyber security challenges or hacks that happen.

So we thought it was a really good opportunity for us to bring that to life and show a little bit of the investigative elements of our work. One of the core components of the work that we do is always to go in and deeply understand the current state of culture before we're able to help a business articulate where it [00:25:11] wants to go.

Um, and so we call that part the organizational review. Um, we look at a lot of different factors, um, but there absolutely is like a component there where you are trying to learn a bit more about what sits beneath the surface. People will tell you one thing, but what are we, what are they not aware of?

What are the, what is playing out in the organizational system between people, between teams? What are those patterns of working that we've fallen into that we just. I'm not aware of. We can't see the forest for the trees kind of situation. Um, so our true crime episode is really a way to share with you all the sort of process through which we might come in and try to understand the culture and then shed some light on exactly the kinds of things that we might do as a result of that.

So we're super excited to be presenting that to you iterations throughout the rest of the year. So you'll be hearing a bit more true crime as we go on throughout the, uh, the season. 

Georgia: Thanks for sharing that. I think it's also important to [00:26:11] think about while it's fictional and a lot of the topics at times may be not as relevant.

It's interesting to see how something like cyber security, which people typically think of as something quite technical and it's a system that you put in place and then you forget about it and everything's clean. It's like, what are the behaviours that sit around that and can either make or break intervention or an initiative like that?

Because a lot of people think, oh yeah, behaviours kept to things like safety and stuff, but it's so relevant to everything like in the episode. You just listen to one small behaviour as a result of increased stress and workload. It's like that almost took down the whole company. So, how can you take a behavioural lens and safeguard towards what you're trying to achieve?

Felix: So true. I think I read this, I'm gonna misquote this, but it was along the lines of if you wanted to build the perfect computer system for an organization that couldn't be hacked. That would be fine. You could do it but you just couldn't have any employees. Because it's the human factor that is the thing that really like, [00:27:11] you know, creates weaknesses.

And a lot of, you know, what exactly what you say is right. Like, organizations build these, you know, compliance training, cyber security training workshops and things like that for people to do. But they don't often, I don't know, maybe follow up on educating people on the exact kinds of behaviours that they need to be demonstrating or the, the mindsets they need to have when they open an email maybe they're not quite sure about. So that's why it's really interesting, you know, to pick up on what you talked about from a cyber security training perspective. A lot of organizations roll that out, but they don't necessarily think too much about the ongoing kind of coaching that somebody might need to make sure that we're not exposing ourselves unnecessarily or that, you know, even in times of great pressure.

People still remember how to remain vigilant from a cyber security perspective. So work that we tend to do in cyber security is always about that behavioural change piece, which, you know, if you read any articles out there, that's actually where the future of cyber security is kind of going, is that it's really [00:28:11] focusing on that holistic element, not just the compliance piece.

Anyway, all that aside, Gee, I know that you are a big true crime enthusiast, you listen to quite a lot of things. How did our episode stack up against your favourite true crime podcasts? 

Georgia: That is such a great question. I found it so addictive to listen to. There was intense music, there's a, there's something secret going on that no one knows about, everyone's trying to blame each other.

And it is like a murder mystery. I'm like, who killed cybersecurity? Who almost killed the company? 

Felix: That's great. 

Georgia: Figuring out who's who and piecing it all together was really interesting. And it also blended my background in organizational psychology with something that I love so much. So it was great to, yeah, be able to understand the behavioural psychodynamic perspective, but also get it in the most creative and teasing sort of way so I'm hooked for this season. 

Felix: Fantastic. Well, we aim to please, I'm [00:29:11] glad we have pleased you, true crime enthusiast. And we look forward to hearing some more of those episodes as we go on throughout the year and look forward to your company as we share them with you. Thanks very much.

Narrator 2: This episode was recorded on Wurundjeri land. Interchange acknowledges that this always was and always will be Aboriginal land. For more information about Interchange, see the show notes for links to our social media and our [00:30:11] website. https://interchange.com.au/